1.\" $NetBSD: afterboot.8,v 1.47 2010/06/26 11:26:17 jmmv Exp $ 2.\" $OpenBSD: afterboot.8,v 1.72 2002/02/22 02:02:33 miod Exp $ 3.\" 4.\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu 5.\" Adapted to NetBSD by Julio Merino -- 2002-05-10, jmmv@NetBSD.org 6.\" 7.\" 8.\" Copyright (c) 2002-2008 The NetBSD Foundation, Inc. 9.\" All rights reserved. 10.\" 11.\" Redistribution and use in source and binary forms, with or without 12.\" modification, are permitted provided that the following conditions 13.\" are met: 14.\" 1. Redistributions of source code must retain the above copyright 15.\" notice, this list of conditions and the following disclaimer. 16.\" 2. Redistributions in binary form must reproduce the above copyright 17.\" notice, this list of conditions and the following disclaimer in the 18.\" documentation and/or other materials provided with the distribution. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 21.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 24.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30.\" POSSIBILITY OF SUCH DAMAGE. 31.\" 32.\" 33.\" Copyright (c) 1997 Marshall M. Midden 34.\" All rights reserved. 35.\" 36.\" Redistribution and use in source and binary forms, with or without 37.\" modification, are permitted provided that the following conditions 38.\" are met: 39.\" 40.\" 1. Redistributions of source code must retain the above copyright 41.\" notice, this list of conditions and the following disclaimer. 42.\" 2. Redistributions in binary form must reproduce the above copyright 43.\" notice, this list of conditions and the following disclaimer in the 44.\" documentation and/or other materials provided with the distribution. 45.\" 3. All advertising materials mentioning features or use of this software 46.\" must display the following acknowledgement: 47.\" This product includes software developed by Marshall M. Midden. 48.\" 4. The name of the author may not be used to endorse or promote products 49.\" derived from this software without specific prior written permission. 50.\" 51.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 52.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 53.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 54.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 55.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 56.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 57.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 58.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 59.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 60.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 61.\" 62.Dd June 26, 2010 63.Dt AFTERBOOT 8 64.Os 65.Sh NAME 66.Nm afterboot 67.Nd things to check after the first complete boot 68.Sh DESCRIPTION 69.Ss Starting Out 70This document attempts to list items for the system administrator 71to check and set up after the installation and first complete boot of the 72system. 73The idea is to create a list of items that can be checked off so that you have 74a warm fuzzy feeling that something obvious has not been missed. 75A basic knowledge of 76.Ux 77is assumed. 78.Pp 79Complete instructions for correcting and fixing items is not provided. 80There are manual pages and other methodologies available for doing that. 81For example, to view the man page for the 82.Xr ls 1 83command, type: 84.Bd -literal -offset indent 85.Ic man 1 ls 86.Ed 87.Pp 88Administrators will rapidly become more familiar with 89.Nx 90if they get used to using the manual pages. 91.Ss Security alerts 92By the time that you have installed your system, it is quite likely that 93bugs in the release have been found. 94All significant and easily fixed problems will be reported at 95.Pa http://www.NetBSD.org/support/security/ . 