None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.
Setting the schg flag is just silly, you'll have to boot into single-user mode if you ever need to recompile your kernel or adjust firewall rules.. you cannot remove those flags unless the securelevel is <= 0.
Swap is already encrypted, vm.swapencrypt.enable is already 1.. redundant much?
The services running as part of inetd are not insecure, and if you're concerned that someone will find a problem.. block access using pf.
There is no telnetd included with OpenBSD, that makes no sense at all.
OpenBSD "as-is" has been audited by some very intelligent people, the term "secure by default" isn't just a slogan.. they have 10 years of a fairly clean track record to prove it.
Want to harden the system? Learn more about it first.. you'll find you have no reason to make such drastic changes to the base system.