Information and Communication Technologies Imperial College front page

Setting-up Irix O/S Securely


Most systems are not set up to be inherently secure when networked. You are, therefore, strongly advised to follow the recommendations shown in the checklist relevant to your system. This should help to ensure the system is appropriately and securely set up before it is put on the network. You are also advised to consult the CERT notifications.

  1. Register for a Free SurfZone Account

    Connect to SGI's Supportfolio website - http://support.sgi.com/ - and register for a Free SurfZone Account for access to release updates (contract only) and free SGI IRIX Y2k & Security Patches.

  2. New Systems

    New systems will arrive with a basic operating system already installed. The version of IRIX will be the latest all-hardware version. The major security hole on new SGI IRIX systems is that, apart from the root account, several other accounts arrive open, i.e. without a password. Before you connect your new system to the network, you must set a password for the root account and close the password field with an * on the remaining open accounts. Typically, these accounts are lp, uucp, demos, guest, EZsetup, etc.
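
The check described in this step, as an added example that is not part of the original checklist: it lists the accounts with an empty password field in a passwd-format file and writes a copy with * in those fields, leaving root for a real password. It assumes passwords are stored in field 2 of the file (no shadow file); the sample entries and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes password hashes are
# kept in field 2 of the passwd file, i.e. no shadow file is in use.

# Constructed sample in passwd format: account names follow the checklist,
# every other field value is made up for the demonstration.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root::0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
uucp:*:3:5:UUCP Owner:/usr/lib/uucp:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
jsmith:CONSTRUCTEDHASH1:1001:20:J Smith:/usr/people/jsmith:/bin/csh
EOF
}

# Print the name of every account whose password field is empty.
# Comment lines and NIS-style lines (starting with + or -) are skipped.
list_open_accounts() {
    awk -F: '$1 !~ /^[#+-]/ && NF >= 7 && $2 == "" { print $1 }' "$1"
}

# Copy IN to OUT with "*" in each empty password field. root is left alone:
# it needs a real password set with passwd(1), not a locked field.
close_open_accounts() {
    awk -F: 'BEGIN { OFS = ":" }
        $1 !~ /^[#+-]/ && NF >= 7 && $2 == "" && $1 != "root" { $2 = "*" }
        { print }' "$1" > "$2"
}

# Demo on the constructed sample; on a real system, review OUT by hand.
demo() {
    dir="${TMPDIR:-/tmp}/passwd-audit.$$"
    mkdir "$dir" || return 1
    make_sample_passwd "$dir/passwd"
    echo "open before: $(list_open_accounts "$dir/passwd" | tr '\n' ' ')"
    close_open_accounts "$dir/passwd" "$dir/passwd.closed"
    echo "open after:  $(list_open_accounts "$dir/passwd.closed" | tr '\n' ' ')"
    rm -rf "$dir"
}
demo
```

After the copy is written, root is the only name still reported, which is the reminder to set its password before the machine goes on the network.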

     

  3. Latest system release

    Every so often SGI will release an update for the all-hardware version of IRIX. The update may include bug fixes, security patches, software updates and brand-new software. There are two flavours of update release (also known as streams): maintenance and feature. The maintenance release will install all the default updates except brand-new software, whereas the feature release will install all the default updates and the default subsets of any brand-new software. These update releases can be downloaded from SGI's Supportfolio website, http://support.sgi.com/: follow the links through IRIX to the section entitled Patch and select Maintenance Release. Select which release you want and read the pre- and post-installation notes carefully. Pay special attention to the caveats for your specific hardware.

    If you are upgrading to the latest update release on a live system, you may have to install a patch from the distribution 'installtools directory' first. Upgrades via the miniroot do not need this.

    Please remember to check for configuration file changes post installation. Use 'versions changed' to list the changed files. Files with a .O extension have been replaced by a new version of the configuration file. You may want to copy any local modifications of this file to the new version. Use 'xdiff filename1 filename2' to compare the content of these files.

    Once you have installed the update and checked for configuration file changes, you will have to reboot to rebuild the kernel to incorporate these changes. The system will automatically rebuild the kernel on reboot. You may need to reboot a 2nd time if the file /unix.install exists after the first reboot.

     

  4. Older SGI systems

    For R4k processors and higher, install the new all-hardware release of the base operating system, IRIX 6.5, plus the latest update. Minimum resource requirements for IRIX 6.5 are 64 MB memory and a 2 GB system disk. A current SGI maintenance contract is necessary in order to apply for SGI software licenses for any installed licensed products, e.g. the MIPSpro C, C++, Fortran 77 and Fortran 90 compilers.

     

     

    Ideally, install onto a new filesystem. This can be done via the miniroot before selecting and installing the OS. Select the inst Admin sub-menu, which provides a mkfs and a mount option. Remake the filesystem for /root using the block device file, typically /dev/dsk/dks0d1s0, and remount /root. Follow the installation instructions from the booklet provided with the IRIX 6.5 CDs. Once installed, apply the same procedure to close the password security hole as for new systems above. See 'Latest system release' to keep the OS up to date.

    For R3k processors you can only install IRIX 5.3, with free Y2k and security patches available from http://support.sgi.com/. Additional information regarding Y2k patches for IRIX 5.3 is available at http://www.sgi.com/tech/year2000/patches_53.html. Please note: if you install IRIX 5.3 without XFS, i.e. with EFS filesystems, only install the IRIX 5.3 patches for systems without XFS. SGI have retired this version of IRIX and will not provide any further new patches.

    Please remember to check for configuration file changes post installation. Use 'versions changed' to list the changed files. Files with a .O extension have been replaced by a new version of the configuration file. You may want to copy any local modifications of this file to the new version. Use 'xdiff filename1 filename2' to compare the content of these files.

    Once you have installed the update and checked for configuration file changes, you will have to reboot to rebuild the kernel to incorporate these changes. The system will automatically rebuild the kernel on reboot. You may need to reboot a 2nd time if the file /unix.install exists after the first reboot.
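
The post-installation review described under both 'Latest system release' and 'Older SGI systems', as an added example that is not part of the original checklist: for each saved .O copy it counts the lines that exist only in the old file, so local settings missing from the new configuration stand out, and it reports a leftover unix.install. It uses find and diff rather than IRIX's versions and xdiff; the sample tree, its file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). It uses find and diff as a
# stand-in for the manual review; it does not call IRIX's versions or xdiff.

# Build a constructed sample tree: one config whose old copy (.O) carries a
# local change, one that is unchanged, and a leftover unix.install.
make_sample_tree() {
    mkdir -p "$1/etc"
    printf '%s\n' 'ftp stream tcp nowait root /usr/etc/ftpd ftpd -l' \
        '#telnet stream tcp nowait root /usr/etc/telnetd telnetd' \
        > "$1/etc/inetd.conf.O"
    printf '%s\n' 'ftp stream tcp nowait root /usr/etc/ftpd ftpd -l' \
        'telnet stream tcp nowait root /usr/etc/telnetd telnetd' \
        > "$1/etc/inetd.conf"
    echo '*.crit /var/adm/SYSLOG' > "$1/etc/syslog.conf.O"
    echo '*.crit /var/adm/SYSLOG' > "$1/etc/syslog.conf"
    : > "$1/unix.install"
}

# For each FILE.O under ROOT with a current FILE beside it, print
# "FILE <n>": n lines exist only in the old copy, i.e. local modifications
# that the new version does not contain.
list_replaced_configs() {
    root=$1
    find "$root" -type f -name '*.O' | sort | while read -r old; do
        new=${old%.O}
        [ -f "$new" ] || continue
        lost=$(diff "$old" "$new" | grep -c '^<' || true)
        echo "${new#$root} $lost"
    done
}

# True when ROOT/unix.install is still present, i.e. another reboot is due.
needs_second_reboot() {
    [ -f "$1/unix.install" ]
}

# Demo on the constructed tree.
demo_root="${TMPDIR:-/tmp}/cfgcheck.$$"
make_sample_tree "$demo_root"
list_replaced_configs "$demo_root"
needs_second_reboot "$demo_root" && echo "unix.install present: reboot again"
rm -rf "$demo_root"
```

In the constructed sample the old inetd.conf.O has one line the new file lacks: a locally commented-out service that the replacement file has re-enabled.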

     

  5. Latest Patches

From time to time SGI may release a patch between system update releases, for a specific purpose. Connect to http://support.sgi.com and follow the links through IRIX. Select IRIX Patches from the dialog box and follow the Category link. This will provide a table of IRIX patches. Before you download and install any patch, you must 'View' the release notes and check for compatibility issues. Some patches are incompatible with others and some patches require additional patches to be installed.

Security patches are available free from SGI's Security Headquarters website - http://www.sgi.com/support/security/index.html. For an OS version listing, follow the link 'FTP Access to Security Patches'. You must 'View' the release notes and check for compatibility issues before you download and install any patch.

 

Now do the post-installation security checks: follow this link

ICT also provide precompiled security programs via the College ftp site ftp://ftp.cc.ic.ac.uk/pub/packages -

    a) skey

       One-time password encryption for remote root access.

    b) Mail - sendmail

       ICT recommend using exim over sendmail.

    c) Anonymous ftp

       ICT does not recommend the use of anonymous ftp. Contact ICT Network Services for advice on installing anonymous ftp.

© 2002 Imperial College of Science, Technology and Medicine.