96It is recommended that you check this page regularly. 97.Pp 98Additionally, you should set 99.Dq fetch_pkg_vulnerabilities=YES 100in 101.Pa /etc/daily.conf 102to allow your system to automatically update the local database of known 103vulnerable packages to the latest version available on-line. 104The system will later check, on a daily basis, if any of your installed 105packages are vulnerable based on the contents of this database. 106See 107.Xr daily.conf 5 108and 109.Xr security.conf 5 110for more details. 111.Ss Login 112Login as 113.Dq Ic root . 114You can do so on the console, or over the network using 115.Xr ssh 1 . 116If you have enabled the SSH daemon (see 117.Xr sshd 8 ) 118and wish to allow root logins over the network, edit the 119.Pa /etc/ssh/sshd_config 120file and set 121.Dq PermitRootLogin 122to 123.Dq yes 124(see 125.Xr sshd_config 5 ) . 126The default is to not permit root logins over the network 127after fresh install in 128.Nx . 129.Pp 130Upon successful login on the console, you may see the message 131.Dq We recommend creating a non-root account... . 132For security reasons, it is bad practice to login as root during 133regular use and maintenance of the system. 134In fact, the system will only let you login as root on a secure 135terminal. 136By default, only the console is considered to be a secure terminal. 137Instead, administrators are encouraged to add a 138.Dq regular 139user, add said user to the 140.Dq wheel 141group, then use the 142.Xr su 1 143command when root privileges are required. 144This process is described in more detail later. 145.Ss Root password 146Change the password for the root user. 147(Note that throughout the documentation, the term 148.Dq superuser 149is a synonym for the root user.) 150Choose a password that has numbers, digits, and special characters (not space) 151as well as from the upper and lower case alphabet. 152Do not choose any word in any language. 153It is common for an intruder to use dictionary attacks. 154Type the command 155.Ic /usr/bin/passwd 156to change it. 157.Pp 158It is a good idea to always specify the full path name for both the 159.Xr passwd 1 160and 161.Xr su 1 162commands as this inhibits the possibility of files placed in your execution 163.Ev PATH 164for most shells. 165Furthermore, the superuser's 166.Ev PATH 167should never contain the current directory 168.Po Dq \&. 169.Pc . 170.Ss System date 171Check the system date with the 172.Xr date 1 173command. 174If needed, change the date, and/or change the symbolic link of 175.Pa /etc/localtime 176to the correct time zone in the 177.Pa /usr/share/zoneinfo 178directory. 179.Pp 180Examples: 181.Bl -tag -width date 182.It Cm date 200205101820 183Set the current date to May 10th, 2002 6:20pm. 184.It Cm ln -fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime 185Set the time zone to Eastern Europe Summer Time. 186.El 187.Ss Console settings 188One of the first things you will likely need to do is to set up your 189keyboard map (and maybe some other aspects about the system console). 190To change your keyboard encoding, edit the 191.Dq Va encoding 192variable found in 193.Pa /etc/wscons.conf . 194.Pp 195.Xr wscons.conf 5 196contains more information about this file. 197.Ss Check hostname 198Use the 199.Ic hostname 200command to verify that the name of your machine is correct. 201See the man page for 202.Xr hostname 1 203if it needs to be changed. 204You will also need to change the contents of the 205.Dq Va hostname 206variable in 207.Pa /etc/rc.conf 208or edit the 209.Pa /etc/myname 210file to have it stick around for the next reboot. 