AFTERBOOT(8) System Manager's Manual AFTERBOOT(8)

NAME
afterboot - things to check after the first complete boot

DESCRIPTION
Starting out
This document attempts to list items for the system administrator to
check and set up after the installation and first complete boot of the
system. The idea is to create a list of items that can be checked off so
that you have a warm fuzzy feeling that something obvious has not been
missed. A basic knowledge of UNIX is assumed, otherwise type:

$ help

Complete instructions for correcting and fixing items are not provided.
There are manual pages and other methodologies available for doing that.
For example, to view the man page for the ls(1) command, type:

$ man 1 ls

Administrators will rapidly become more familiar with OpenBSD if they get
used to using the high quality manual pages.

Some base programs and subsystems also come with sample configuration
files in _____________.

Errata
By the time that you have installed your system, it is possible that bugs
in the release have been found. Security or reliability fixes can be
found at https://www.openbsd.org/errata.html, and can be installed using
syspatch(8).

Login
Log in on the console, or over the network using ssh(1). For security
reasons, it is bad practice to log in as root during regular use and
maintenance of the system. Instead, administrators are encouraged to add
a "regular" user, add said user to the "wheel" group, then use the su(1)
and doas(1) commands when root privileges are required.

The installation process provides an option to set up a user account. By
default, accounts created via this method are automatically added to the
"wheel" group. If that option was not used, see the paragraph ___ ___
_____ below.

To deny root logins over the network, edit the ____________________ file
and set PermitRootLogin to "no" (see sshd_config(5)).

Root password
Change the password for the root user. (Note that throughout the
documentation, the term "superuser" is a synonym for the root user.)
Choose a password that has digits and special characters as well as from
the upper and lower case alphabet. Do not choose any word in any
language. It is common for an intruder to use dictionary attacks. Type
the following command to change it:

# passwd root

To avoid the possibility of rogue files placed in the superuser's PATH,
it should never contain the current directory (".").

System date
ntpd(8) is used to automatically synchronize clocks with remote NTP
servers. You can use ntpctl(8) to check the status. To change the NTP
server, see ntpd.conf(5).

Check the system date with the date(1) command. If needed, change the
date, and/or change the symbolic link of ______________ to the correct
time zone in the ___________________ directory.

Examples:

Set the current date to January 27th, 2016 3:04pm:
# date 201601271504

Set the time zone to Atlantic Standard Time:
# ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime

Check hostname
Use the hostname command to verify that the name of your machine is
correct. See the man page for hostname(1) if it needs to be changed.
You will also need to edit the ___________ file to have it stick around
for the next reboot.

Verify network interface configuration and routing tables
The first thing to do is an ifconfig -a to see if the network interfaces
are properly configured. Correct by editing _______________________
(where _________ is the interface name, e.g., "em0") and then using
ifconfig(8) to manually configure it if you do not wish to reboot. Read
the hostname.if(5) man page for more information on the format of
_______________________ files.

See multicast(4) for instructions on configuring multicast routing. See
hostname.if(5) for instructions on configuring interfaces with DHCP.

Routing tables can be viewed by issuing a netstat -rn command. The
default gateway address is stored in the ___________ file. If you need
to edit this file, a painless way to reconfigure the network afterwards
is route flush followed by a sh -x /etc/netstart command. Or, you may
prefer to manually configure using a series of route add and route delete
commands (see route(8)).

If you wish to route packets between interfaces, add one or both of the
following directives (depending on whether IPv4 or IPv6 routing is
required) to ________________:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

Packets are not forwarded by default, due to RFC requirements.

Check DNS
Use host(1) or dig(1) to check that domain name resolution is working
properly.

Most likely, the IP address of at least one domain name server was added
to resolv.conf(5) while installing the system. resolvd(8) maintains
________________ at runtime.

A hosts(5) file can be used if there is a need for system specific name
resolution entries.

Check disk mounts
Check that the disks are mounted correctly by comparing the __________
file against the output of the mount(8) and df(1) commands. Example:

# cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/sd0e /var ffs rw,nodev,nosuid 1 3
/dev/sd0g /tmp ffs rw,nodev,nosuid 1 4
/dev/sd0h /home ffs rw,nodev,nosuid 1 5

# mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd0g on /tmp type ffs (local, nodev, nosuid)
/dev/sd0h on /home type ffs (local, nodev, nosuid)

# df
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0d 203399 150221 43008 78% /usr
/dev/sd0e 10447 682 9242 7% /var
/dev/sd0g 18823 2 17879 0% /tmp
/dev/sd0h 7519 5255 1888 74% /home

# pstat -s
Device 512-blocks Used Avail Capacity Priority
/dev/sd0b 131072 84656 46416 65% 0

Edit __________ and use the mount(8) and umount(8) commands as
appropriate. Refer to the above example and fstab(5) for information on
the format of this file.

You may wish to do NFS partitions now too, or you can do them later.

Check the running system
You can use ps(1), netstat(1), and fstat(1) to check on running
processes, network connections, and opened files, respectively.

FURTHER CHANGES
The system should be usable now, but you may wish to do more customizing,
such as adding users, etc. We suggest that you cd /etc and edit any
files in that directory as necessary.

