Ruby can be installed through Ports from the /usr/ports/lang/ruby directory; other Ruby-related software lives in /usr/ports/devel and /usr/ports/www with a ruby- prefix. If you're looking for Ruby on Rails, you can find it in /usr/ports/www/ruby-rails.
8.5 Python
Python 2.3 and 2.4 are available through Ports in the /usr/ports/lang/python directory. Extra Python modules and other Python-related software can generally be found in the /usr/ports/devel directory with a py- prefix. Some Apache-specific Python software can be found in the /usr/ports/www directory.
Chapter 9 Automation and Reporting
Since "The OpenBSD Crash Course" is not a guide to the Unix/BSD/GNU command-line environment, the exact usage of the system logger and the cron daemon will not be covered here. The sections below cover how to use them on OpenBSD; for a full explanation of what they are and what they do, consult their manpages (cron(8), crontab(1), crontab(5), syslogd(8) and syslog.conf(5)).
9.1 The Cron Daemon
OpenBSD's automatic script execution utility is derived from Vixie cron, and as with most cron implementations on other Unix-like operating systems, a cron table is edited with the crontab -e command. The default editor for this is vi. If you list root's crontab right now with crontab -l, you'll notice that it already holds a page or so of entries. Most of these are necessary for regular OpenBSD maintenance, though you can certainly adjust them if needed. (Be careful with a bare crontab command with no options: it reads a new table from standard input and replaces the existing one.) Each user has a private cron table, but if you want to restrict this privilege to only certain users, you can do so with the /var/cron/cron.allow and/or /var/cron/cron.deny config files. You may want to take a look around /var/cron to see some of the other files there as well, including the installed tables under /var/cron/tabs.
OpenBSD's cron can run commands or scripts on two kinds of schedule: the traditional five-field time format (minute, hour, day of the month, month, day of the week) and the simpler word shortcuts:
@monthly
@weekly
@daily
@hourly
Hourly runs at the top of the hour, daily tasks run at midnight, weekly runs at midnight on Sunday, and monthly runs at midnight on the first of every month.
The OpenBSD standard cron scripts are /etc/daily, /etc/weekly, and /etc/monthly, all of which have default entries in root's crontab.
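As an added example (not a script from "The OpenBSD Crash Course"), the following audits a crontab in the format described above and flags entries whose command is a world-writable or nonexistent file. A root crontab pointing at a world-writable script lets any local user run code as root at the next scheduled time, which is exactly the class of problem the daily security report (covered in the next section) looks for in the base system. It handles both the five-field and the @word schedule formats; the file names and crontab entries it creates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not a script from "The OpenBSD Crash Course": audit a crontab
# for entries whose command is a world-writable or missing file. Handles both
# the five-field and the @word schedule formats. Sample entries and paths
# below are constructed for the demonstration.

# Print the command portion of one crontab line; print nothing for blank
# lines, comments and VAR=value environment assignments such as MAILTO=root.
cron_command() {
    case "$1" in
        ''|'#'*)
            return 0 ;;
        @reboot*|@yearly*|@annually*|@monthly*|@weekly*|@daily*|@midnight*|@hourly*)
            # @word form: a single schedule field precedes the command
            printf '%s\n' "$1" | sed 's/^@[A-Za-z]*[[:space:]]*//' ;;
        [A-Za-z_]*=*)
            return 0 ;;
        *)
            # five-field form: drop minute hour day-of-month month day-of-week
            printf '%s\n' "$1" | awk '{ for (i = 1; i <= 5; i++) $i = ""; sub(/^[ \t]+/, ""); print }' ;;
    esac
}

# Report problem entries in the crontab file $1, one line each:
#   UNSAFE: <path>    executable is writable by everyone (ls "others" write bit)
#   MISSING: <path>   executable does not exist
#   RELATIVE: <name>  resolved through cron's own PATH (/usr/bin:/bin by default)
# Returns 1 if any UNSAFE or MISSING entry was found, 0 otherwise.
audit_crontab() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        cmd=$(cron_command "$line")
        [ -n "$cmd" ] || continue
        exe=${cmd%% *}                 # first word of the command
        case "$exe" in
            /*)
                if [ ! -e "$exe" ]; then
                    echo "MISSING: $exe"; rc=1
                elif [ "$(ls -ld "$exe" | cut -c9)" = w ]; then
                    echo "UNSAFE: $exe"; rc=1
                fi ;;
            *)
                echo "RELATIVE: $exe" ;;
        esac
    done < "$1"
    return $rc
}

# Constructed demonstration: a safe entry, a world-writable script and a
# script that no longer exists.
demo=$(mktemp -d)
printf '#!/bin/sh\necho backup\n' > "$demo/backup.sh"; chmod 755 "$demo/backup.sh"
printf '#!/bin/sh\necho rotate\n' > "$demo/rotate.sh"; chmod 777 "$demo/rotate.sh"
cat > "$demo/crontab" <<EOF
MAILTO=root
# nightly backup at 02:15
15 2 * * * $demo/backup.sh
@daily $demo/rotate.sh --all
@weekly $demo/cleanup.sh
EOF
audit_crontab "$demo/crontab" || echo "crontab needs attention"
rm -rf "$demo"
```

To check a real table, run it against /var/cron/tabs/root (or the output of crontab -l redirected to a file). The RELATIVE lines are informational: cron runs commands with its own minimal PATH, so a bare command name that works in your login shell may resolve to something else, or to nothing, under cron.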
9.2 Insecurity Reports
At some point you may notice that the root account gets two email messages from the system every day. Both are produced by the /etc/daily script, which root's crontab runs early in the morning. Make sure root's mail actually reaches someone, for example by pointing root at a real mailbox in /etc/mail/aliases and running newaliases; a report nobody reads is no report at all.
One email is the daily output report, which tells you how much traffic your network interfaces handled and the state of your disk partitions and filesystems. It's helpful to keep an eye on these things to make sure that you don't run out of disk space and that there are no software problems (which can show up as unusually high or low network bandwidth numbers).
The second email is the daily security audit, produced by /etc/security. It checks file permissions in the base system to make sure that files which should not be executable are not, and that configuration files which should not be world-readable are protected. It also shows a diff of any changes to certain watched files, such as /etc/resolv.conf, since the previous run.
9.3 Syslog
There's nothing fancy about OpenBSD's system logger: it's the plain old syslog that you know and love. Where each message ends up is decided by /etc/syslog.conf. The default configuration distributes the system log output by facility across several topic-specific files under /var (for example /var/log/authlog and /var/cron/log), with /var/log/messages as the catch-all. You may want to look this config file over to make sure it's reporting to your preferences.
Chapter 10 Keeping OpenBSD Up-to-Date
While OpenBSD may have had only one remote security hole in the default install in more than 10 years, the statistics are a little different for nondefault installs. The more services you enable and the more programs you install, the more you have to worry about applying security patches. The subsections below tell you how to keep your operating environment up-to-date with the latest security patches.
No matter what operating system you use, securing it is a process, not an event. Most of the processes below should be turned into scripts and automated through cron, or performed manually on a regular (probably weekly or monthly) basis.
10.1 Staying Up-to-Date with Ports and Packages
If you followed the earlier directions for setting the PKG_PATH and FETCH_PACKAGES variables, all you have to do to update your packages is run this command:
pkg_add -ui
If you have programs compiled through Ports, you'll have to update the Ports tree in accordance with the -STABLE branch (also known as the "patch branch") to get updated security patches. With the sole exception of OpenSSH, new versions of programs are never made available through the patch branch; all you get are patches for security holes. If you want newer versions, you have to run -CURRENT (the active development branch of OpenBSD) or wait a few months for the next official release. If you run a -CURRENT Ports tree, you must run a -CURRENT source tree as well. The -CURRENT branch is meant for OpenBSD developers and people who like to work with rapidly changing and possibly experimental software; do not use it in a production environment.
Here's how to switch Ports from the -RELEASE to the -STABLE branch to keep everything secure and up-to-date:
1 Start by updating the Ports infrastructure so that it includes post-release patches. To do this, you need the address of an anonymous OpenBSD CVS server. There is a complete and current list of OpenBSD 4.0 AnonCVS servers on this site: http://www.openbsd.org/anoncvs.html#CVSROOT
2 Make that CVS server the default for your system by editing the ~/.profile config file and adding this line somewhere (substitute your chosen AnonCVS mirror for the one in the example):
export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
3 The above setting will not take effect until you log out and log back in, so make it valid for the current session by typing the same line into a root terminal (again, substitute your chosen mirror):
export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
4 Now you're ready to update the Ports tree. Change to its directory:
cd /usr/ports
5 Next, fetch the updated code. The tag must match the release you are running (OPENBSD_4_0 for OpenBSD 4.0):
cvs -q up -r OPENBSD_4_0 -Pd
6 Now recompile or refetch updated packages:
make update
Once it's done compiling, your Ports tree will be up-to-date. You should also switch your base system to the patch branch; go on to the next subsection to learn how to do that.
One last note: the preceding change to the ~/.profile configuration file will work only for the current user, which is assumed to be root. If you use the su command to switch to root from an unprivileged user account, you will have to make this change to that user's ~/.profile as well.
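The steps above, collected into a script as an added example (not a script from "The OpenBSD Crash Course"). The one thing it adds to the procedure is a check that the patch-branch tag is derived from the release actually installed (uname -r), so that the wrong tag cannot be checked out onto a box by habit or typo. The mirror in CVSROOT is a placeholder to be replaced with your chosen AnonCVS server, PKG_PATH is assumed to be set as described earlier, and it rebuilds only the ports named on its command line.

```sh
#!/bin/sh
# Added example, not a script from "The OpenBSD Crash Course": bring the Ports
# tree to the patch branch that matches the installed release, rebuild the
# ports named on the command line from it, then update binary packages.
# The mirror in CVSROOT is a placeholder; PKG_PATH is assumed to be set.

# Map a release string such as "4.0" to its patch-branch tag ("OPENBSD_4_0").
# Anything that does not look like X.Y is rejected rather than guessed at,
# so a typo cannot silently pull the wrong branch.
stable_tag() {
    case "$1" in
        [0-9].[0-9])
            printf 'OPENBSD_%s\n' "$(printf '%s' "$1" | tr . _)" ;;
        *)
            echo "stable_tag: '$1' does not look like an OpenBSD release" >&2
            return 1 ;;
    esac
}

# Update /usr/ports to -STABLE and rebuild the given ports (e.g. www/ruby-rails).
# Only runs when this file is invoked as: sh update-ports.sh run port [port...]
update_ports() {
    tag=$(stable_tag "$(uname -r)") || return 1
    : "${CVSROOT:=anoncvs@anoncvs1.usa.openbsd.org:/cvs}"   # placeholder mirror
    export CVSROOT
    cd /usr/ports || return 1
    cvs -q up -r "$tag" -Pd || return 1
    for port in "$@"; do
        # make update rebuilds the port and replaces the installed package
        (cd "/usr/ports/$port" && make update) || return 1
    done
    pkg_add -ui      # binary packages from PKG_PATH are updated separately
}

if [ "${1:-}" = run ]; then
    shift
    update_ports "$@"
fi
```

Run it as root with the ports you built from source, for example `sh update-ports.sh run www/ruby-rails`, and schedule it through cron once you are happy with it, as the chapter introduction suggests.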
10.2 Switching to the OpenBSD 4.0-STABLE Branch
Switching to the -STABLE edition of OpenBSD 4.0 means that you will have to recompile the base system from source code. This will take up a significant amount of space in /usr/src, and it will take anywhere from half an hour to several hours to perform the recompile. In other words, this is not a trivial process, and on a production server it should be scheduled for off-peak hours.
Let's get started:
1 The first thing you have to do to switch to the patch branch is to download the updated source code for your system. If you do not currently have the OpenBSD source code installed in /usr/src, it will be easier to download the source tarball from an OpenBSD FTP mirror or disc 3 of the official CD set than to download everything from the AnonCVS server. The file is called src.tar.gz, and you want to unpack it into the /usr/src directory (the kernel sources ship separately as sys.tar.gz and unpack into the same place). There are instructions for doing this earlier in "The OpenBSD Crash Course."
2 Next you need to update the source code to include post-release patches. To do that, you need the address of an anonymous OpenBSD CVS server; use the list of OpenBSD 4.0 AnonCVS servers referenced in the previous section.
3 Make that CVS server the default for your system by editing the ~/.profile config file as instructed in the previous section.
4 The above step will not take effect until you log out and log back in, so make it valid for the current session by typing the same line into a root terminal (again, substitute your chosen mirror):
export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
5 Now change to the proper directory:
cd /usr
6 Then use CVS to fetch the -STABLE source code:
cvs checkout -P -rOPENBSD_4_0 src
7 Once the code is done downloading, it's time to compile it. You're going to start with the kernel, then reboot into the new kernel, then recompile the rest of the base system (sometimes referred to as the "userland"), and then reboot one last time.
Start with rebuilding the kernel. Change to the kernel configuration directory (replace i386 with amd64 if that's your architecture):