211Note that 212.Dq Va hostname 213is supposed include a domainname, and that this should 214not be confused with YP (NIS) 215.Xr domainname 1 . 216If you are using 217.Xr dhclient 8 218to configure network interfaces, it might override these local hostname 219settings if your DHCP server specifies client's hostname with other network 220configurations. 221.Ss Verify network interface configuration 222The first thing to do is an 223.Ic ifconfig -a 224to see if the network interfaces are properly configured. 225Correct by editing 226.Pa /etc/ifconfig. Ns Ar interface 227or the corresponding 228.Dq Va ifconfig_ Ns Ar interface 229variable in 230.Xr rc.conf 5 231(where 232.Ar interface 233is the interface name, e.g., 234.Dq le0 ) 235and then using 236.Xr ifconfig 8 237to manually configure it 238if you do not wish to reboot. 239.Pp 240Alternatively, you can configure interfaces automatically via DHCP with 241.Xr dhclient 8 242if you have a DHCP server running somewhere on your network. 243To get 244.Xr dhclient 8 245to start automatically on boot, 246you will need to have this line in 247.Pa /etc/rc.conf : 248.Pp 249.Dl dhclient=YES 250.Pp 251See 252.Xr dhclient 8 253and 254.Xr dhclient.conf 5 255for more information on setting up a DHCP client. 256.Pp 257You can add new 258.Dq virtual interfaces 259by adding the required entries to 260.Pa /etc/ifconfig. Ns Ar interface . 261Read the 262.Xr ifconfig.if 5 263man page for more information on the format of 264.Pa /etc/ifconfig. Ns Ar interface 265files. 266The loopback interface will look something like: 267.Bd -literal -offset indent 268lo0: flags=8009\*[Lt]UP,LOOPBACK,MULTICAST\*[Gt] mtu 32972 269 inet 127.0.0.1 netmask 0xff000000 270 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 271 inet6 ::1 prefixlen 128 272.Ed 273.Pp 274an Ethernet interface something like: 275.Bd -literal -offset indent 276le0: flags=9863\*[Lt]UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST\*[Gt] 277 inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255 278 inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1 279.Ed 280.Pp 281and a PPP interface something like: 282.Bd -literal -offset indent 283ppp0: flags=8051\*[Lt]UP,POINTOPOINT,RUNNING,MULTICAST\*[Gt] 284 inet 203.3.131.108 --\*[Gt] 198.181.0.253 netmask 0xffff0000 285.Ed 286.Pp 287See 288.Xr mrouted 8 289for instructions on configuring multicast routing. 290.Ss Check routing tables 291Issue a 292.Ic netstat -rn 293command. 294The output will look something like: 295.Bd -literal -offset indent 296Routing tables 297 298Internet: 299Destination Gateway Flags Refs Use Mtu Interface 300default 192.168.4.254 UGS 0 11098028 - le0 301127 127.0.0.1 UGRS 0 0 - lo0 302127.0.0.1 127.0.0.1 UH 3 24 - lo0 303192.168.4 link#1 UC 0 0 - le0 304192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0 305192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0 306 307Internet6: 308Destination Gateway Flags Refs Use Mtu Interface 309::/96 ::1 UGRS 0 0 32972 lo0 =\*[Gt] 310::1 ::1 UH 4 0 32972 lo0 311::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0 312fc80::/10 ::1 UGRS 0 0 32972 lo0 313fe80::/10 ::1 UGRS 0 0 32972 lo0 314fe80::%le0/64 link#1 UC 0 0 1500 le0 315fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0 316ff01::/32 ::1 U 0 0 32972 lo0 317ff02::%le0/32 link#1 UC 0 0 1500 le0 318ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0 319.Ed 320.Pp 321The default gateway address is stored in the 322.Dq Va defaultroute 323variable in 324.Pa /etc/rc.conf , 325or in the file 326.Pa /etc/mygate . 327If you need to edit this file, a painless way to reconfigure the network 328afterwards is to issue 329.Bd -literal -offset indent 330.Ic /etc/rc.d/network restart 331.Ed 332.Pp 333Or, you may prefer to manually configure using a series of 334.Ic route add 335and 336.Ic route delete 337commands (see 338.Xr route 8 ) . 