Chapter 3. Secure Installation and Hardening

So the combination is one, two, three, four, five.
That's the stupidest combination
I've ever heard in my life. That's the kinda
thing an idiot would have on his luggage.

Dark Helmet
Spaceballs

Securing a system doesn't necessarily begin with a running system. Given the option, it's a good idea to start thinking about system security early on: before and during installation. In this chapter, we step through the installation process for both OpenBSD and FreeBSD and address some of the security implications of your early decisions.

If you are not comfortable with the install process for either operating system, now is the perfect time to read the relevant documentation. For FreeBSD, read Chapter 2 of the Handbook. For OpenBSD, see section 4 of the FAQ. If you have not signed up for the FreeBSD and OpenBSD security lists, do so immediately. Links to these lists are available in Section 3.8 at the end of this chapter.

Throughout this chapter we will be following the fundamental security principles laid out in Chapter 1 of this book. Keep in mind that in the context of system security it's not always true that "more is better." The consequences of increased security often include greater administrative overhead in maintenance and installation, more complicated configuration, and a general decrease in flexibility and convenience. Balance the trade-offs appropriately for your environment to arrive at a solution that meets both your usability and security requirements.

This chapter is divided into three sections. The first section, "General Concerns," covers some of the decisions you should make and security issues of which you should be aware before beginning the install. As the name implies, this section is applicable to both FreeBSD and OpenBSD administrators. The second section provides a security-minded installation walkthrough: first for FreeBSD and subsequently for OpenBSD. Feel free to skip the part that doesn't apply to your system and proceed to the last section of the chapter: platform-independent security concerns in Section 3.6.