2012-04-02

FreeBSD 9.0 in VirtualBox 4.1.12


I've been a FreeBSD fan for years now and I must say I really like this OS. Sadly, most people feel it is way too complicated to use, and recently I was asked to provide a simple walkthrough.

The FreeBSD handbook is a great resource, but some people get lost reading it easily. In this post I'll show the steps needed to get a virtual machine running, with only a brief explanation where needed to keep it simple.

At this time, I'm using VirtualBox 4.1.12 (no Extension Pack) and FreeBSD 9.0 (64 bit) but you can use 32 bit as well.

Preliminaries:

1. Create a Virtual Machine for a "BSD" Operating System and the "FreeBSD (64 bit)" Version. I suggest 512 MB of RAM and a virtual hard drive with 8 GB of space (you might feel a bit tight with the default options).
2. Use the default configuration, you might want to disable audio as it won't be needed.

Installation:

You should have no trouble selecting the options you need and you can select the default if you are not familiar with the dialogs, just change the following:

1. You need to type your hostname in the Set Hostname screen. I suggest "freebsd" but you might want another name for it. If you plan to use this system to host a network service like Kerberos or LDAP you should use a fully qualified domain name here.
2. Uncheck everything in the Distribution Select screen, we'll deal with that later.
3. Select "<Guided>" in the Partitioning screen, select "<Entire Disk>" in the Partition screen, select "<Finish>" at the Partition Editor screen and select "<Commit>" when the Confirmation dialog shows up. This will create a 64 kB boot partition, a 409 MB swap partition and the rest as the root file system "/" using UFS.
4. In the Network Configuration screen, select "<Yes>" for IPv4, "<Yes>" for DHCP and "<No>" for IPv6 (VirtualBox 4.1.10 has limited support for IPv6), then select "<OK>" in the resolver configuration (your DNS servers should already be there, but be sure to type at least one IP address if the fields are blank).
5. Check only "ssh" in the System Configuration screen.
6. Select "<No>" in the Dumpdev Configuration screen.
7. Select "<No>" in the Manual Configuration screen.

Remember to remove the installation ISO from the virtual CD drive when the VirtualBox logo appears, or the machine might boot from it again.

Post-Installation:

A minimal system is running, here is what you need to know in order to get started in the FreeBSD world.

Keep your base system updated

The kernel is not the only part of the system that receives security fixes, so the first thing to do is check for updates to the whole base system (kernel and userland). freebsd-update fetches the binary security and errata patches published for your -RELEASE version; use the following command to see what is available:
 freebsd-update fetch
If updates are found, use the following command to install them. Reboot afterwards if the kernel was among the updated files; uname -r will then show the patch level (e.g. 9.0-RELEASE-p1):
 freebsd-update install

Get your Ports collection and keep it updated with Portsnap

We need to install the software we are going to use, and for that I recommend FreeBSD Ports. You can add binary packages in a way similar to Linux using the pkg_* tools, but the packages lag behind the Ports tree, so you will likely encounter bugs that are already fixed in the source code.

There is no need to fear the source code. Many people I know do not want to compile everything because they are afraid of compilation errors, but the FreeBSD Ports do a pretty good job and the only real disadvantage is the time the compilation takes.

One big plus is that you can check for vulnerabilities reported against the Ports you have installed and act on them proactively.

Use the root account with the password set during the installation, we don't have sudo installed just yet.

Get the FreeBSD Ports collection and extract it using the following command:
 portsnap fetch extract  
When you are back at the command line the collection will be available under /usr/ports/, with the Ports inside directories grouped by category.

You'll probably want to keep your Ports collection up to date. Use the following command whenever you want to download and apply the available updates to the tree:
 portsnap fetch update  
To compare your installed Ports with the updated tree use the following command; lines flagged with "<" are installed versions older than the one now in the tree:
 pkg_version -v  

Audit your Ports collection with Portaudit

Portaudit checks your installed Ports against the database of known security issues, warns you when one of them is affected and refuses to build a Port that has an open vulnerability report. Install it with the following commands:
 cd /usr/ports/ports-mgmt/portaudit  
 make install clean  
Log out and log in again to have the binaries in your path, then use the following command to fetch the current vulnerability database (-F), print its date (-d) and audit all installed Ports (-a):
 portaudit -Fda 
If your system is going to be up and running 24/7 you might want to run this from cron. Use the following command to edit /etc/crontab:
 ee /etc/crontab  
Add the following lines to refresh the vulnerability database and audit the system every day at 3:00am (the port also installs a periodic script, so the daily security e-mail carries the same report):
 # Portaudit  
 0    3    *    *    *    root  /usr/local/sbin/portaudit -Fda  
Any time you want to check if there are vulnerabilities reported for any of your installed Ports use the following command:
 portaudit -a  
You cannot build a Port that has an open vulnerability report. If you really need it anyway, add the -DDISABLE_VULNERABILITIES option when you call make, like the following:
 make -DDISABLE_VULNERABILITIES install clean  
Be sure to read the vulnerability report first so you know exactly what you are exposing the system to!
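
Here is an added example (my own, not from the original post or from the FreeBSD project) that strings the steps of this section and the previous one into a single maintenance script you could point the crontab line above at. The script name sysupdate.sh, the sample pkg_version and portaudit output, and the exit code are assumptions. The parsing is kept in small functions separate from the commands that touch the system, so you can try it on the constructed sample text without a FreeBSD box at hand.

```sh
#!/bin/sh
# Added example, not from the original post: one maintenance script for the
# steps above (freebsd-update, portsnap, pkg_version, portaudit). Nothing here
# touches the system unless the script is called with the argument "run";
# the script name /usr/local/sbin/sysupdate.sh is an assumption.

# Constructed sample of `pkg_version -v` output (not captured from a real
# machine). Column 2 is the status flag: "=" up to date, "<" needs updating,
# "?" no matching port found in the tree.
SAMPLE_PKG_VERSION='bash-4.2.20                     =   up-to-date with port
openssl-1.0.0_8                 <   needs updating (port has 1.0.0_9)
perl-5.12.4_3                   <   needs updating (port has 5.12.4_4)
sudo-1.8.3_2                    =   up-to-date with port
oldport-1.0                     ?   orphaned: misc/oldport'

# Constructed sample of `portaudit -a` output with one finding (the reference
# URL is a placeholder).
SAMPLE_PORTAUDIT='Affected package: openssl-1.0.0_8
Type of problem: OpenSSL -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/example.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.'

# list_outdated: read pkg_version -v output on stdin and print one
# "installed -> version-in-tree" line per package flagged "<".
list_outdated() {
    awk '$2 == "<" {
        # "(port has X)" is 10 characters of prefix, the version, then ")"
        if (match($0, /\(port has [^)]+\)/))
            printf "%s -> %s\n", $1, substr($0, RSTART + 10, RLENGTH - 11)
    }'
}

# count_outdated: number of packages flagged "<" on stdin.
count_outdated() {
    list_outdated | wc -l | tr -d ' '
}

# affected_packages: read portaudit output on stdin and print the package
# names it reports as vulnerable; empty output means a clean audit.
affected_packages() {
    awk '/^Affected package: / { print $3 }'
}

update_base() {
    # freebsd-update patches the whole base system (kernel and userland),
    # not only the kernel; reboot afterwards if the kernel was updated.
    freebsd-update fetch install
}

update_tree() {
    # The first run has to extract the tree; later runs apply the deltas.
    if [ -f /usr/ports/Makefile ]; then
        portsnap fetch update
    else
        portsnap fetch extract
    fi
}

# run_maintenance: update base and tree, list Ports with newer versions in the
# tree, then audit. Returns 2 when portaudit reports anything, so cron sends
# the report only when there is something to act on.
run_maintenance() {
    update_base
    update_tree
    echo "Ports with a newer version in the tree:"
    pkg_version -v | list_outdated
    audit=$(portaudit -Fda)
    vulnerable=$(printf '%s\n' "$audit" | affected_packages)
    if [ -n "$vulnerable" ]; then
        printf '%s\n' "$audit"
        return 2
    fi
    return 0
}

# Suggested crontab line (root, 3:00am): 0 3 * * * root /usr/local/sbin/sysupdate.sh run
case "${1:-}" in
    run) run_maintenance ;;
esac
```

If you only want the outdated lines from pkg_version itself, pkg_version -vl '<' limits the output to packages flagged "<"; the awk filter above does the same on the full listing and also pulls out the version waiting in the tree. The script deliberately does not rebuild anything: Portmanager, in the next section, does that step.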

Update your installed Ports with Portmanager

Portsnap keeps the source code of your Ports up to date, but it will not rebuild the installed binaries. Portmanager will build and install new versions of your Ports after Portsnap has updated their source. Install it with the following commands (leave the default options when asked):
 cd /usr/ports/ports-mgmt/portmanager  
 make install clean  
Log out and log in again to have the binaries in your path, then use the following command to rebuild and upgrade your installed Ports:
 portmanager -u  

Install and configure sudo:

It is a good idea to use sudo, as it leaves a trace of every command run by the administrators, which you will want for audit purposes. You never know what can hit you, and if everyone uses the root account for administration this can have serious consequences: attackers can delete their own traces easily, and if someone on your staff does something wrong you'll never know who did it (I've seen around 20 people sharing the root account on a single system when I was called in to find out what caused the disaster!).

This might not be bulletproof, but it certainly helps to close the gap. Install it with the following commands (leave the default options when asked):
 cd /usr/ports/security/sudo  
 make install clean  
You might want to create a group for the sudoers, use the following command to add the group sudoers:
 pw groupadd sudoers  
Log out and log in again to have the binaries in your path, then use the following command to configure sudo:
 visudo  
Add the following line at the end of the file:
 %sudoers ALL=(ALL) ALL  
Any sudoer can gain root access. You might want to tighten this a bit by using the following lines instead, which deny running visudo, switching user with su and starting one of the installed shells through sudo:
 # visudo, disabling user switching and visudo  
 Cmnd_Alias  NSHELLS = /bin/csh,/bin/tcsh,/bin/sh  
 Cmnd_Alias  NSU = /usr/bin/su  
 Cmnd_Alias  NVISUDO = /usr/local/sbin/visudo  
 %sudoers ALL=(ALL) ALL, !NSHELLS, !NSU, !NVISUDO  
Keep in mind that subtracting commands from ALL with "!" is not a real restriction, and the sudoers manual page says as much: a sudoer can copy /bin/sh under another name, run it from a different path, or get a shell out of almost any editor or pager that sudo still lets them run. Treat these lines as protection against accidents and as a way to keep the audit trail honest; if you need real containment, list only the commands each group actually needs instead of ALL.
Now you just need to add your users to the group sudoers. Use the following command to add user johndoe (note that -G sets the complete list of secondary groups, so include any group the user is already in, such as wheel, separated by commas):
 pw usermod johndoe -G sudoers  
If you wish to disable the root password entirely use the following command:
 pw lock root  
Locking only disables logging in (or using su) as root with a password; sshd refuses root logins by default anyway, and sudo keeps working. Make sure you have at least one working sudoer before you do this. A sudoer can enable the password again using the following command:
 sudo pw unlock root  


At this point you have the base system ready to install the Ports you want. You might want to export the appliance (473 MB), clone the Virtual Machine or save a Snapshot.
I hope this will help someone out there, please feel free to send any comments.