339If you run 340.Xr dhclient 8 341you will have to kill it by running 342.Bd -literal -offset indent 343.Ic /etc/rc.d/dhclient stop 344.Pp 345.Ed 346after you flush the routes. 347.Pp 348If you wish to route packets between interfaces, add one or both 349of the following directives (depending on whether IPv4 or IPv6 routing 350is required) to 351.Pa /etc/sysctl.conf : 352.Pp 353.Dl net.inet.ip.forwarding=1 354.Dl net.inet6.ip6.forwarding=1 355.Pp 356As an alternative, compile a new kernel with the 357.Dq GATEWAY 358option. 359Packets are not forwarded by default, due to RFC requirements. 360.Ss Secure Shell (SSH) 361By default, all services are disabled in a fresh 362.Nx 363installation, and SSH is no exception. 364You may wish to enable it so you can remotely control your system. 365Set 366.Dq Va sshd=YES 367in 368.Pa /etc/rc.conf 369and then starting the server with the command 370.Bd -literal -offset indent 371.Ic /etc/rc.d/sshd start 372.Ed 373.Pp 374The first time the server is started, it will generate a new keypair, 375which will be stored inside the directory 376.Pa /etc/ssh . 377.Ss BIND Name Server (DNS) 378If you are using the BIND Name Server, check the 379.Pa /etc/resolv.conf 380file. 381It may look something like: 382.Bd -literal -offset indent 383domain some.thing.dom 384nameserver 192.168.0.1 385nameserver 192.168.4.55 386search some.thing.dom. thing.dom. 387.Ed 388.Pp 389For further details, see 390.Xr resolv.conf 5 . 391Note the name service lookup order is set via 392.Xr nsswitch.conf 5 393mechanism. 394.Pp 395If using a caching name server add the line "nameserver 127.0.0.1" first. 396To get a local caching name server to run 397you will need to set 398.Dq named=YES 399in 400.Pa /etc/rc.conf 401and create the 402.Pa named.conf 403file in the appropriate place for 404.Xr named 8 , 405usually in 406.Pa /etc/namedb . 407The same holds true if the machine is going to be a 408name server for your domain. 409In both these cases, make sure that 410.Xr named 8 411is running 412(otherwise there are long waits for resolver timeouts). 413.Ss RPC-based network services 414Several services depend on the RPC portmapper 415.Xr rpcbind 8 416- formerly known as 417.Ic portmap 418- being running for proper operation. 419This includes YP (NIS) and NFS exports, among other services. 420To get the RPC portmapper to start automatically on boot, 421you will need to have this line in 422.Pa /etc/rc.conf : 423.Pp 424.Dl rpcbind=YES 425.Ss YP (NIS) Setup 426Check the YP domain name with the 427.Xr domainname 1 428command. 429If necessary, correct it by editing the 430.Pa /etc/defaultdomain 431file or by setting the 432.Dq Va domainname 433variable in 434.Pa /etc/rc.conf . 435The 436.Pa /etc/rc.d/network 437script reads this file on bootup to determine and set the domain name. 438You may also set the running system's domain name with the 439.Xr domainname 1 440command. 441To start YP client services, simply run 442.Ic ypbind , 443then perform the remaining 444YP activation as described in 445.Xr passwd 5 446and 447.Xr group 5 . 448.Pp 449In particular, to enable YP passwd support, you'll need to update 450.Pa /etc/nsswitch.conf 451to include 452.Dq nis 453for the 454.Dq passwd 455and 456.Dq group 457entries. 458A traditional way to accomplish the same thing is to 459add following entry to local passwd database via 460.Xr vipw 8 : 461.Bd -literal -offset indent 462.Li +:*:::::::: 463.Pp 464.Ed 465Note this entry has to be the very last one. 466This traditional way works with the default 467.Xr nsswitch.conf 5 468setting of 469.Dq passwd , 470which is 471.Dq compat . 