PSS-UNIX -- SGI Security Details

PSS-UNIX's SGI Security Details

This page provides details about SGI Irix security precautions. There is also a shorter page in "checklist" format.

If you have just installed Irix, you should also examine PSS-UNIX's SGI Post-install page.

Check for and lock unpassworded acccounts. On a new SGI system, none of the administrative and maintenance logins have passwords. This means that anyone can telnet or walk up to your system and login as those users without having to type a password. To see which accounts are unlocked, type the following on the command line:
```
 
	grep '::' /etc/passwd
	
```
You should get a listing of lines similar to the following (but there will be more lines listed):
```
	uucp::3:5:UUCP Owner:/usr/lib/uucp:/bin/csh
	lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
	guest::998:998:Guest User:/usr/people/guest:/bin/csh
	
```
If an entry has the first two colons next to each other without anything between them, that account has no passwords. For every entry like that, you need to enter the following command, with username being the first field on the line. For example, to lock the accounts above, type:
```
	passwd -l uucp
	passwd -l lp
	passwd -l guest
	
```
Enable shadow passwords. This places the encrypted password strings in a file readable only by root, preventing someone from copying the /etc/passwd file and running it through a cracking program.
As root, run /sbin/pwconv which initializes shadow passwords, and synchronizes /etc/passwd and /etc/shadow.
NOTE: For Irix versions 5.3, 6.2, 6.3, and 6.4, you cannot use shadow passwords AND use NIS password serving together.
Security patches should be applied and logged as soon as available. Every vendor, including SGI, releases patches to fix security holes. Since these holes are often widely known, you can prevent many intrusions by staying current on patches.
SGI has email services to notify you when new patches are available. You'll need a (free) subscription to SupportFolio.
- support.sgi.com/surfzone/member/cgi-bin/subscribe.cgi -- notification of recommended patches
- Wiretap -- security mailing list.
- ftp.uga.edu/pub/unix/sgi/patches -- Security patches.
You can check what patches are installed with this command:
- versions -a | grep -i patch
Alias root's email address to a real user. Often important system mail is sent to root, so it's important for this mail to be read in a timely fashion by the system administrator.
- Edit the file /etc/aliases
- Look for a line like this:
```
	#root:postmaster
	
```
- Remove the comment and replace postmaster with a real email address:
```
	root:username@arches.uga.edu
	
```
- /usr/bsd/newaliases
Caution! You should not use an ARCHES account if the computer you are securing is a mail server. It is possible for root or postmaster to receive a lot of mail very quickly which can fill up a quota'd account such as ARCHES.
Secure the Xserver by changing all files that start with Xsession in the directory /usr/lib/X11/xdm. This will disallow the world from being able to connect to your X server. Put a comment (#) in front of any lines that look like this:
```
	/usr/bin/X11/xhost + 
	
```
or this
```
	if [ -f /usr/lib/desktop/xhoston ]; then
	/usr/bin/X11/xhost +
	fi
	
```
After you get through, the line should look like this:
```
	# /usr/bin/X11/xhost + 
	
```
or this
```
	# if [ -f /usr/lib/desktop/xhoston ]; then
	# /usr/bin/X11/xhost +
	# fi
	
```
Change the login defaults file, etc/default/login, and set the values to be the following:
```
	PASSREQ=YES
	MANDPASS=YES
	DISABLETIME=20
	MAXTRYS=3
	LOGFAILURES=3
	IDLEWEEKS=1
	SYSLOG=ALL
	CONSOLE=/dev/console
	
