Subject: Re: Default install stuff and hardening NetBSD
To: Chris Wareham <chris.wareham@iosystems.co.uk>
From: None <xs@nitric.net>
List: netbsd-help
Date: 02/25/2002 15:01:28
on Mon, Feb 25, 2002 at 01:14:53PM +0000, Chris Wareham wrote:
> I have disabled inetd in my rc.conf, and the only things I have enabled 
> are ipnat, ipf and sshd. Now I want to remove all redundant users and 
> groups which are created by a default install. I have removed operator, 
> games, falken, ingres, and I am wondering which others are safe to 
> remove. I installed all the packages apart from the games one, as the 
> machine has to run as a basic workstation as well as a firewall. Not an 
> ideal combination, but it's the only machine I have which will connect 
> to a USB modem.

A list of the things I tend to do when hardening NetBSD is at the end of
this mail:
http://mail-index.netbsd.org/tech-security/2002/02/03/0003.html

I'm working on something that automagically does the permission
changing flexibly. I'm currently testing and using it with NetBSD 1.5.2
and 1.5.3_ALPHA on some i386 and sparc boxes; it's not finished, but might
be of interest. http://www.kittenz.org/xs/stuff/nbsec.tar.gz
"fixup" is the script to look at.

A similar script is at http://www.htcon.pl/~wojboj/securesystem
and is by Wojciech Bojdol.

> My other query is about some of the directories and a file created by 
> the default install. Why is there a .cshrc in the root directory? Is 
> this for emergency logins where root's home directory might be on another 
> (unmounted) partition?

<possibly very wrong>
Or maybe when /etc/passwd (and friends) are not accessible/used.

> Finally, what are the stand and altroot 
> directories for?

I think /altroot is for an alternative root hierarchy for recovery
situations. No idea about /stand.

</possibly very wrong>