OpenBSD Installation and Upgrading (Installing and upgrading OpenBSD)
I am in the process of documenting my install.site/siteXXX.tgz framework. See my PM to you.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Quote:
1. Appending and replacing a bunch of files in /etc/, such as pf.conf, rc.conf.local, group, dhcpd.conf, sudoers, resolv.conf, sysctl.conf and printcap, as well as the foomatic directory populated by PPDs for printers.
2. I also need to upload scanner firmware into /usr/local/share/sane/snapscan.
3. The permissions for printers, scanners and USBs have to be adjusted so that users can use them.
4. Packages should install and configure automatically.
5. dotfiles should install automatically per user.
What I am really after is a standard security-hardened desktop which can be installed with minimal human intervention in 20-30 minutes.
Most Kind Regards,
OKO
Code:
echo --- patch script for: sysctl.conf --- BEGIN
# --- edit the following line if needed
FILE=./sysctl.conf
FILE=/etc/sysctl.conf
# --- patch it !
cat <<END_OF_PATCH | patch -b -p0 ${FILE}
--- ORIG/sysctl.conf Wed Aug 8 14:19:57 2007
+++ NEW/sysctl.conf Wed Aug 8 14:59:26 2007
@@ -4,7 +4,7 @@
 # boot time. See sysctl(3) and sysctl(8) for more information on
 # the many available variables.
 #
-#net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
+net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
 #net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
 #net.inet.ip.multipath=1 # 1=Enable IP multipath routing
 #net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
END_OF_PATCH
echo --- patch script for: sysctl.conf --- END

To replace complete files, you create a 'shadow' file system and populate this file system with whatever you want to overwrite the original ones with.
Code:
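Review bot: the exit status of `patch -b -p0 ${FILE}` in the sysctl.conf patch script is never checked, so if the installed sysctl.conf no longer matches the 2007 context lines of the hunk (`# boot time. See sysctl(3) and sysctl(8) for more information on`), the hunk lands in sysctl.conf.rej and install.site carries on with forwarding still disabled; append `|| echo "sysctl.conf patch FAILED"` (or exit non-zero) so the failure is visible on the installer console. Also note that the two consecutive `FILE=` assignments leave only `/etc/sysctl.conf` in effect; the `./sysctl.conf` line is dead unless the second one is commented out.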
# pwd
/root/SITEXX
# ls -lR FILES
drwxr-xr-x  2 root  wheel  512 Feb 14 06:53 etc
drwx------  2 root  wheel  512 Feb 14 06:57 root

FILES/etc:
-rw-------  1 root  wheel    18 Feb 14 06:53 pf.conf

FILES/root:
-rw-r-----  1 root  wheel  1590 Mar  8  2010 PKGenv
-rw-r-----  1 root  wheel   244 Mar 14  2010 _boot-bsd.rd
-rw-r-----  1 root  wheel   764 Jan 31  2010 _serialconsole
-rw-r-----  1 root  wheel  1126 Jan 27  2010 format_fstab
Code:
# make sitexx
WARNING: No install.site !!!
tar cvzf site49.tgz -C FILES .
.
./etc
./etc/pf.conf
./root
./root/format_fstab
./root/_serialconsole
./root/_boot-bsd.rd
./root/PKGenv

Normally it will also add an 'install.site' script. Because in this case it did not exist, a warning is issued.
Besides the 'siteXX.tgz' file, the OpenBSD installer also automagically untars a file called 'siteXX-HOSTNAME.tgz' for host/box-specific files. A sibling directory of the above-mentioned directory FILES is FILES.plato:
Code:
# ls -lR FILES.plato
drwxr-xr-x  3 root  wheel  512 Feb 17 08:05 etc
-rw-r--r--  1 root  wheel   28 Feb 17 03:07 plato.txt

FILES.plato/etc:
-rw-------  1 root  wheel  1758 Feb 24  2010 pf.conf
drwxr-xr-x  2 root  wheel   512 Feb 17 08:04 skel

FILES.plato/etc/skel:
-rw-r--r--  1 root  wheel  118 Feb 17 08:04 .exrc
Code:
# make sitebox
tar cvzf site49-plato.tgz -C FILES.plato .
.
./plato.txt
./etc
./etc/pf.conf
./etc/skel
./etc/skel/.exrc
Code:
# ---
export PKG_PATH="=pkg_path="
export PKG_CACHE=/home/packages
mkdir -p ${PKG_CACHE}
PACKAGES="=packages="
echo Installing the following packages from $PKG_PATH
echo $PACKAGES | tr ' ' '\n'
echo -------------------------------------------------
pkg_add -v $PACKAGES
echo ===End of 'pkg_add'===

These values are defined as Makefile variables, initialized with the contents of files. The 'patched' result is then appended to 'install.site'. BTW, I only install simple packages without too many dependencies from install.site. No gnome, kde or even firefox. I do that when the system is rebooted for the first time. Remember that during install time you have a rather limited environment.
Or use a simple shell snippet like '_exrc.root' for 'install.site':
Code:
#----------------------------------------
FILE=/root/.exrc
#FILE=$( basename ${FILE} )
echo Creating ${FILE}
cat <<END > ${FILE}
set showmode
set verbose
set ruler
set number
set autoindent
set prompt
set showmatch
set shiftwidth=4
set windowname
END
Code:
# --- script building blocks ---
COMMON= \
	_ksh-prompt \
	_disable-inetd \
	_comment-inetd.conf \
	_user-j65nko-snap \
	_rootmail-to-j65nko \
	_sshpubkey-j65nko \
	_sshd-inet-noroot \
	_ssh_config-inet-protocol2 \
	_sudo-wheel \
	_PKGenv-i386

# -- individual blocks : parts.${BOX}
parts.apollo= \
	_ntp-server-192.168.222.10 \
	_start-ntpd \
	_softupdates_adefghi

parts.althusser= \
	_ntp-server-192.168.222.10 \
	_start-ntpd \
	_softupdates_a

# -- AMD64 board
parts.hercules= \
	_ntp-server-192.168.222.10 \
	_enable_lpd \
	_softupdates_a \
	_PKGenv-amd64
Code:
SCRIPT = ${COMMON} ${parts.${BOX}} sh.pkg

Now the makefile only has to do a:
Code:
cat ${SCRIPT} >install.site

It is neither difficult nor complicated.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
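The two steps of the framework described in the post above, concatenating building blocks into install.site and packing a shadow tree into siteXX.tgz, as an added POSIX sh example that is not j65nko's makefile or scripts. Because the installer unpacks the tarball over / and runs install.site as root, the example adds the checks worth doing before shipping the result: the assembled install.site is syntax-checked with sh -n, and the shadow tree is refused if it contains group/world-writable or setuid files, or a file from a SECRET_FILES list that is readable by other. Function names, the SECRET_FILES list and the constructed blocks and tree in demo() are assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not j65nko's code: assemble install.site from building
# blocks and pack a shadow tree into siteXX.tgz, with pre-ship checks.
# Function/variable names are assumptions; demo() constructs its inputs.
set -u

# Files in the shadow tree that must not be readable by "other" once
# unpacked over /. Assumed list: pf.conf because the post stages it 0600;
# extend with sudoers, ssh host keys etc. as your tree requires.
SECRET_FILES="etc/pf.conf"

# assemble_install_site OUT BLOCK...
# Concatenates the building blocks into OUT (the makefile's
# "cat ${SCRIPT} >install.site"), labels each block, then runs "sh -n"
# so a typo in one block is caught now, not on the installer console.
# Returns 1 on a missing block or a parse error.
assemble_install_site() {
    site_out=$1
    shift
    : > "$site_out"
    for block in "$@"; do
        if [ ! -f "$block" ]; then
            echo "missing building block: $block" >&2
            return 1
        fi
        printf '# ===== %s =====\n' "$(basename "$block")" >> "$site_out"
        cat "$block" >> "$site_out"
        printf '\n' >> "$site_out"
    done
    if ! sh -n "$site_out"; then
        echo "$site_out does not parse; not shipping it" >&2
        return 1
    fi
    chmod 0755 "$site_out"
}

# audit_tree DIR
# Modes in the shadow tree become modes on the installed system, so flag
# files writable by group/other, setuid/setgid files, and SECRET_FILES
# readable by other. Returns 1 if anything was flagged.
audit_tree() {
    tree=$1
    audit_rc=0
    writable=$(find "$tree" -type f \( -perm -020 -o -perm -002 \))
    if [ -n "$writable" ]; then
        printf 'group/world-writable:\n%s\n' "$writable" >&2
        audit_rc=1
    fi
    suid=$(find "$tree" -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$suid" ]; then
        printf 'setuid/setgid:\n%s\n' "$suid" >&2
        audit_rc=1
    fi
    for rel in $SECRET_FILES; do
        [ -f "$tree/$rel" ] || continue
        if [ -n "$(find "$tree/$rel" -perm -004)" ]; then
            echo "$rel is readable by other" >&2
            audit_rc=1
        fi
    done
    return $audit_rc
}

# pack_site DIR OUT
# Equivalent of "tar cvzf siteXX.tgz -C FILES ." but refuses a tree that
# fails audit_tree. Prints the archive listing on success.
pack_site() {
    pack_tree=$1
    pack_out=$2
    audit_tree "$pack_tree" || return 1
    tar czf "$pack_out" -C "$pack_tree" . || return 1
    tar tzf "$pack_out"
}

# demo: constructed blocks and shadow tree in a temp dir, then both steps.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/blocks" "$work/FILES/etc" "$work/FILES/root"
    printf 'echo installing site\n' > "$work/blocks/_banner"
    printf 'echo creating /root/.exrc\n' > "$work/blocks/_exrc"
    printf 'set skip on lo0\n' > "$work/FILES/etc/pf.conf"   # constructed
    chmod 0600 "$work/FILES/etc/pf.conf"
    assemble_install_site "$work/FILES/install.site" \
        "$work/blocks/_banner" "$work/blocks/_exrc" &&
        pack_site "$work/FILES" "$work/site49.tgz"
    demo_rc=$?
    rm -rf "$work"
    return $demo_rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh build_site.sh demo` to see the archive listing; a block that fails `sh -n`, or a pf.conf left at 0644, makes the run stop with a non-zero status and nothing is packed. Keeping install.site at the top of the shadow tree mirrors the post, where the makefile warns when it is absent.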