```
The comments preceding each value in the file explain what they afect.
Decide whether email needs to be deliverable to this machine. Unless it is a departmental or other central mail server, the answer is probably "no." In that case you should not run the sendmail daemon since it can be a security risk. In any case, you should install the latest sendmail provided by PSS-UNIX instead of using SGI's sendmail.
1. Download and install PSS-UNIXs sendmail via anon ftp from ftp.uga.edu
```
        cd /usr/tmp
	ftp ftp.uga.edu
  	cd pub/unix/sgi
	binary
	get ugasendmail6.2.tardist
  	quit

	tar xvf ugasendmail6.2.tardist
	inst -f .
	install all
	go
	quit
```
2. Turn off the sendmail daemon.
```
	/etc/init.d/mail stop
	chkconfig sendmail off
```
3. Now any mail sent to this machine will bounce. If that is undesirable, consider using an MX record to some other system which will accept mail for this one.
Disable unecessary services from inetd. Inetd is the "internet" daemon which starts most network services. Running services you don't need can be a security vulnerability and a performance degrader. If you don't want to disable a service, consider limiting access with tcpwrappers.
To disable a service, follow these steps
1. Make a copy of /etc/inetd.conf just in case
```
cp /etc/inetd.conf /etc/inetd.conf.old
```
2. Edit /etc/inetd.conf. It's format is one service per line. Disable a service by placing a comment (a pound sign - #) as the first character in the line. To re-enable a service, simply remove the comment.
3. Save the file and then re-initialize inetd. You must do this after making any change to the conf file in order for that change to take effect.
```
/etc/killall -HUP inetd
```
Here are some SGI inetd services which can often be disabled without anyone knowing the difference. This depends upon your setup -- testing is recommended! Please note that this list is incomplete: here's a more complete list of inetd services for SGI.
- fingerd - gives user info.
- rshd - executes remote commands. Disable and use ssh instead.
- rexecd - executes remote commands. Disable and use ssh instead.
- rlogin - allows remote logins. Disable and use ssh instead.
- bootp - gives boot info to clients
- dhcp_bootp - gives boot info to clients
- tftpd - boots diskless clients
- talkd
- uucp
- ruserd
Ssh is a telnet-like utility which encrypts your login id, password, and terminal session. It's a great security tool! Ssh can use the tcpwrappers configuration files to control access too.
It is possible to configure ssh so that a user can login without using his or her password. This is a bad idea because compromise of one system can quickly lead to compromise of others. Don't use .rhosts or .shosts to allow passwordless entry.
- Download and install ssh from ftp.uga.edu:
```
	cd /usr/tmp/
	ftp ftp.uga.edu
	cd /pub/unix/security/ssh.uga
	binary
	get ssh1.2.26-irix6x.tardist
	quit

	tar xvf ssh1.2.26-irix6x.tardist
	inst -f .
	install all
	go
	quit
```
- There's an extensive README in the ssh package; read it for details.
- sshd logs accesses to /var/adm/SYSLOG by default.
Install tcpwrappers on all machines, and limit connections to trusted hosts or domains. Tcpwrappers allows you to selectively allow or deny internet connections from other systems. Any service started from inetd can be wrappered, as well as ssh access. Even if you don't want to begin wrappering yet, it's a good idea to set it up so that it's easy to activate.
Note: Tcpwrappers is packaged with the ssh distributed by PSS-UNIX. The command versions -a ssh will tell you if tcpwrappers is installed.
1. Install tcpwrappers (bundled with ssh)
```
        cd /usr/tmp/
        ftp ftp.uga.edu
        cd /pub/unix/security/ssh.uga
        binary
        get ssh1.2.26-irix6x.tardist
        quit

        tar xvf ssh1.2.26-irix6x.tardist
        inst -f .
        install all
        go
        quit
```
2. Prepare /etc/inetd.conf by making a copy and editing your copy. Each line of inetd.conf controls a service, so do these steps for each service you want to wrapper.
  1. The sixth field contains the path of the service to be invoked, while the seventh filed contains the service program name plus arguments.
  2. Insert a new sixth field containing /usr/local/sbin/tcpd.
  3. Edit the seventh field to be the service path plus arguments.
  4. Example of old line:
```
ftp  stream  tcp  nowait  root  /usr/sbin/in.ftpd  in.ftpd -t1800
```
  5. Example of new line:
```
ftp  stream  tcp   nowait  root /usr/local/sbin/tcpd  /usr/sbin/in.ftpd -t1800
```
3. Prepare the access control files. Please see the README.uga for detailed instructions on this, or read the man pages.
  - The allow file is in /etc/hosts.allow. The format is service : [host] [domain] ...
  - The deny file is in /etc/hosts.deny. The format is service : [host] [domain] ...
4. Check your tcpwrappers setup.
  - /usr/local/bin/tcpdchk -i /etc/inetd.conf.tcpw
  - /usr/local/bin/tcpdmatch -i /etc/inetd.conf.tcpw daemon host
5. Move the edited inetd.conf into place and restart inetd.
```
        cp /etc/inetd.conf /etc/inetd.conf.pretcpw
	cp /etc/inetd.conf.tcpw /etc/inetd.conf
	/etc/killall -HUP inetd
	
```

Disable root login from anywhere but the system console. This forces administrators to su to root, and would also keep an intruder from remotely logging in as root even if s/he somehow knew the root password.

Edit the file /etc/default/login and search for the word console. Set that line to the following:
```
CONSOLE=/dev/console
```
Be sure there isn't a comment in front of the CONSOLE line!

Install the xntpd package from ftp.uga.edu to keep the clock on time. Some security attacks are predicated on an incorrect system clock.

xntp is part of the ugasetup package distributed by PSS-UNIX. It also includes networking setup. To download and install:

        cd /usr/tmp/
        ftp ftp.uga.edu
        cd /pub/unix/sgi
        binary
        get ugasetup62.tardist
        quit

        tar xvf ugasetup62.tardist
        inst -f .
        install 
        go
        quit

You should also turn off timed, another time daemon.

	/sbin/chkconfig timed off
	/etc/killall timed

Set up the system logs, and know what to check for

You do not want users to be able to look at the system log (/var/adm/SYSLOG) since the login information is in that file, and sometimes users will type all or some of their passwords at the username prompt and this is written to the system log.

Edit the file /usr/spool/cron/crontabs/root CAREFULLY and make the following change:

Old line:

1  1  *  *   0  umask 033;cd /var/adm;if test -s SYSLOG && 
test "`wc -c SYSLOG`" -ge 10240; then mv -f SYSLOG oSYSLOG;
touch SYSLOG; killall 1 syslogd; fi

Change umask 033 to umask 077 as follows:

1  1  *  *   0  umask 077;cd /var/adm;if test -s SYSLOG && 
test "`wc -c SYSLOG`" -ge 10240; then mv -f SYSLOG oSYSLOG;
touch SYSLOG; killall 1 syslogd; fi

Now change the permissions on the existing SYSLOG file:

chmod 600 /var/adm/SYSLOG

Last modified: Thursday, 13-Mar-2003 14:55:21 EST
URL: http://www.uga.edu/~ucns/wsg/security/sgidetails.html