472.Pp 473There are many more YP man pages available to help you. 474You can find more information by starting with 475.Xr nis 8 . 476.Ss Check disk mounts 477Check that the disks are mounted correctly by 478comparing the 479.Pa /etc/fstab 480file against the output of the 481.Xr mount 8 482and 483.Xr df 1 484commands. 485Example: 486.Bd -literal -offset indent 487.Li # Ic cat /etc/fstab 488/dev/sd0a / ffs rw 1 1 489/dev/sd0b none swap sw 490/dev/sd0e /usr ffs rw 1 2 491/dev/sd0f /var ffs rw 1 3 492/dev/sd0g /tmp ffs rw 1 4 493/dev/sd0h /home ffs rw 1 5 494 495.Li # Ic mount 496/dev/sd0a on / type ffs (local) 497/dev/sd0e on /usr type ffs (local) 498/dev/sd0f on /var type ffs (local) 499/dev/sd0g on /tmp type ffs (local) 500/dev/sd0h on /home type ffs (local) 501 502.Li # Ic df 503Filesystem 1024-blocks Used Avail Capacity Mounted on 504/dev/sd0a 22311 14589 6606 69% / 505/dev/sd0e 203399 150221 43008 78% /usr 506/dev/sd0f 10447 682 9242 7% /var 507/dev/sd0g 18823 2 17879 0% /tmp 508/dev/sd0h 7519 5255 1888 74% /home 509 510.Li # Ic pstat -s 511Device 512-blocks Used Avail Capacity Priority 512/dev/sd0b 131072 84656 46416 65% 0 513.Ed 514.Pp 515Edit 516.Pa /etc/fstab 517and use the 518.Xr mount 8 519and 520.Xr umount 8 521commands as appropriate. 522Refer to the above example and 523.Xr fstab 5 524for information on the format of this file. 525.Pp 526You may wish to do NFS mounts now too, or you can do them later. 527.Ss Concatenated disks (ccd) 528If you are using 529.Xr ccd 4 530concatenated disks, edit 531.Pa /etc/ccd.conf . 532You may wish to take a look to 533.Xr ccdconfig 8 534for more information about this file. 535Use the 536.Ic ccdconfig -U 537command to unload and the 538.Ic ccdconfig -C 539command to create tables internal to the kernel for the concatenated disks. 540You then 541.Xr mount 8 , 542.Xr umount 8 , 543and edit 544.Pa /etc/fstab 545as needed. 546.Ss Automounter daemon (AMD) 547To use the 548.Xr amd 8 549automounter, create the 550.Pa /etc/amd 551directory, copy example config files from 552.Pa /usr/share/examples/amd 553to 554.Pa /etc/amd 555and customize them as needed. 556Alternatively, you can get your maps with YP. 557.Ss Clock synchronization 558In order to make sure the system clock is synchronized 559to that of a publicly accessible NTP server, 560make sure that 561.Pa /etc/rc.conf 562contains the following: 563.Pp 564.Dl ntpdate=YES 565.Dl ntpd=YES 566.Pp 567See 568.Xr date 1 , 569.Xr ntpdate 8 , 570.Xr ntpd 8 , 571.Xr rdate 8 , 572and 573.Xr timed 8 574for more information on setting the system's date. 575.Sh CHANGING /etc FILES 576The system should be usable now, but you may wish to do more customizing, 577such as adding users, etc. 578Many of the following sections may be skipped 579if you are not using that package (for example, skip the 580.Sx Kerberos 581section if you won't be using Kerberos). 582We suggest that you 583.Ic cd /etc 584and edit most of the files in that directory. 585.Pp 586Note that the 587.Pa /etc/motd 588file is modified by 589.Pa /etc/rc.d/motd 590whenever the system is booted. 591To keep any custom message intact, ensure that you leave two blank lines 592at the top, or your message will be overwritten. 593.Ss Add new users 594To add new users and groups, there are 595.Xr useradd 8 596and 597.Xr groupadd 8 ; 598see also 599.Xr user 8 600for further programs for user and group manipulation. 601You may use 602.Xr vipw 8 603to add users to the 604.Pa /etc/passwd 605file 606and edit 607.Pa /etc/group 608by hand to add new groups. 609The manual page for 610.Xr su 1 , 611tells you to make sure to put people in 612the 613.Sq wheel 614group if they need root access (non-Kerberos). 