Securing IRIX 6.5.x


Editor's Note: See the end of this paper for a list of the papers that were combined to form it.

My goal with this paper is to present a "how-to" for securing IRIX in a production environment while still maintaining sufficient functionality.


Securing System Accounts

IRIX by default is installed with several accounts without passwords. You can view which accounts have no password (NP), are locked (LK), or are password protected (PS) with the command:

# passwd -as

Your first step should be adding a password for root, followed by locking all accounts without passwords:
# passwd

# foreach account (lp EZsetup nuucp demos guest OutOfBox \
sys adm sysadm cmwlogin auditor dbadmin sgiweb 4Dgifts)
? passwd -l $account
? end

Next, turn on shadow passwords:
# pwconv

Configure default rules for passwords and logins

To set up rules for passwords, create the file /etc/default/passwd if it does not already exist, and tweak the following settings as desired (example follows):

PASSLENGTH=10
MINWEEKS=1
MAXWEEKS=12
HISTORYCNT=100
HISTORYDAYS=30
WARNWEEKS=1

Next, edit the file /etc/default/login - this controls login behaviour. The following are suggested options. Be sure to uncomment any relevant lines.
CONSOLE=/dev/console
PASSREQ=YES
ALTSHELL=YES
MANDPASS=YES
UMASK=027
TIMEOUT=60
DISABLETIME=300
MAXTRYS=3
LOGFAILURES=4
IDLEWEEKS=2
PATH=/usr/sbin:/usr/bsd:/sbin:/usr/bin:/bin:/usr/bin/X11:
SUPATH=/usr/sbin:/usr/bsd:/sbin:/usr/bin:/bin:/etc:/usr/etc:/usr/bin/X11:
SYSLOG=ALL
INITGROUPS=YES
LANG=C
SVR4_SIGNALS=NO
LOCKOUT=4
LOCKOUTEXEMPT=root

IMPORTANT: If PAM is enabled, PASSREQ, MANDPASS, and IDLEWEEKS are not supported. The original author also chose to exempt root from lockout, which does leave a potential vulnerability in place. Customize the CONSOLE variable based on your default connection; for instance, change it to /dev/ttyd1 if you're running a headless machine.
Next, chmod both files so that only root can read them:
# chmod 400 /etc/default/{login,passwd}

Disabling and Tightening Vulnerable Network Services

Many services can be turned off, or tightened up to improve security. The same basic rule applies: "If you don't need it, turn it off."
SGI by default enables two Apache services. These provide interfaces to system modules from the web. Turn them off using chkconfig:

# chkconfig webface_apache off
# chkconfig sgi_apache off

To ensure that edits can be reverted if needed, create a separate backup directory and copy the original config files into it:
# mkdir -p /usr/share/etc.defaults
# cp -p /etc/inetd.conf /usr/share/etc.defaults/inetd.conf
# cp -p /etc/ntp.conf /usr/share/etc.defaults/ntp.conf

It's good practice to back up all config files to a single directory so you can revert them easily. Next on our list, open inetd.conf and turn off everything you are not using by deleting the lines. A list of suggestions is below:
finger
bootp
tftp
echo
telnet
ftp
discard
chargen
daytime
time
rstatd
walld
rusersd
rquotad
sprayd
ttdbserverd
shell
exec
http
wn-http
ntalk
mountd
sgi_mountd
rexd
bootparam
ypupdated
sgi_videod
sgi_toolkitbus
sgi_snoopd
sgi_pcsd
sgi_pod
sgi_espd
sgi-esphttp
tcpmux/sgi_scanner
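
To check the result of that edit, the following added example (not part of the original paper) reports which services from the list above still have an uncommented entry in an inetd.conf file. It assumes a POSIX sh and awk; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report inetd.conf entries from the list above that are still active.
RISKY="finger bootp tftp echo telnet ftp discard chargen daytime time rstatd walld"
RISKY="$RISKY rusersd rquotad sprayd ttdbserverd shell exec http wn-http ntalk"
RISKY="$RISKY mountd sgi_mountd rexd bootparam ypupdated sgi_videod sgi_toolkitbus"
RISKY="$RISKY sgi_snoopd sgi_pcsd sgi_pod sgi_espd sgi-esphttp tcpmux/sgi_scanner"

# audit_inetd FILE: print each listed service with an uncommented entry in FILE.
# Exit status is 1 if any were found, 0 if the file is clean.
audit_inetd() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }          # commented-out or blank line
        {
            name = $1
            base = name; sub(/\/.*/, "", base)   # RPC entries carry a version: rstatd/1-3
            if (name in bad)      hit = name     # exact match, e.g. tcpmux/sgi_scanner
            else if (base in bad) hit = base
            else next
            if (!(hit in seen)) { seen[hit] = 1; print hit; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# make_sample FILE: write a constructed inetd.conf fragment (not from a real host).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample entries
ftp     stream  tcp     nowait  root    /usr/etc/ftpd   ftpd -l
#telnet stream  tcp     nowait  root    /usr/etc/telnetd        telnetd
rstatd/1-3      dgram   rpc/udp wait    root    /usr/etc/rpc.rstatd     rstatd
tcpmux/sgi_scanner stream tcp nowait root ?/usr/lib/scan/net/scannerd scannerd
sgi_fam/1-2     stream  rpc/tcp wait    root    ?/usr/etc/fam   fam
EOF
}

sample="${TMPDIR:-/tmp}/inetd.sample.$$"
make_sample "$sample"
audit_inetd "$sample" || echo "the services listed above are still enabled" >&2
rm -f "$sample"
```

Run audit_inetd against /etc/inetd.conf after editing; an empty result with exit status 0 means none of the suggested services remain active.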

Other network services can be turned off with chkconfig, using the same syntax as above ("chkconfig <service> off"):
timed
timeslave
routed
esp
privileges
appletalk
array
autoconfig_ipaddress
autofs
automount
fcagent
fontserver
gated
ipaliases
yp
ypmaster
ypserv
mrouted
named
nfs
netwr_client
nostickytmp
ns_admin
nss_fasttrack
pmcd
pmie
proclaim_relayagent
proclaim_server
proxymgr
quickpage
rarpd
rsvpd
rwhod
sdpd
sendmail
sendmail_cf
snetd
ts
vswap
webface

Here are some services you definitely want to remain ON if you're running a desktop:
desktop
lockd
mediad
network
noiconlogin
nsd
rtmond
savecore
sar
verbose
visuallogin
windowsystem
xdm

Securing XSGI

X should be secured to only allow authorized users for remote display. Edit /var/X11/xdm/xdm-config and change the DisplayManager*authorize line to read:

 DisplayManager*authorize: on

This tightens the X server's access control.

Tuning the Kernel

By default IRIX enables a number of kernel-related services which should be turned off for security reasons:

# printf 'y' | systune ipforwarding 0
# printf 'y' | systune ip6forwarding 0
# printf 'y' | systune icmp_dropredirects 1
# printf 'y' | systune tcp_2msl 60
# printf 'y' | systune allow_brdaddr_srcaddr 0
# printf 'y' | systune tcpiss_md5 1
# printf 'y' | systune restricted_chown 1

To verify these took effect, check for /unix.install in the root directory. If it does not exist, you need to run:
# autoconfig -vf

Now, reboot for these to take effect.

Conclusions

This is not an exhaustive list of all security holes in IRIX, but is a set of best practices that have been published, and now composited here.

Citations