Irix Security

Patches
SGI uses a base OS plus overlays patch system. The base OS (currently 6.5) is installed, then upgraded using a set of overlay CDs. These overlays contain all of the accumulated patches created since the release of Irix 6.5. New overlays are released quarterly.

Improve System Security
Buried in the Toolchest, this is a fairly useful GUI. It allows you to require passwords at login, lock non-user accounts such as lp and uucp, disable java scripting, and other such features. The application is the very first option in the System > System Manager > Security and Access Control Menu.

Chkconfig
Chkconfig is one method Irix uses to start daemons automatically. Many of these daemons do not need to be started. To change the status of a daemon, use the following syntax:

chkconfig <daemon> <off|on>

Here is an example of a fairly secure Irix configuration:

• appletalk - off
• array - off
• autoconfig_ipaddress - on
• autofs - on (installs automatic mount points)
• automount - off (automatically mounts NFS filesystems)
• cachefs - on (Cache File System)
• desktop - on (customization panel for setting Desktop resources)
• esp - off (Embedded Support Partner)
• fcagent - off (FibreVault status/config daemon)
• fontserver - off (X font server)
• gated - off (gateway routing daemon)
• ipaliases - off
• lockd - off (NFS lock daemon)
• lp - off (Line Printer daemon)
• mediad - on (removable media daemon)
• named - off (internet domain name server)
• nds - off (network dual-head software daemon)
• network - on (network initialization and shutdown script)
• netwr_client - off
• nfs - off (Network File System)
• noiconlogin - off (select and control console login program)
• nostickytmp - off (control temporary files)
• nsd - on (UNS name service Daemon)
• nss_fasttrack - off
• pmcd - off
• pmie - off
• privileges - off
• proclaim_relayagent - off (used for DHCP)
• proclaim_server - off (used for DHCP)
• proxymngr - off (proxy manager service)
• quickpage - off (SNPP client/server for sending messages to an alphanumeric pager)
• rarpd - off (DARPA Reverse Address Resolution Protocol)
• routed - on (network RIP and router discovery routing daemon)
• rsvpd - off (Resource ReSerVations Protocol daemon)
• rtmond - on (system event monitoring daemon)
• rwhod - off (system status server)
• sar - off (system activity reporter)
• savecore - on (save a crash vmcore dump of the operating system)
• sdpd - off (Session Directory server daemon)
• sendmail - off (email transport agent)
• sendmail_cf - off
• sesdaemon - off (Fibre Channel drive enclosure status/config daemon)
• sgi_apache - off (web server)
• snetd - off (DPLI network daemon)
• soundscheme - on (audio cue server)
• sysevent - on (System Log Event capture system daemon)
• timed - off (time daemon server)
• timeslave - off ('slave' local clock to a better one)
• ts - off (tape support configuration file)
• verbose - on (log verbosely)
• visuallogin - off (select and control console login program)
• vswap - off
• webface - off (SGI web server)
• webface_apache - off
• windowsystem - on
• xdm - on (X Display Manager with support for XDMCP, host chooser)
• yp - off (Network Information Services Protocol client)
• ypmaster - off
• ypserv - off (Network Information Services Protocol server)

Cripple inetd
As always, turn off anything you don't need in /etc/inetd.conf. For the most basic desktop use, the only entry in inetd.conf that can't be commented out is sgi-fam.

Trim rc Scripts
After you've gone through chkconfig and inetd.conf, go through /etc/rc2.d and prune any scripts that start unneeded daemons. A very practical way to do this is simply to rename unneeded scripts with a lower-case s, enabling you to see that the script is disabled, but keep the script in its default location if you find you need it later. For example, changing

S60lp

to

s60lp

would keep lpd from starting at boot time.

Syslog
By default, syslog can grow to fill root very easily. Go to the System > System Manager > System Performance > Set System Log Options in the Toolchest and change the default log rotation to a size more compatible with your system.

Encaps
Encaps are free, pre-compiled software packages maintained by WSG. There is no reason you can't compile your own software if you wish, but using Encaps can greatly increase efficiency. Your needs may vary, but WSG recommends the following encaps:

• epkg: Encap package manager. Necessary to install Encaps.
• gzip: GNU zip. A commonly used compression tool.
• OpenSSH: Secure Shell. Creates an encrypted connection between computers.
• rpcbind: Controls remote services. Unlike vendor rpcbind, the Encap version can be wrappered.
• tcp-wrappers: Used to restrict access and log connections to a machine.
• zlib: Compression libraries needed by gzip

Voodoo Magic
This is not strictly a security tip, but it is occasionally useful to boot from CD to check a disk or change partition information. The syntax is easy to forget.

When working on any UNIX based system, be sure to check the following:

• Patching is your first line of defence. Start by installing any patches that your vendor may have. For Solaris and AIX, WSG provides superglue.
• Only essential services should be started out of inetd.conf. This should be determined on a per-machine basis, but a good rule of thumb is to turn off anything you can and run everything else through tcp wrappers.
• OpenSSH should be installed to replace telnet and older versions of SSH as the preferred means of remote access.
• Sendmail can, and should be turned off if there is no need for it on a particular system.
• Avoid using the root account when you don't have to.
• SuperUser accounts should be created for everyone who needs to operate as root. The permissions are the same, but SU accounts create an extra record of who did what.
• Netstat is a useful tool in checking for unwanted daemons. Look mainly at the tcp and udp lines.