615For example: 616.Bd -literal -offset indent 617wheel:*:0:root,myself 618.Ed 619.Pp 620Follow instructions for 621.Xr kerberos 8 622if using 623Kerberos 624for authentication. 625.Ss System boot scripts and /etc/rc.local 626.Pa /etc/rc 627and the 628.Pa /etc/rc.d/* 629scripts are invoked at boot time after single user mode has exited, 630and at shutdown. 631The whole process is controlled by the master script 632.Pa /etc/rc . 633This script should not be changed by administrators. 634.Pp 635The directory 636.Pa /etc/rc.d 637contains a series of scripts used at startup/shutdown, called by 638.Pa /etc/rc . 639.Pa /etc/rc 640is in turn influenced by the configuration variables present in 641.Pa /etc/rc.conf . 642.Pp 643The script 644.Pa /etc/rc.local 645is run as the last thing during multiuser boot, and is provided 646to allow any other local hooks necessary for the system. 647.Ss rc.conf 648To enable or disable various services on system startup, 649corresponding entries can be made in 650.Pa /etc/rc.conf . 651You can take a look at 652.Pa /etc/defaults/rc.conf 653to see a list of default system variables, which you can override in 654.Pa /etc/rc.conf . 655Note you are 656.Em not 657supposed to change 658.Pa /etc/defaults/rc.conf 659directly, edit only 660.Pa /etc/rc.conf . 661See 662.Xr rc.conf 5 663for further information. 664.Ss X Display Manager 665If you've installed X, you may want to turn on 666.Xr xdm 1 , 667the X Display Manager. 668To do this, set 669.Dq xdm=YES 670in 671.Pa /etc/rc.conf . 672.Ss Printers 673Edit 674.Pa /etc/printcap 675and 676.Pa /etc/hosts.lpd 677to get any printers set up. 678Consult 679.Xr lpd 8 680and 681.Xr printcap 5 682if needed. 683.Ss Tighten up security 684In 685.Pa /etc/inetd.conf 686comment out any extra entries you do not need, and only add things 687that are really needed. 688Note that by default all services are disabled for security reasons. 689.Ss Kerberos 690If you are going to use Kerberos for authentication, 691see 692.Xr kerberos 8 693and 694.Dq info heimdal 695for more information. 696If you already have a Kerberos master, change directory to 697.Pa /etc/kerberosV 698and configure. 699Remember to get a 700.Pa srvtab 701from the master so that the remote commands work. 702.Ss Mail Aliases 703Check 704.Pa /etc/mail/aliases 705and update appropriately if you want e-mail to be routed 706to non-local addresses or to different users. 707.Pp 708Run 709.Xr newaliases 1 710after changes. 711.Ss Postfix 712.Nx 713uses Postfix as its MTA. 714Postfix is started by default, but its initial configuration does not 715cause it to listen on the network for incoming connections. 716To configure Postfix, see 717.Pa /etc/postfix/main.cf 718and 719.Pa /etc/postfix/master.cf . 720If you wish to use a different MTA (e.g., sendmail), install your MTA of 721choice and edit 722.Pa /etc/mailer.conf 723to point to the proper binaries. 724.Ss DHCP server 725If this is a 726DHCP 727server, edit 728.Pa /etc/dhcpd.conf 729and 730.Pa /etc/dhcpd.interfaces 731as needed. 732You will have to make sure 733.Pa /etc/rc.conf 734has 735.Dq dhcpd=YES 736or run 737.Xr dhcpd 8 738manually. 739.Ss Bootparam server 740If this is a 741Bootparam 742server, edit 743.Pa /etc/bootparams 744as needed. 745You will have to turn it on in 746.Pa /etc/rc.conf 747by adding 748.Dq bootparamd=YES . 749.Ss NFS server 750If this is an NFS server, make sure 751.Pa /etc/rc.conf 752has: 753.Bd -literal -offset indent 754nfs_server=YES 755mountd=YES 756rpcbind=YES 757.Ed 758.Pp 759Edit 760.Pa /etc/exports 761and get it correct. 762After this, you can start the server by issuing: 763.Bd -literal -offset indent 764.Ic /etc/rc.d/rpcbind start 765.Ic /etc/rc.d/mountd start 766.Ic /etc/rc.d/nfsd start 767.Ed 768which will also start dependencies. 