I did a couple of fresh installs the other day, which reminded me of a
minor irritation and prompted me to think about a possible solution.

The first run of security(8) on a fresh install is not terribly helpful.
It produces a huge email report since it diffs all the /etc/changelist
files against /dev/null. If you're already familiar with OpenBSD and
understand this behavior, you probably disregard this email and drive on.
If you're a new user, this is probably surprising and somewhat misleading.
After all, you've just installed an operating system that takes
justifiable pride in sane, secure defaults, and the next morning you
receive a multi-thousand-line insecurity report that calls out every
important configuration file on the system.

I think the simplest way to prevent this would be for install.sub to add a
line to /etc/rc.firsttime that runs security(8) and discards the output,
or perhaps logs it to a file, rather than emailing it. This would "prime
the pump" by populating /var/backups with as-installed copies of the
changelist files, and then the first nightly run of security(8) would only
show files that have actually been changed post-install.

Of course, this also means you have virgin copies of your config files
stashed away immediately, in case you need one before the nightly
security(8) run can back them up for you.

This will make the first boot take longer, perhaps by several minutes on
slower platforms. Of course, the first boot is already slower due to key
generation, etc.

Diff below was tested in an amd64 bsd.rd and seems to behave as expected.
I have *not* built a full release or tested every possible use case; I
know there are sometimes issues with space on some install media, and
hopefully this small addition would not cause an overflow.

Does anyone see value in this? If not, I suppose it might end up living in
my install.site.
Index: install.sub
===================================================================
RCS file: /cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.1031
diff -u -p -r1.1031 install.sub
--- install.sub 28 Jul 2017 18:15:44 -0000 1.1031
+++ install.sub 29 Jul 2017 21:03:03 -0000
@@ -2976,6 +2976,9 @@ do_install() {
print -r -- "$_rootkey" >>/mnt/root/.ssh/authorized_keys
)
+ # Run security(8) on first boot to populate /var/backups
+ echo "/usr/libexec/security > /dev/null" >> /mnt/etc/rc.firsttime
+
# Perform final steps common to both an install and an upgrade.
finish_up
}
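
Review bot: the added echo line redirects only stdout ("> /dev/null"), so anything security(8) writes to stderr during the first-boot run is not discarded and will appear in whatever collects rc.firsttime output. If the goal is a silent priming run, append "/usr/libexec/security > /dev/null 2>&1" instead; if the as-installed report is worth keeping, redirect to a file rather than /dev/null, which the message itself raises as an option. The new comment could also note that the line sits in do_install() ahead of the steps shared with upgrades, so it is deliberately install-only.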