Note that the _________ file is modified by _______ whenever the system
is booted. To keep any custom message intact, ensure that you leave two
blank lines at the top, or your message will be overwritten.

Add new users
Add users. There is an adduser(8) script. You may use vipw(8) to add
users to the ___________ file and edit __________ by hand to add new
groups. You may also wish to edit _______________ and tune some of the
limits documented in login.conf(5). The manual page for su(1) tells you
to make sure to put people in the `wheel' group if they need root access.
For example:

wheel:*:0:root,myself

System command scripts
The _________ scripts are invoked at boot time, after single-user mode
has exited, and at shutdown. The whole process is controlled, more or
less, by the master script _______. This script should not be changed by
administrators.

_______ is in turn influenced by the configuration variables present in
____________. Again, this script should not be changed by
administrators: site-specific changes should be made to (freshly created
if necessary) __________________ or by using the rcctl(8) utility.

Any commands which should be run before the system sets its secure level
should be made to ___________________, and commands to be run after the
system sets its secure level should be made to _____________. Commands
to be run before system shutdown should be set in ________________.

For more information about system startup/shutdown files, see rc(8),
rc.conf(8), securelevel(7), and rc.shutdown(8).

If you've installed X, you may want to turn on xenodm(1), the X Display
Manager. To do this, change the value of ____________ in
__________________.

Set keyboard type
Some architectures permit keyboard type control. Use the kbd(8) command
to change the keyboard encoding. kbd -l will list all available
encodings. kbd xxx will select the xxx encoding. Store the encoding in
____________ to make sure it is set automatically at boot time.

Printers
Edit _____________ and ______________ to get any printers set up.
Consult lpd(8) and printcap(5) if needed.

Audio and video recording
The audio(4) and video(4) drivers by default record only silence and
blanked images. Normal recording can be enabled by adding the following
directives to sysctl.conf(5):

kern.audio.record=1
kern.video.record=1

Power management
If the BIOS supports it, apmd(8) can be configured to act on different
events and adjust device performance. In the following example it is
configured to start on boot in automatic performance adjustment mode and
suspend the system if no AC is connected and the estimated battery life
is equal or below 15%:

# rcctl set apmd status on
# rcctl set apmd flags -A -z 15

Mail aliases
Edit _________________ and set the three standard aliases to go to either
a mailing list, or the system administrator.

# Well-known aliases -- these should be filled in!
root: sysadm
manager: root
dumper: root

Mail
The default mail agent on OpenBSD is smtpd(8). Details on how to
configure an alternative mailer are documented in mailer.conf(5).

OpenBSD ships with a default ____________________ file that will work for
simple installations. See smtpd.conf(5) for information on configuring
more complex setups. For the default installation, smtpd(8) is
configured to only accept connections from the local host. This makes it
possible to send mail locally, but not receive mail from remote servers,
which is ideal if you have one central incoming mail machine and several
clients. To cause smtpd to accept external network connections, modify
the listen on directive in ____________________ to include the interfaces
to listen on.

Daily, weekly, monthly scripts
Review daily(8) to understand what the periodic system maintenance
scripts do and how to customize them: For example, to enable ROOTBACKUP
or to add local maintenance code to ________________, _________________,
or __________________.

Tighten up security
You might wish to tighten up security more by editing __________ as when
installing X. Look at the other files in ____ and edit them as needed.
(Do not edit files ending in ___ -- like ______, _______, nor _________,
nor ___, nor any directories.)

Crontab (background running processes)
Check what is running by typing crontab -l as root and see if anything
unexpected is present. Do you need anything else? Do you wish to change
things? See crontab(5).

Next day cleanup
After the first night's security(8) run, change ownerships and
permissions on files, directories, and devices; root may have received
mail with subject: " daily insecurity output". This mail
contains a set of security recommendations, presented as a list looking
something like this:

var/mail:
permissions (0755, 0775)
etc/daily:
user (0, 3)

The best bet is to follow the advice in that list. The recommended
setting is the first item in parentheses, while the current setting is
the second one. This list is generated by mtree(8) using
__________________. Use chmod(1), chgrp(1), and chown(8) as needed.

Daemons
Enable/disable any daemon processes as necessary. intro(8) contains a
comprehensive guide to the various daemons available on the OpenBSD
system.

Packages
Install your own packages. The OpenBSD ports collection includes a large
set of third-party software. Most of it is available as binary packages
that you can install using pkg_add(1). See packages(7) for more details.
To start daemons installed from packages, see rc.d(8).

There is also other third-party software that is available in source form
only, either because it has not been ported to OpenBSD yet, or because
licensing restrictions make binary redistribution impossible. Sometimes
checking the mailing lists for past problems that people have encountered
will result in a fix posted.

Compiling a kernel
Information on building and modifying kernels is contained within
config(8).

SEE ALSO
doas(1), ksh(1), man(1), pkg_add(1), ps(1), vi(1), multicast(4), hier(7),
config(8), dmesg(8), ifconfig(8), intro(8), rcctl(8), sysctl(8)

HISTORY
This document first appeared in OpenBSD 2.2.

OpenBSD 7.2 April 13, 2022 OpenBSD 7.2