Securing IRIX (Inspired by Securing Solaris)
pen7cmc
Fri Jan 5 16:40:05 EST 2007

What follows should only be regarded as a guide to starting to secure your system. Skip down to section 2, Upgrade everything, if you don't care which IRIX runs on which system, or already know.

1. The IRIX operating system.

IRIX is a variant of UNIX that runs on Silicon Graphics (SGI) machines that use CPUs from MIPS Technologies and PMC-Sierra.

Most IRIX versions currently in use fall under three major releases: IRIX 4, 5 and 6. IRIX 4 is so old (4.0.5J was released in 1993) that it will not be covered here. To determine the varieties of IRIX that can run on your system, see the IRIX/CPU table below. Use

prompt% hinv | more

to determine the type(s) of processor(s) your system has.

CPU      Oldest usable IRIX       Newest usable IRIX
------   ----------------------   ----------------------------
R3x00    2                        5.3
R4x00    4.0.5?                   6.5.x, except on the Crimson
R5x00    5.3XFS with R5000        6.5.x
R8000    6.0                      6.5.x
R10000   6.2                      6.5.x
R12000   6.5.3                    6.5.x
R14000   6.5.11+patch 4226/4227   6.5.x

6.5.x indicates that the processor is supported with the most recent release of IRIX 6.5, which as of August 2006 is 6.5.30 (see section 2).

Note that not all versions of IRIX support each CPU equally. For example, a 300MHz R12000 on an Origin requires IRIX 6.5.3 or higher, but a 270 MHz R12000 on an Octane requires 6.5.4 or higher. Also, an Origin with R10000 CPUs won't run IRIX 6.2 at all; it requires IRIX 6.4 or higher. See the information below the editorial comment to determine which varieties of IRIX will work on your particular platform, or just install the latest release of IRIX 6.5.x. It will run on every system with an R4000 or higher CPU, except for the Crimson (End Of Life announced 11/97), which still requires IRIX 5.3 or 6.2.

EDITORIAL COMMENT: Seriously now, there's no reason not to install the latest version of IRIX. No one should be running any release of IRIX that is earlier than IRIX 6.5.10 unless they also have Patch 4354 "Fix for telnetd security bug 830781 - root exploit" for IRIX 6.5.x, or Patch 4050 "Networking Commands #8" for IRIX 6.2, installed. These patches are not required on IRIX 6.5.10 and higher. Install IRIX 6.5.10 or higher if you can; otherwise install Patch 4050 or 4354 (or their successors) from http://support.sgi.com/ or ftp://patches.sgi.com. Of course there's always Patch 4193 "Named security fix for 6.5.x" where x<=11, which fixes a BIND vulnerability, and Patch 4354 (the telnetd fix again), Patch 4382 (netprint vulnerability), Patch 4383 (nedit 5.1.1 security) and Patch 4470 (shell security fixes) that are worth installing as well for systems running 6.5.13 or earlier. There are so many patches and manual changes of files you have to make to keep the older versions secure that it will take you less time to upgrade to the latest IRIX than it will take to fix the older versions. I just upgraded a box from 6.5.6m (November 1999) to 6.5.16m (May 2002) and it went fine, just like all the other 6.5.x upgrades I've done. So go to SupportFolio and grab the latest version of IRIX!

  • IRIX 5.x (the most recent release was "IRIX 5.3XFS for Indy, Including R5000" on 05/96) is for Challenge, Crimson GT or GTX, Indigo, Indigo2, Indy, Onyx, Personal IRIS, and Power Series systems with MIPS R3x00, R4x00 and R5000 CPUs. This OS is no longer supported; the Required/Recommended patch set was last updated 9/98.
  • IRIX 6.0 (for R8000 systems only, released 08/94), 6.0.1 (03/95) and 6.1 (07/95) are unsupported and not Y2k compliant. All were replaced by IRIX 6.2.
  • IRIX 6.2 (the most recent release was "IRIX 6.2 with Indigo2 IMPACT 10000" on 06/96) is for Challenge, non-GT or GTX Crimsons, Onyx, Indy, Indigo and Indigo2 systems with MIPS R4x00, R5000, R8000 or R10000 CPUs.
  • "IRIX 6.3 for O2, including R10000" (released 11/96) is only for the SGI O2, running either R5000 or R10000 CPUs. "uname -R" returns "6.3 O2 R10000." No one should still be running the earlier IRIX 6.3 that doesn't return the R10000 string, even if they're using a R5000 CPU. This was an early release that was replaced after two months.
  • "IRIX 6.4 for Origin, Onyx2 and Octane" (released 02/97), also called IRIX 6.4.1, is for Octane, Onyx2, Origin 200 and Origin 2x00 systems with R10000 CPUs. "uname -R" returns "6.4 S2MP+OCTANE." No one should be running the earlier release of IRIX 6.4 that only returns "6.4."
  • IRIX 6.5 (released 06/98), as of 06/01, replaces all other IRIX releases and is available for the Indigo R4k, Indy R4k and R5k, and every type of Challenge DM/GR/L/M/S/XL, Indigo2, O2, Octane, Octane2, Onyx, Onyx2, Onyx 3x00, Origin 200, Origin 2x00, Origin 3x0, and Origin 3x00, up to 6.5.22. After that, support for the legacy Challenge, Indigo, Indigo2, Indy, Onyx and Power Challenge/Indigo2/Onyx platforms was dropped. Bummer.
  • Trusted IRIX is an addition to several varieties of IRIX, going as far back as IRIX 4, that meets the U.S. government's B1 requirements. This is an additional CD ("Trusted IRIX/CMW 6.5.x Overlays" at the moment) that must be purchased separately.
    2. Upgrade everything (Patches, Releases, and Overlays)

    Install the latest release of IRIX available for your system, and all the applicable patches or overlays. Realize that versions of IRIX below 6.5 are no longer fully supported, so new security patches may not be made available for them. Therefore, install the latest release of 6.5.x if at all possible.

    Before IRIX 6.5, SGI used patch sets. These patch sets and the individual patches within them can be downloaded from http://support.sgi.com/ and ftp://patches.sgi.com. If you have a support contract that includes software support, SGI still has some CDs sitting around, and SGI hasn't dropped support for the OS yet, you can have CD-ROMs containing the appropriate patch set mailed to you by calling 1-800-800-4SGI or requesting a copy through the support web page.

    With IRIX 6.5, SGI uses what are called "releases" or "overlays." IRIX overlays consist of all the changes to IRIX since 6.5 was released, and are numbered 6.5.1, 6.5.2, 6.5.3, etc. Overlays are available on the web from the links above, or on CD-ROM. An original IRIX 6.5 CD-ROM set contained:

    IRIX 6.5 Installation Tools June 1998
    IRIX 6.5 Foundation-1
    IRIX 6.5 Foundation-2
    IRIX 6.5 Applications June 1998
    
    The Installation Tools and Applications CD-ROMs are updated with every release, so, for example,
    IRIX 6.5.30 Installation Tools and Overlays (1 of 4) August 2006
    IRIX 6.5.30 Overlays (2 of 4) August 2006
    IRIX 6.5.30 Overlays (3 of 4) August 2006
    IRIX 6.5.30 Overlays (4 of 4) August 2006
    IRIX 6.5 Foundation-1
    IRIX 6.5 Foundation-2
    IRIX 6.5 Applications August 2006
    
    would be the CD-ROMs required for installing 6.5.30. Every three months a new overlay of IRIX 6.5 is released and, as you can see above, in August 2006 this brought 6.5 up to IRIX 6.5.30. Because each overlay has all the changes from the original IRIX 6.5 release, IRIX 6.5.30, for example, can be installed on top of any older version of IRIX 6.5.x without having to install all the other overlays released between the two. Think of an overlay/release as one really big patch, that happens to be updated every three months.

    IRIX overlays come in two variants, the maintenance stream and the feature stream (e.g. uname -R returns "6.5 6.5.30m" or "6.5 6.5.30f"). The maintenance stream contains bug fixes and basic support for new hardware; the feature stream contains new software features as well. Both streams get the bug and security fixes. When installing 6.5.x it will ask you which stream you want to be on, and you can swap between them if you desire. Picking and staying with feature is nice because then you receive all the updates of each new 6.5.x; maintenance is the conservative choice for a server that doesn't need the new features.

    The Applications CD-ROM that comes with each new IRIX 6.5.x overlay contains new versions of Java, Netscape, etc. You do not need this CD-ROM to upgrade the IRIX OS itself; it is only for some of the applications bundled with IRIX. Since these programs have security flaws that get fixed over time as well (Netscape, ...), you should also upgrade the bundled applications when you upgrade the OS.

    Occasionally SGI will release a patch for IRIX 6.5.x. Many times these patches are worked into the next release of IRIX 6.5.x, such as security Patch 4354 for IRIX 6.5.13 and earlier being worked into IRIX 6.5.16 and higher. Other patches or application program maintenance releases, usually very software- or hardware-specific ones (FailSafe, MPT, the compilers, etc.), may never be worked into IRIX 6.5.x. The only way to check whether your software/hardware has a specific patch or maintenance release is to go to the support web page or call the 1-800 number. Installed patches show up in the versions output as subsystems named patchSGnnnn, so you can check what you already have the same way you check a compiler version:

    prompt% cc -version
    MIPSpro Compilers: Version 7.4
    
    on my machine indicates that the 7.4 compiler release has been installed. I also could have discovered the version of the C compiler I have on my machine with
    prompt% versions -b c_fe
    I = Installed, R = Removed
    
       Name                 Date        Description
    I  c_fe                 02/22/2003  C Front-end, 7.4
    
    To learn the versions of all the inst-able software you have on your machine, use
    prompt% uname -R      (or uname -r for pre-6.3 IRIX)
    prompt% versions -b
    
    If you have Samba installed, upgrade to the most recent release. Version 2.0.7 has a security flaw which is fixed in 2.0.9 (not 2.0.8) and higher. For that matter, you should consider upgrading (or deleting) all the other third-party software on your system as well.

    3. Turn everything you don't need off

    a. Convert to shadowed passwords.

    prompt# pwconv
    
    to shadow the password file. Then set a password on every account, or lock the ones nobody logs in to. IRIX ships with guest, lp, root, and several other accounts unprotected (an empty password field, so anyone can log in as them without a password). Edit /etc/shadow to fix this, changing
    guest::11281::::::
    
    to
    guest:*:11281::::::
    
    and similarly for all the other open accounts. A "*" in the password field can never match a hash, so the account is locked; give root a real password with passwd rather than locking it, or you will lock yourself out of the console. Once you have converted to shadow passwords, edit /etc/passwd.sgi or /var/sysadm/config/clogin.conf (the latter on newer IRIX versions) and add the names of accounts you don't want to show up on the login screen. Adding
    EZsetup:noshow
    demos:noshow
    OutOfBox:noshow
    guest:noshow
    4Dgifts:noshow
    
    to the bottom of the file will prevent those accounts from being shown. There are some other variables in the file you may wish to change as well, see the documentation included in the file.
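    The audit above can be scripted. What follows is an added example, not from the original guide: it scans a file in /etc/shadow format for entries whose password field is empty and prints a copy with those accounts locked. The sample file is constructed (the root hash is made up); on IRIX you would run it as root against /etc/shadow after pwconv, check the output, and install it with the original mode and owner.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a file in
# /etc/shadow format for accounts whose password field is empty and emit a
# copy with those accounts locked.  The sample input below is constructed
# so the script runs anywhere; on IRIX, run it as root against /etc/shadow.

SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW" "$SAMPLE_SHADOW".*' EXIT
# Constructed sample resembling what pwconv leaves on a fresh install: root
# has a hash, guest/lp/demos have empty password fields, EZsetup and nobody
# are already locked.  (The hash is made up.)
cat >"$SAMPLE_SHADOW" <<'EOF'
root:abCDefGHijklm:11281::::::
guest::11281::::::
lp::11281::::::
demos::11281::::::
EZsetup:*:11281::::::
nobody:*:11281::::::
EOF

# find_open_accounts FILE -> login names whose password field is empty
find_open_accounts() {
    awk -F: '/^[ \t]*(#|$)/ { next } $2 == "" { print $1 }' "$1"
}

# count_open_accounts FILE -> number of such accounts
count_open_accounts() {
    find_open_accounts "$1" | wc -l | tr -d ' '
}

# root_is_open FILE -> exit status 0 if root has no password
root_is_open() {
    awk -F: '$1 == "root" && $2 == "" { found = 1 } END { exit !found }' "$1"
}

# lock_open_accounts FILE -> FILE with "*" in every empty password field
# except root's.  "*" can never match a hash, so the account cannot be
# logged into with a password.  Root is skipped because a locked root would
# lock you out of the console: give it a real password with passwd instead.
lock_open_accounts() {
    awk -F: 'BEGIN { OFS = ":" }
        $2 == "" && $1 != "root" { $2 = "*" }
        { print }' "$1"
}

# Demonstration.  On a real system, write the result to a temporary file,
# inspect it, then install it as /etc/shadow keeping mode 0400 and owner root.
echo "Accounts with empty passwords:"
find_open_accounts "$SAMPLE_SHADOW"
if root_is_open "$SAMPLE_SHADOW"; then
    echo "WARNING: root has no password; run passwd root now"
fi
echo "Locked version:"
lock_open_accounts "$SAMPLE_SHADOW"
```

    The script deliberately refuses to lock root: a locked root account combined with the CONSOLE restriction in /etc/default/login (section 3e) leaves no way in at the console. Fix root with passwd.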

    b. Remove all the software not being used, with swmgr or the versions remove command option. Popular programs to remove are:

    prompt# versions remove accessx
    prompt# versions remove appletalk
    prompt# versions remove arraysvcs
    prompt# versions remove demos
    prompt# versions remove InPerson
    prompt# versions remove nss_fasttrack
    prompt# versions remove outbox
    prompt# versions remove PeoplePages
    prompt# versions remove Register
    prompt# versions remove sgi_apache
    
    c. Turn off as much as possible in /etc/inetd.conf by commenting out lines, then send inetd a HUP signal (or reboot) so that it rereads the file. Popular choices to comment out are finger, http, wn-http, bootp, daytime, time, uucp, walld/1, rusersd/1, rquotad/1, sprayd/1, bootparam/1, ypupdated/1, rexd/1, sgi_videod/1, sgi_toolkitbus/1, sgi_snoopd/1, sgi_pcsd/1, sgi_pod/1, and ttdbserverd/1.

    There's also a school of thought that says "comment out everything in this file, one line at a time, until something breaks, and then uncomment only what broke something you need." This way you are certain that you have turned on only the absolute minimum. Also note that if you comment out the ftp and telnet lines, you can still telnet and ftp out of your system, but people can't ftp or telnet in. Very useful.
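    As an added example (not from the original guide), the allowlist approach in one script: everything in an inetd.conf-style file is commented out except the services you name, and the script reports what is left enabled before and after. The inetd.conf it processes is constructed here; the service names and daemon paths in it are only illustrative.

```shell
#!/bin/sh
# Added example, not part of the original guide: comment out every service
# in an inetd.conf-style file except an allowlist, and list what remains
# enabled.  IRIX inetd.conf carries classic "service type proto ..." lines
# and RPC lines whose first field is "name/version" (walld/1 and so on);
# both are matched on that first field.  The sample is constructed; on IRIX
# the real file is /etc/inetd.conf, and inetd must be sent SIGHUP (or the
# system rebooted) before the change takes effect.

SAMPLE_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_INETD" "$SAMPLE_INETD".*' EXIT
cat >"$SAMPLE_INETD" <<'EOF'
# Constructed sample, not a real IRIX inetd.conf
ftp     stream  tcp     nowait  root    /usr/etc/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/etc/telnetd    telnetd
finger  stream  tcp     nowait  guest   /usr/etc/fingerd    fingerd
daytime stream  tcp     nowait  root    internal
#tftp   dgram   udp     wait    guest   /usr/etc/tftpd      tftpd
walld/1         dgram   rpc/udp wait    root    /usr/etc/rpc.rwalld   rwalld
rusersd/1       dgram   rpc/udp wait    root    /usr/etc/rpc.rusersd  rusersd
sgi_snoopd/1    stream  rpc/tcp wait    root    /usr/etc/rpc.snoopd   snoopd
EOF

# enabled_services FILE -> first field of every line not blank or commented
enabled_services() {
    awk '/^[ \t]*(#|$)/ { next } { print $1 }' "$1"
}

# disable_except FILE "svc1 svc2 ..." -> FILE with every enabled line
# commented out unless its service name is in the space-separated allowlist.
# Blank and already-commented lines pass through, so a second run is a no-op.
disable_except() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*(#|$)/ { print; next }
        ($1 in allow)  { print; next }
        { print "#" $0 }' "$1"
}

# Demonstration: keep ftp and telnet (until sshd is in place to replace
# them); everything else goes.  On IRIX: back up inetd.conf, copy the
# result over it, then kill -HUP the inetd process (find it with ps).
echo "Enabled before:"
enabled_services "$SAMPLE_INETD"
disable_except "$SAMPLE_INETD" "ftp telnet" >"$SAMPLE_INETD.new"
echo "Enabled after:"
enabled_services "$SAMPLE_INETD.new"
```

    Because already-commented lines are left alone, you can run it again after each overlay install, which may have added lines back, and the diff of the "enabled" lists tells you exactly what reappeared.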

    The bottom half of this handy page tells how to add options to rlogind, fingerd, etc. to increase logging and security. It also has several other security recommendations and it is definitely worth reading.

    d. chkconfig everything possible off. Many of the programs in the /etc/rc*.d directories check the status of a chkconfig flag (a file under /etc/config) to see whether they should start when the system boots. Each system will have a different list of chkconfigable flags depending on what software is installed on it. Try:

    prompt# chkconfig array                off
    prompt# chkconfig autoconfig_ipaddress off
    prompt# chkconfig autofs               off
    prompt# chkconfig cesag                off
    prompt# chkconfig fcagent              off
    prompt# chkconfig fontserver           off
    prompt# chkconfig gated                off
    prompt# chkconfig ipaliases            off
    prompt# chkconfig lp                   off
    prompt# chkconfig mrouted              off
    prompt# chkconfig named                off
    prompt# chkconfig nds                  off
    prompt# chkconfig networker            off
    prompt# chkconfig netwr_client         off
    prompt# chkconfig nfs                  off
    prompt# chkconfig ns_admin             off
    prompt# chkconfig nss_fasttrack        off
    prompt# chkconfig privileges           off
    prompt# chkconfig proclaim_relayagent  off
    prompt# chkconfig proclaim_server      off
    prompt# chkconfig proxymngr            off
    prompt# chkconfig quickpage            off
    prompt# chkconfig rarpd                off
    prompt# chkconfig routed               off
    prompt# chkconfig rsvpd                off
    prompt# chkconfig rwhod                off
    prompt# chkconfig sendmail             off
    prompt# chkconfig sendmail_cf          off
    prompt# chkconfig sesdaemon            off
    prompt# chkconfig sgi_apache           off
    prompt# chkconfig soundscheme          off
    prompt# chkconfig tfxd                 off
    prompt# chkconfig timed                off
    prompt# chkconfig timeslave            off
    prompt# chkconfig ts                   off
    prompt# chkconfig vswap                off
    prompt# chkconfig yp                   off
    prompt# chkconfig ypmaster             off
    prompt# chkconfig ypserv               off
    
    You can view the status of every chkconfigable option on a given system with chkconfig -s. You may have to turn on things such as named, routed, etc. depending on your networking setup. Again, this might be a good place to turn everything off one at a time until something you need breaks. Note that every time you install or upgrade software this list may change (an overlay or a new product can add flags that default to on), so be sure to check it after every install or upgrade. You'll definitely want to
    prompt# chkconfig verbose on
    
    so that the startup scripts announce what they start at boot.
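    The "check it after every install or upgrade" advice is easy to automate. Below is an added example, not from the original guide: given two saved listings in the format chkconfig -s prints (assumed here to be a two-line header followed by one "flag on|off" pair per line), it reports which flags are on but not on your allowlist, which flags came on since the last baseline, and the chkconfig commands that would turn the strays back off. Both listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: compare the chkconfig
# flags that are on against an allowlist, and diff the current state
# against a saved baseline so that an install or overlay that quietly
# turned something on is noticed.  The input is assumed to be what
# chkconfig -s prints: a two-line header, then "flag  on|off" per line.
# Both files are constructed here so the script runs without chkconfig;
# on IRIX you would save "chkconfig -s" output before each upgrade and
# feed the old and new listings to newly_on.

BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$BASELINE".on "$CURRENT" "$CURRENT".on' EXIT
cat >"$BASELINE" <<'EOF'
        Flag                 State
        ====                 =====
        esp                  on
        network              on
        nfs                  off
        sendmail             off
        verbose              on
        yp                   off
EOF
# The same machine after a software install: sgi_apache appeared, nfs came on.
cat >"$CURRENT" <<'EOF'
        Flag                 State
        ====                 =====
        esp                  on
        network              on
        nfs                  on
        sendmail             off
        sgi_apache           on
        verbose              on
        yp                   off
EOF

# flags_on FILE -> names of the flags that are on, sorted one per line
flags_on() {
    awk 'NF == 2 && $2 == "on" { print $1 }' "$1" | sort
}

# unexpected_on FILE "allowed ..." -> flags that are on but not allowlisted
unexpected_on() {
    flags_on "$1" | awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        !($1 in allow)'
}

# newly_on BASELINE CURRENT -> flags on now that were not on in the baseline
newly_on() {
    flags_on "$1" >"$1.on"
    flags_on "$2" | comm -13 "$1.on" -
}

# off_commands FILE "allowed ..." -> the chkconfig lines that would fix it
off_commands() {
    unexpected_on "$1" "$2" | awk '{ printf "chkconfig %-22s off\n", $1 }'
}

echo "On, but not on the allowlist:"
off_commands "$CURRENT" "esp network verbose"
echo "Turned on since the baseline:"
newly_on "$BASELINE" "$CURRENT"
```

    Keep the allowlist under version control next to the saved baseline; the two together are the documented, intended state of the machine, and anything newly_on reports after an overlay is either a new default you have to decide about or a sign that someone else has been at the box.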
    

    e. If you only want root to log in at the console, uncomment the CONSOLE line in /etc/default/login:

    # If defined, only allows root logins on the device specified.
    # MUST NOT be defined as either "/dev/syscon" or "/dev/systty"!
    ##CONSOLE=/dev/console
    
    so that it reads CONSOLE=/dev/console. Root can then only log in at the console; everyone else logs in as themselves and uses su (or sudo, see section 6), which leaves a record of who became root. There are other variables in this file you may wish to change as well.

    f. You can prevent people from changing the non-volatile RAM settings in the PROM during boot (for example, to boot from other media) by stopping the boot with <ESC>, choosing the Enter Command Monitor option, and setting a password with passwd. This protects the PROM variables, not the disk itself; anyone with physical access can still pull the drive.

    g. Check /etc/hosts.equiv (a line consisting of just "+" trusts every host on the network) and do a

    prompt# find / -name '.rhosts' -print
    
    and delete or modify the .rhosts files as needed; a "+" in a .rhosts file, or "+ +", has the same effect for that one account. If nothing needs rlogin/rsh, comment them out of /etc/inetd.conf as well.
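    An added example, not from the original guide, that does the hosts.equiv and .rhosts check in one pass over a constructed directory tree (the hostnames and home directories in it are made up):

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the r-command trust
# files.  A line consisting of "+" in /etc/hosts.equiv trusts every host,
# and "+ +" in a .rhosts file trusts every user on every host, so rlogin
# and rsh from anywhere succeed with no password.  A constructed directory
# tree stands in for the real filesystem; on IRIX, as root, call
#     audit_rhosts /etc/hosts.equiv /
# (root so that every home directory is readable).

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/usr/people/alice" "$ROOT/usr/people/bob" "$ROOT/root"
printf 'trusted.example.com\n+\n' >"$ROOT/etc/hosts.equiv"
printf 'workstation.example.com alice\n' >"$ROOT/usr/people/alice/.rhosts"
printf '+ +\n' >"$ROOT/usr/people/bob/.rhosts"
: >"$ROOT/root/.rhosts"        # empty: harmless, but has no reason to exist

# wildcard_lines FILE -> lines whose host or user field is the "+" wildcard
wildcard_lines() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 == "+" || $2 == "+" { print FILENAME ": " $0 }' "$1"
}

# rhosts_files DIR -> every .rhosts file under DIR, sorted
rhosts_files() {
    find "$1" -name .rhosts -type f -print | sort
}

# audit_rhosts HOSTS_EQUIV DIR -> one line per wildcard finding
audit_rhosts() {
    wildcard_lines "$1"
    rhosts_files "$2" | while IFS= read -r f; do
        wildcard_lines "$f"
    done
}

# Demonstration.  To remediate: remove the "+" lines (or the whole .rhosts
# file), and once sshd is in place comment rlogin and rsh out of inetd.conf.
echo "Wildcard trust entries:"
audit_rhosts "$ROOT/etc/hosts.equiv" "$ROOT"
echo "All .rhosts files (review each one):"
rhosts_files "$ROOT"
```

    Even a .rhosts without wildcards is worth reviewing: it trusts a hostname, and rlogin/rsh verify that name only through DNS or /etc/hosts, which is why the guide replaces them with ssh in section 6.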

    h. Also, with IRIX 6.5.x, read

    prompt% man capability
    prompt% man capabilities
    
    and modify the /etc/capability file accordingly.

    i. If using IRIX 6.5.x, go to the Toolchest and select System, then System Manager, then Improve System Security, and complete the tasks in that group.

    5. Logging

    The Embedded Support Partner (ESP) is available on more recent versions of IRIX 6.5 (IRIX 6.5.5-6.5.10 has ESP 1.0, IRIX 6.5.11 and higher has ESP 2.0). Enable it with

    prompt# chkconfig esp on
    
    and read the man page
    prompt% man esp
    
    and set aside a few days to learn and configure it. Also
    prompt% cat /etc/syslog.conf
    prompt% man syslog
    
    to learn how to control logging in /var/adm/SYSLOG.

    6. SSH/TCP wrappers

    OpenSSH (secure shell) and TCP wrapper programs can be downloaded, already compiled, from http://freeware.sgi.com/ and Nekochan's Foetz or plain-old Nekochan. Use them. OpenSSH's ssh program replaces rlogin and telnet, scp replaces rcp, and sftp replaces ftp. OpenSSH encrypts the traffic in both directions, so passwords and sessions can't be sniffed off the network the way they can with telnet, rlogin and ftp; once sshd is running and you have tested it, comment those out of /etc/inetd.conf. TCP wrappers (tcpd) sit in front of the services started from inetd, log each incoming request for finger, talk, and other programs, and decide whether to admit it according to /etc/hosts.allow and /etc/hosts.deny. They can also be used to protect you in other ways; see the notes on the Freeware page. Other Freeware packages of note are One-time Passwords In Everything (opie), S/key, SuperUser DO (sudo), and x11-ssh-askpass.
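    TCP wrappers are only as good as the two files that drive them, and the most common mistake is a hosts.deny without a catch-all. As an added example, not from the original guide or the Freeware package, here is a default-deny policy together with a small checker that evaluates the subset of hosts_access(5) syntax used in it (ALL, exact names, trailing-dot network prefixes and leading-dot domain suffixes; EXCEPT lists, netmasks and the option extensions are not handled), so you can see what a given client would get before you put the files in /etc. The daemon names, networks and hosts are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: a default-deny TCP
# wrappers policy plus a checker that answers "would tcpd admit this
# client to this daemon?" for the subset of hosts_access(5) syntax used
# here: ALL, an exact host or address, a trailing-dot network prefix such
# as 192.168.1. and a leading-dot domain suffix such as .example.com.
# The real rule order is: first match in hosts.allow admits, otherwise
# first match in hosts.deny refuses, otherwise the client is admitted,
# which is why hosts.deny must contain "ALL: ALL".  Files are written to a
# constructed directory; tcpd reads them from /etc by default.

CFG=$(mktemp -d)
trap 'rm -rf "$CFG"' EXIT
cat >"$CFG/hosts.deny" <<'EOF'
# Default deny: anything not explicitly allowed is refused.
ALL: ALL
EOF
cat >"$CFG/hosts.allow" <<'EOF'
# Only the management network and one admin workstation reach sshd.
sshd:    192.168.1. admin.example.com
fingerd: .example.com
EOF

# pattern_matches PATTERN CLIENT -> exit 0 if the pattern covers the client
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT -> exit 0 if any rule in FILE matches.
# A rule is "daemon_list : client_list"; both lists are space separated.
file_matches() {
    awk -v d="$2" '/^[ \t]*(#|$)/ { next }
        { split($0, p, ":"); n = split(p[1], ds, " ")
          for (i = 1; i <= n; i++)
              if (ds[i] == "ALL" || ds[i] == d) { print p[2]; break } }' "$1" |
    while read -r clients; do
        for c in $clients; do
            pattern_matches "$c" "$3" && { echo yes; break; }
        done
    done | grep -q yes
}

# would_allow DIR DAEMON CLIENT -> "allow" or "deny"
would_allow() {
    if file_matches "$1/hosts.allow" "$2" "$3"; then echo allow
    elif file_matches "$1/hosts.deny" "$2" "$3"; then echo deny
    else echo allow           # no rule at all: tcpd fails open
    fi
}

# Demonstration
for client in 192.168.1.20 admin.example.com 10.0.0.5; do
    echo "sshd from $client: $(would_allow "$CFG" sshd "$client")"
done
echo "telnetd from 192.168.1.20: $(would_allow "$CFG" telnetd 192.168.1.20)"
```

    Run the checker against your own hosts.allow and hosts.deny before deploying: would_allow /etc sshd with an address outside your networks should print deny, and a daemon you never mention anywhere should print deny too. If either prints allow, the catch-all in hosts.deny is missing.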

    7. Reboot

    Now reboot your system and, from another machine, try to telnet, ftp, HTTP, etc. into it and see if it disallows everything you want it to disallow. netstat -a on the system itself lists what is still listening. Check everything yourself.

    When everything is finished, back up your system disk. The fastest way to do this is to buy another disk. Clone your system disk, then remove the clone disk and store it somewhere safe. If your system disk crashes, or your system is hacked, all you have to do is power off, insert the clone disk, and turn the system back on. Then you have a working system in seconds, and a hacked disk you can examine at your leisure. Some places run a weekly cron job to back up their system disk to a clone disk left in the machine, so that they always have a recent copy of their system disk; remember that a clone which stays in the machine is only as trustworthy as the disk it was copied from, so it is not a substitute for the copy kept somewhere safe. The best of both worlds would be to have one disk in a safe place and one disk being updated weekly. Tape backups are also a good idea, but significantly slower.

    8. Stay up to date

    Read the comp.sys.sgi.* newsgroups and the SGI security web page regularly, install the latest 6.5.x overlay every three months, read all the security/hacking web pages you can find, read lots of books, read your log files for break-ins, or try to break in yourself...