769.Ss HP remote boot server 770Edit 771.Pa /etc/rbootd.conf 772if needed for remote booting. 773If you do not have HP computers doing remote booting, do not enable this. 774.Ss Daily, weekly, monthly scripts 775Look at and possibly edit the 776.Pa /etc/daily.conf , /etc/weekly.conf , 777and 778.Pa /etc/monthly.conf 779configuration files. 780You can check which values you can set by looking 781to their matching files in 782.Pa /etc/defaults . 783Your site specific things should go into 784.Pa /etc/daily.local , /etc/weekly.local , 785and 786.Pa /etc/monthly.local . 787.Pp 788These scripts have been limited so as to keep the system running without 789filling up disk space from normal running processes and database updates. 790(You probably do not need to understand them.) 791.Ss Other files in /etc 792Look at the other files in 793.Pa /etc 794and edit them as needed. 795(Do not edit files ending in 796.Pa .db 797\(em like 798.Pa pwd.db , spwd.db , 799nor 800.Pa localtime , 801nor 802.Pa rmt , 803nor any directories.) 804.Ss Crontab (background running processes) 805Check what is running by typing 806.Ic crontab -l 807as root 808and see if anything unexpected is present. 809Do you need anything else? 810Do you wish to change things? 811For example, if you do not 812like root getting standard output of the daily scripts, and want only 813the security scripts that are mailed internally, you can type 814.Ic crontab -e 815and change some of the lines to read: 816.Bd -literal -offset indent 81730 1 * * * /bin/sh /etc/daily 2\*[Gt]\*[Am]1 \*[Gt] /var/log/daily.out 81830 3 * * 6 /bin/sh /etc/weekly 2\*[Gt]\*[Am]1 \*[Gt] /var/log/weekly.out 81930 5 1 * * /bin/sh /etc/monthly 2\*[Gt]\*[Am]1 \*[Gt] /var/log/monthly.out 820.Ed 821.Pp 822See 823.Xr crontab 5 . 824.Ss Next day cleanup 825After the first night's security run, change ownerships and permissions 826on files, directories, and devices; root should have received mail 827with subject: "\*[Lt]hostname\*[Gt] daily insecurity output.". 828This mail contains 829a set of security recommendations, presented as a list looking like this: 830.Bd -literal -offset indent 831var/mail: 832 permissions (0755, 0775) 833etc/daily: 834 user (0, 3) 835.Ed 836.Pp 837The best bet is to follow the advice in that list. 838The recommended setting is the first item in parentheses, while 839the current setting is the second one. 840This list is generated by 841.Xr mtree 8 842using 843.Pa /etc/mtree/special . 844Use 845.Xr chmod 1 , 846.Xr chgrp 1 , 847and 848.Xr chown 8 849as needed. 850.Ss Packages 851Install your own packages. 852The 853.Nx 854packages collection, pkgsrc, includes a large set of third-party software. 855A lot of it is available as binary packages that you can download from 856.Pa ftp://ftp.NetBSD.org/pub/NetBSD/packages/ 857or a mirror, and install using 858.Xr pkg_add 1 . 859See 860.Pa http://www.NetBSD.org/docs/pkgsrc/ 861and 862.Pa pkgsrc/doc/pkgsrc.txt 863for more details. 864.Pp 865Copy vendor binaries and install them. 866You will need to install any shared libraries, etc. 867(Hint: 868.Ic man -k compat 869to find out how to install and use compatibility mode.) 870.Pp 871There is also other third-party software that is available 872in source form only, either because it has not been ported to 873.Nx 874yet, because licensing restrictions make binary redistribution 875impossible, or simply because you want to build your own binaries. 876Sometimes checking the mailing lists for 877past problems that people have encountered will result in a fix posted. 878.Ss Check the running system 879You can use 880.Xr ps 1 , 881.Xr netstat 1 , 882and 883.Xr fstat 1 884to check on running processes, network connections, and opened files, 885respectively. 