Ruby can be installed through Ports in the /usr/ports/lang/ruby directory, with other Ruby-related software being in /usr/ports/devel and /usr/ports/www/ with a ruby- prefix. If you're looking for Ruby on Rails, you can find it in /usr/ports/www/ruby- rails. 8.5. Python Python 2.3 and 2.4 are available through Ports in the /usr/ports/lang/python directory. Extra Python modules and other Python-related software can generally be found in the /usr/ports/devel directory with a py- prefix. Some Apache-specific Python software can be found in the /usr/ports/www directory. Chapter 9. Automation and Reporting Since "The OpenBSD Crash Course" is not a guide to the Unix/BSD/GNU command-line environment, the exact usage of the system logger and the cron daemon will not be covered here. The sections below cover how to use them on OpenBSD, but if you want a full explanation of what they are and what they do, you'll have to look up their manpages. 9.1. The Cron Daemon OpenBSD's automatic script execution utility is Vixie-cron, and like most cron implementations on other Unix-like operating systems, OpenBSD's cron table can be edited with the crontab -e command. The default editor for this function is vi. If you run crontab right now as the root user, you'll notice that it's already got a page or so worth of entries. Most of these are necessary for regular OpenBSD maintenance, though you can certainly adjust them if needed. Each user has his own private cron table, but if you want to restrict this privilege to only certain users, you can do so with the /var/cron/cron.allow and/or the /var/cron/cron.deny config files. You may want to take a look around /var/cron to see some of the other files there as well. OpenBSD's cron can perform commands or scripts in two time-interval formats: the traditional five-number time format (Mins Hours Days Months Day of the week) and simpler word formats: @monthly @weekly @daily @hourly Hourly is at the top of the hour, daily tasks are performed at midnight, weekly is Sunday, and monthly is on the first of every month. The OpenBSD standard cron scripts are /etc/daily, /etc/weekly, and /etc/monthly, all of which have default entries in root's crontab. 9.2. Insecurity Reports At some point in the future, you may notice that the root account gets two daily email messages from the system. These are regulated by the /etc/daily script and run via cron early in the morning. One email is the daily output report, and it tells you how much traffic your network devices handled and the state of your disk partitions and filesystems. It's helpful to keep an eye on these things to make sure that you don't run out of disk space and that there are no software problems (which can cause unusually high or low network bandwidth numbers). The second email is the daily security audit, and it checks file permissions in the base system to make sure that files which should not be executable are not, and that configuration files that should not be world-readable are protected. Some files may actually show a diff of the changes in certain files like /etc/resolv.conf. 9.3. Syslog There's nothing fancy about OpenBSD's system logger: it's the plain old syslog that you know and love. It outputs to /var/log/messages unless specifically split into separate files via the /etc/syslog.conf file. By default the system log output is distributed to several topic-specific files in /var. You may want to look this config file over to make sure it's reporting to your preferences. Chapter 10. Keeping OpenBSD Up-to-Date While OpenBSD may have had only one remote security hole in the default install in more than 10 years, the stats are a little different for nondefault installs. The more services you enable and the more programs you install, the more you have to worry about applying security patches. The below subsections will tell you how to keep your operating environment up-to-date with the latest security patches. No matter what operating system you use, securing it is a process, not an event. Most of the below processes should be made into scripts and automated through cron, or manually performed on a regular (probably weekly or monthly) basis. 10.1. Staying Up-to-Date with Ports and Packages If you followed the earlier directions for setting the PKG_PATH and FETCH_PACKAGES variables, all you have to do to update your packages is run this command: pkg_add -ui If you have programs compiled through Ports, you'll have to update the Ports tree in accordance with the -STABLE branch (also known as the "patch branch") to get updated security patches. With the sole exception of OpenSSH, new versions of programs are never made available through the patch branch; all you get are patches for security holes. If you want newer versions, you have to run - CURRENT (the active development branch of OpenBSD) or wait a few months for the next official release. If you run a -CURRENT Ports tree, you must run a - CURRENT source tree as well. The -CURRENT branch is meant for OpenBSD developers and people who like to work with rapidly changing and possibly experimental software; do not use it in a production environment. Here's how to switch Ports from the -RELEASE to the -STABLE branch to keep everything secure and up-to-date: 1. You start by updating the Ports infrastructure so that it includes post-release patches. To do this, you need to know an anonymous OpenBSD CVS server address. There is a complete and current list of OpenBSD 4.0 AnonCVS servers on this site: http://www.openbsd.org/anoncvs.html#CVSROOT. 2. Make that CVS server the default for your system by editing the ~/.profile config file and adding this line somewhere (substitute your chosen AnonCVS mirror for the one in the example): 3. export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs 4. The above setting will not take effect until you log out and log back in, so make it valid for the current session by typing the same line above into a root terminal (again, substitute your chosen mirror): 5. export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs 6. Now you're ready to update the Ports tree. Change to its directory: 7. cd /usr/ports 8. Next, fetch the updated code: 9. cvs -q up -r OPENBSD_4_0 -Pd 10. Now recompile or refetch updated packages: 11. make update Once it's done compiling, your Ports tree will be up-to-date. You should probably also switch your base system to the patch branch as well. Go on to the next subsection to learn how to do that. One last note: The preceding change to the ~/.profile configuration file will work only for the current user, which is assumed to be root. If you are using the su command to switch to root permissions from an unprivileged user account, you will have to make this change to that user's ~/.profile as well. 10.2. Switching to the OpenBSD 4.0-STABLE Branch Switching to the -STABLE edition of OpenBSD 4.0 means that you will have to recompile the base system from source code. This will take up a significant amount of space in /usr/src, and it will take anywhere from a half-hour to several hours to perform the recompile. In other words, this is not a trivial process, and on a production server should be scheduled for off-peak hours. Let's get started: 1. The first thing you have to do to switch to the patch branch is to download the updated source code for your system. If you do not currently have the OpenBSD source code installed in /usr/src, it will be easier to download the source tarball from an OpenBSD FTP mirror or disc 3 of the official CD set than it will be to download everything from the AnonCVS server. The file is called src.tar.gz, and you want to unpack it to the /usr/src directory. There are instructions for doing this earlier in "The OpenBSD Crash Course." 2. Next you need to update the source code to include post-release patches. To do that, you need to know an anonymous OpenBSD CVS server address. There is a complete and current list of OpenBSD 4.0 AnonCVS servers on this site: http://www.openbsd.org/anoncvs.html#CVSROOT 3. Make that CVS server the default for your system by editing the ~/.profile config file as instructed in the previous section. 4. The above step will not take effect until you log out and log back in, so make it valid for the current session by typing in the same line above into a root terminal (again, substitute your chosen mirror): 5. export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs 6. Now you need to get into the proper directory: 7. cd /usr 8. Then you need to use CVS to fetch the -STABLE source code: 9. cvs checkout -P -rOPENBSD_4_0 src 10. Once the code is done downloading, it's time to compile it. You're going to start with the kernel, then reboot into the new kernel, then recompile the rest of the base system (sometimes referred to as the "userland") and then reboot one last time. Start with rebuilding the kernel. Change to the kernel configuration directory (replace i386 with amd64 if that's your architecture): . report, and it tells you how much traffic your network devices handled and the state of your disk partitions and filesystems. It's helpful to keep an eye on these things to make sure that