Thursday, June 16, 2005

FreeBSD Post-Installation Tasks

Last night I installed FreeBSD 5.4 on my Dell PowerEdge 2300 server. Immediately following the installation, these are the tasks I performed. These are the same post-installation tasks I perform, in the same order, on every FreeBSD system I build.

1. When I install FreeBSD, I create a user and give him the /bin/sh shell. I used Linux before I used FreeBSD, and I remain more familiar with bash. Therefore, I install the most recent bash package available. I do this using the PACKAGESITE environment variable. Notice how pkg_add satisfies dependencies automatically.

$ su -
Password:
janney# setenv PACKAGESITE ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/Latest/
janney# pkg_add -r bash
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
Latest/bash.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
All/libiconv-1.9.2_1.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
All/gettext-0.14.4_1.tbz... Done.
janney# rehash

I need the rehash command so root's shell can find bash, or any newly installed program. I now use chsh to change my user's shell from /bin/sh to /usr/local/bin/bash. Thanks to erson from Sweden for the tip!

$ chsh -s /usr/local/bin/bash
Password:
chsh: user information updated

Now I install freebsd-update to facilitate fixing any kernel and OS security vulnerabilities.

janney# pkg_add -r freebsd-update
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
Latest/freebsd-update.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
All/bsdiff-4.2.tbz... Done.
janney# rehash
janney# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
janney# mkdir /usr/local/freebsd-update
janney# freebsd-update fetch
Fetching public key...
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/usr/bin/gunzip...
/usr/bin/gzcat...
/usr/bin/gzip...
/usr/bin/zcat...
/usr/include/machine/cpufunc.h...
/usr/sbin/tcpdump...
Updates fetched

To install these updates, run: '/usr/local/sbin/freebsd-update install'

janney# freebsd-update install
Backing up /usr/bin/gunzip...
Installing new /usr/bin/gunzip...
Backing up /usr/bin/gzcat...
Recreating hard link from /usr/bin/gunzip to /usr/bin/gzcat...
Backing up /usr/bin/gzip...
Recreating hard link from /usr/bin/gunzip to /usr/bin/gzip...
Backing up /usr/bin/zcat...
Recreating hard link from /usr/bin/gunzip to /usr/bin/zcat...
Backing up /usr/include/machine/cpufunc.h...
Installing new /usr/include/machine/cpufunc.h...
Backing up /usr/sbin/tcpdump...
Installing new /usr/sbin/tcpdump...

All of these updates affected the userland. No changes to the kernel were made. If kernel changes were involved, I would have to reboot to have them take effect.
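The reboot decision above can be made mechanically from the freebsd-update install transcript. The following script is an added example, not part of the original post or of freebsd-update itself: it extracts every path that was installed or re-linked and flags a reboot when any of them lives under /boot/, where the kernel and its modules reside. USERLAND_RUN is the transcript shown above; KERNEL_RUN is a constructed transcript used to show the other outcome.

```shell
#!/bin/sh
# Added example, not from the post: decide from the output of `freebsd-update install`
# whether the machine must be rebooted. Files under /usr take effect at once; a new
# kernel or module under /boot/ only runs after the next boot. USERLAND_RUN is the
# transcript shown in the post; KERNEL_RUN is constructed for illustration.

USERLAND_RUN='Backing up /usr/bin/gunzip...
Installing new /usr/bin/gunzip...
Backing up /usr/bin/gzcat...
Recreating hard link from /usr/bin/gunzip to /usr/bin/gzcat...
Backing up /usr/bin/gzip...
Recreating hard link from /usr/bin/gunzip to /usr/bin/gzip...
Backing up /usr/bin/zcat...
Recreating hard link from /usr/bin/gunzip to /usr/bin/zcat...
Backing up /usr/include/machine/cpufunc.h...
Installing new /usr/include/machine/cpufunc.h...
Backing up /usr/sbin/tcpdump...
Installing new /usr/sbin/tcpdump...'

# Constructed transcript: the same run, but with a kernel update in it.
KERNEL_RUN='Backing up /boot/kernel/kernel...
Installing new /boot/kernel/kernel...
Backing up /usr/sbin/tcpdump...
Installing new /usr/sbin/tcpdump...'

# Read a transcript on stdin and print every path freebsd-update installed or
# re-linked, one per line. "Backing up" lines are the old copies, so they are skipped.
changed_files() {
    awk '/^Installing new / { sub(/^Installing new /, ""); sub(/\.\.\.$/, ""); print }
         /^Recreating hard link from / { sub(/\.\.\.$/, ""); print $NF }'
}

# Exit status 0 when any changed file is under /boot/ (reboot needed), 1 otherwise.
needs_reboot() {
    changed_files | grep -q '^/boot/'
}

# Demonstration on the two transcripts. On a real host, capture the run with
#   freebsd-update install > /var/log/freebsd-update.log
# and then:  needs_reboot < /var/log/freebsd-update.log && echo "reboot required"
for run in USERLAND_RUN KERNEL_RUN; do
    eval "transcript=\$$run"
    if printf '%s\n' "$transcript" | needs_reboot; then
        echo "$run: reboot required"
    else
        echo "$run: no reboot needed"
    fi
done
```

Because changed_files reports the new paths rather than the "Backing up" lines, the same list also tells you which files to compare against the backups freebsd-update keeps if you ever need to verify or roll back an update.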

I continue with portaudit. This program checks installed packages for security vulnerabilities. portaudit compares the installed packages against a database it downloads.

janney# pkg_add -r portaudit
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/
Latest/portaudit.tbz... Done.

===> To check your installed ports for known vulnerabilities now, do:

/usr/local/sbin/portaudit -Fda

janney# rehash
janney# portaudit -Fda
auditfile.tbz 100% of 25 kB 79 kBps
New database installed.
Database created: Thu Jun 16 09:10:15 EDT 2005
0 problem(s) in your installed packages found.

Next I install portsnap to update my ports tree. I don't install the ports tree on systems I build to be appliances. On general purpose servers, however, I like having the ports tree available. A current ports tree is needed if you want to use portupgrade (described later) to assess and update installed packages.

janney# pkg_add -r portsnap
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
Latest/portsnap.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
All/freebsd-sha256-20050310.tbz... Done.
janney# rehash
janney# cp /usr/local/etc/portsnap.conf.sample /usr/local/etc/portsnap.conf
janney# portsnap fetch
Fetching public key... done.
Fetching snapshot tag... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Wed Jun 15 20:51:48 EDT 2005:
2cae03da4bde1d1eb260ce3e6eb237f014d930245442fe100% of 34 MB 469 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity...
Fetching snapshot tag... done.
Fetching snapshot metadata... done.
Updating from Wed Jun 15 20:51:48 EDT 2005 to Thu Jun 16 06:39:30 EDT 2005.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 33 patches.....10....20....30. done.
Applying patches... done.
Fetching 5 new ports or files... done.
janney# portsnap extract
/usr/ports/.cvsignore
/usr/ports/CHANGES
/usr/ports/LEGAL
/usr/ports/MOVED
/usr/ports/Makefile
/usr/ports/Mk/bsd.autotools.mk
/usr/ports/Mk/bsd.emacs.mk
/usr/ports/Mk/bsd.gcc.mk
...edited...
Building new INDEX files... done.

Next I install portupgrade. This is the best way I've found to keep packages up-to-date.

janney# pkg_add -r portupgrade
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
Latest/portupgrade.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
All/ruby-1.8.2_3.tbz... Done.
...edited...
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
All/ruby18-bdb1-0.2.2.tbz... Done.

I run portversion to quickly see what packages need updating. I will take care of that later.

janney:/root# rehash
janney:/root# portversion -v -l "<"
[Rebuilding the pkgdb in /var/db/pkg ... - 32 packages foun.................... done]
[Updating the portsdb in /usr/ports ... - 13089 port entries found
.........1000.........2000.........3000.........4000.........5000.........6000........
.7000.........8000.........9000.........10000.........11000.........12000.........
13000 ..... done]
expat-1.95.8 < needs updating (port has 1.95.8_3)
pkgconfig-0.15.0_1 < needs updating (port has 0.17.2)
png-1.2.8_1 < needs updating (port has 1.2.8_2)
portupgrade-20041226_3 < needs updating (port has 20041226_4)
xorg-server-6.8.2 < needs updating (port has 6.8.2_2)
xterm-200_2 < needs updating (port has 202)

I edit root's .cshrc as follows to change the prompt.

# set prompt = "`/bin/hostname -s`# "
set prompt = "%m:%/# "

The prompt will now look like this.

janney:/root#

I make a similar edit to my user prompt in the .profile file for my user's bash shell.

PS1='`hostname -s`:$PWD$ '; export PS1

The prompt will now look like this.

janney:/home/richard$

Finally I run the sockstat command to see if there are any listening services for which I cannot account. This box is running NFS by design, so there are more listening services than usual.

janney# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
richard sshd 56174 5 tcp4 192.168.2.7:22 192.168.2.5:55803
root sshd 56171 5 tcp4 192.168.2.7:22 192.168.2.5:55803
root sendmail 408 4 tcp4 127.0.0.1:25 *:*
root sshd 402 4 tcp4 *:22 *:*
root nfsd 326 3 tcp4 *:2049 *:*
root mountd 324 4 udp4 *:782 *:*
root mountd 324 5 tcp4 *:797 *:*
root rpcbind 257 9 udp4 *:111 *:*
root rpcbind 257 10 udp4 *:686 *:*
root rpcbind 257 11 tcp4 *:111 *:*
root syslogd 244 6 udp4 *:514 *:*
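Accounting for listeners by eye works on one box; on many boxes it helps to write the expected set down and have a script report the difference. The script below is an added example and not part of the original post: it reads sockstat -4 output, discards established sessions (anything whose foreign address is not *:*), and prints every listener that is not covered by an allowlist. SAMPLE_SOCKSTAT is the output shown above; ALLOWLIST and the extra httpd line in SAMPLE_WITH_EXTRA are constructed assumptions for a host that is meant to run sshd, loopback-only sendmail, NFS and syslogd.

```shell
#!/bin/sh
# Added example, not from the post: audit the listeners reported by `sockstat -4`
# against an allowlist of services this host is expected to run. SAMPLE_SOCKSTAT is
# the output shown in the post; ALLOWLIST and SAMPLE_WITH_EXTRA are constructed.

SAMPLE_SOCKSTAT='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
richard sshd 56174 5 tcp4 192.168.2.7:22 192.168.2.5:55803
root sshd 56171 5 tcp4 192.168.2.7:22 192.168.2.5:55803
root sendmail 408 4 tcp4 127.0.0.1:25 *:*
root sshd 402 4 tcp4 *:22 *:*
root nfsd 326 3 tcp4 *:2049 *:*
root mountd 324 4 udp4 *:782 *:*
root mountd 324 5 tcp4 *:797 *:*
root rpcbind 257 9 udp4 *:111 *:*
root rpcbind 257 10 udp4 *:686 *:*
root rpcbind 257 11 tcp4 *:111 *:*
root syslogd 244 6 udp4 *:514 *:*'

# Expected listeners, one "command proto address:port" per line (constructed).
# A port of "*" accepts any port; mountd and rpcbind need that because they bind
# RPC ports dynamically. sendmail is only allowed on loopback, so a sendmail
# bound to *:25 would be reported.
ALLOWLIST='sshd tcp4 *:22
sendmail tcp4 127.0.0.1:25
nfsd tcp4 *:2049
mountd udp4 *:*
mountd tcp4 *:*
rpcbind udp4 *:*
rpcbind tcp4 *:111
syslogd udp4 *:514'

# The same host with one constructed extra listener nobody accounted for.
SAMPLE_WITH_EXTRA="$SAMPLE_SOCKSTAT
root httpd 1234 4 tcp4 *:80 *:*"

# Keep only listening sockets (foreign address *:*); established sessions such as
# the two sshd connections in the sample are dropped. Output: "command proto local".
listening_sockets() {
    awk '$1 != "USER" && $7 == "*:*" { print $2, $5, $6 }'
}

# Read sockstat output on stdin and print every listener not covered by the
# allowlist passed as $1. Output is empty when everything is accounted for.
unexpected_listeners() {
    listening_sockets | awk -v allow="$1" '
        BEGIN {
            n = split(allow, entry, "\n")
            for (i = 1; i <= n; i++) ok[entry[i]] = 1
        }
        {
            exact = $1 " " $2 " " $3
            anyport = $3
            sub(/:[^:]*$/, ":*", anyport)   # "127.0.0.1:25" -> "127.0.0.1:*"
            wild = $1 " " $2 " " anyport
            if (exact in ok || wild in ok) next
            print
        }'
}

# Demonstration on the constructed sample. On a live FreeBSD host run:
#   sockstat -4 | unexpected_listeners "$ALLOWLIST"
printf '%s\n' "$SAMPLE_WITH_EXTRA" | unexpected_listeners "$ALLOWLIST"
```

The allowlist deliberately keys on command name, protocol and local address together: a service that moves from loopback to all interfaces, or a familiar port answered by an unfamiliar program, shows up as a finding even though the port number alone would look normal.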

If I need to recompile the kernel, I take that step next. On most systems I do not have to recompile the kernel.

From here I begin adding packages and other customizations to make this system perform its specific role.

16 comments:

Anonymous said...

I think you meant PACKAGEROOT instead of PACKAGESITE - seems that if the latter is defined, pkg_add will look in that exact location for 'package'.tbz instead of performing some kind of search for the version, directory, etc.

Another great article, thanks - and just in time as I'm setting up a jail and seems that sysinstall can't be run from within a jail. Your other articles on keeping freebsd up to date and using portupgrade are also extremely useful!

Richard Bejtlich said...

Hello,

Interesting -- I've never used PACKAGEROOT before. As you can see, I use PACKAGESITE and ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/Latest/ as the directory and everything works. Let us know how your jail goes!

Joe said...

Thanks for the up-to-date info on updating!

Joe said...

Does such a process exist for OpenBSD? I use OpenBSD for my sensors and really dislike syncing source and rebuilding everything.

Richard Bejtlich said...

There are binary updates for OpenBSD that can be applied manually. Check out this previous blog entry.

Anonymous said...

I find it more readable if you
configure the prompt as such:
rather than, say,
[something]:$
add several :::
like
[something]:::curr_dir:::
so $pwd is always visible immediately

erson from Sweden said...

You might already know this but I'm sure others don't.

Instead of using vipw to change your shell you could use the command "chsh -s /usr/local/bin/bash". In my opinion a wee bit more neat than to directly edit the password file.

Great blog btw, I read it regularly and really like these little freebsd howto:s that you put up now and then.

Richard Bejtlich said...

Excellent advice -- I just altered the blog entry to reflect using chsh.

Anonymous said...

freebsd 4.11
# cd /usr/ports/security/portaudit
# make install
..... skip.....
# cd /usr/ports/sysutils/portupgrade
# make install
===> Extracting for portupgrade-20041226_4
=> Checksum OK for pkgtools-20041224.tar.bz2.
=> Checksum OK for pkgtools-20041224-20041226.diff.bz2.
===> portupgrade-20041226_4 depends on file: /usr/local/bin/ruby18 - not found
===> Verifying install for /usr/local/bin/ruby18 in /usr/ports/lang/ruby18
===> ruby-1.8.2_3 has known vulnerabilities:
=> ruby -- arbitrary command execution on XMLRPC server.
Reference: www.FreeBSD.org/ports/portaudit/594eb447-e398-11d9-a8bd-000cf18bbe54.html
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/lang/ruby18.
*** Error code 1

Stop in /usr/ports/sysutils/portupgrade.

Richard Bejtlich said...

Apparently that version of Ruby (and it's the latest) has an unfixed security vulnerability. If you still want to install Ruby, override the vuln check with make install -DDISABLE_VULNERABILITIES as explained here.

Anonymous said...

thank you

Anonymous said...

It may be helpful to note that if the bash shell is activated after the chsh statement, then the PACKAGESITE env var will be gone and the "rehash" command not necessary. I logged out and back in after the "chsh" step and it confused me when I could not rehash. I realized shortly that rehash is probably part of the csh and not needed for bash(?).

Also, I have read articles about updating and rebuilding source after installs. This seems to add a whole lot of complexity compared to a package approach to upgrading/updating. What is your opinion to rebuilding source and kernel after installs (see Dru Lavigne's "Building a Unix Server" (http://www.onlamp.com/pub/a/bsd/2004/08/26/FreeBSD_Basics.html).

This is a good stuff and very helpful to get a noob like me started. Look forward to reading other FreeBSD stuff on the site. Thanks.

Richard Bejtlich said...

Hello,

I use bash only for user shells, not for root's shell. rehash is indeed not needed with bash.

I try to use packages and binary OS updates whenever possible, since my hardware is almost invariable old.

Check out my publications to see my articles on keeping the FreeBSD OS and applications up-to-date.

Alastair said...

> janney:/root# portversion -v -l "<"

I think that should be pkg_version, not portversion.

Alastair said...

Oops sorry, ignore that last comment. You learn something every day.