886Other tools you may find useful are 887.Xr systat 1 888and 889.Xr top 1 . 890.Sh COMPILING A KERNEL 891Note: 892The standard 893.Nx 894kernel configuration (GENERIC) is suitable for most purposes. 895.Pp 896First, review the system message buffer in 897.Pa /var/run/dmesg.boot 898and by using the 899.Xr dmesg 8 900command to find out information on your system's devices as probed by the 901kernel at boot. 902In particular, note which devices were not configured. 903This information will prove useful when editing kernel configuration files. 904.Pp 905To compile a kernel inside a writable source tree, do the following: 906.Bd -literal -offset indent 907$ cd /usr/src/sys/arch/SOMEARCH/conf 908$ cp GENERIC SOMEFILE (only the first time) 909$ vi SOMEFILE (adapt to your needs) 910$ config SOMEFILE 911$ cd ../compile/SOMEFILE 912$ make depend 913$ make 914.Ed 915.Pp 916where 917.Ar SOMEARCH 918is the architecture (e.g., i386), and 919.Ar SOMEFILE 920should be a name indicative of a particular configuration (often 921that of the hostname). 922.Pp 923If you are building your kernel again, before you do a 924.Ic make 925you should do a 926.Ic make clean 927after making changes to your kernel options. 928.Pp 929After either of these two methods, you can place the new kernel (called 930.Pa netbsd ) 931in 932.Pa / 933(i.e., 934.Pa /netbsd ) 935by issuing 936.Ic make install 937and the system will boot it next time. 938The old kernel is stored as 939.Pa /onetbsd 940so you can boot it in case of failure. 941.Pp 942If you are using toolchain to build your kernel, you will also need to 943build a new set of toolchain binaries. 944You can do it by changing into 945.Pa /usr/src 946and issuing: 947.Bd -literal -offset indent 948$ cd /usr/src 949$ K=sys/arch/`uname -m`/conf 950$ cp $K/GENERIC $K/SOMEFILE 951$ vi $K/SOMEFILE (adapt to your needs) 952$ ./build.sh tools 953$ ./build.sh kernel=SOMEFILE 954.Ed 955.Sh SYSTEM TESTING 956At this point, the system should be fully configured to your liking. 957It is now a good time to ensure that the system behaves according to 958its specifications and that it is stable on your hardware. 959Please refer to 960.Xr tests 7 961for details on how to do so. 962.Sh SEE ALSO 963.Xr chgrp 1 , 964.Xr chmod 1 , 965.Xr config 1 , 966.Xr crontab 1 , 967.Xr date 1 , 968.Xr df 1 , 969.Xr domainname 1 , 970.Xr fstat 1 , 971.Xr hostname 1 , 972.Xr make 1 , 973.Xr man 1 , 974.Xr netstat 1 , 975.Xr newaliases 1 , 976.Xr passwd 1 , 977.Xr pkg_add 1 , 978.Xr ps 1 , 979.Xr ssh 1 , 980.Xr su 1 , 981.Xr systat 1 , 982.Xr top 1 , 983.Xr xdm 1 , 984.Xr ccd 4 , 985.Xr aliases 5 , 986.Xr crontab 5 , 987.Xr dhclient.conf 5 , 988.Xr exports 5 , 989.Xr fstab 5 , 990.Xr group 5 , 991.Xr ifconfig.if 5 , 992.Xr mailer.conf 5 , 993.Xr nsswitch.conf 5 , 994.Xr passwd 5 , 995.Xr printcap 5 , 996.Xr rc.conf 5 , 997.Xr resolv.conf 5 , 998.Xr sshd_config 5 , 999.Xr wscons.conf 5 , 1000.Xr hier 7 , 1001.Xr hostname 7 , 1002.Xr pkgsrc 7 , 1003.Xr tests 7 , 1004.Xr amd 8 , 1005.Xr ccdconfig 8 , 1006.Xr chown 8 , 1007.Xr dhclient 8 , 1008.Xr dhcpd 8 , 1009.Xr dmesg 8 , 1010.Xr groupadd 8 , 1011.Xr ifconfig 8 , 1012.Xr inetd 8 , 1013.Xr kerberos 8 , 1014.Xr lpd 8 , 1015.Xr mount 8 , 1016.Xr mrouted 8 , 1017.Xr mtree 8 , 1018.Xr named 8 , 1019.Xr nis 8 , 1020.Xr ntpd 8 , 1021.Xr ntpdate 8 , 1022.Xr rbootd 8 , 1023.Xr rc 8 , 1024.Xr rdate 8 , 1025.Xr rmt 8 , 1026.Xr route 8 , 1027.Xr rpc.bootparamd 8 , 1028.Xr rpcbind 8 , 1029.Xr sshd 8 , 1030.Xr timed 8 , 1031.Xr umount 8 , 1032.Xr useradd 8 , 1033.Xr vipw 8 , 1034.Xr yp 8 , 1035.Xr ypbind 8 1036.Sh HISTORY 1037This document first appeared in 1038.Ox 2.2 . 1039It has been adapted to 1040.Nx 1041and first appeared in 1042.Nx 2.0 . 1043