-------------------------- DISCLAIMER - WARNING --------------------------
The use of these scripts may make your nodes more secure than what they are
at present, or they may in fact open up any number of holes or render your
system unusable. These scripts come with no warranty of any kind. Use them
at your own risk only: YOU are responsible for what YOU run on YOUR nodes.
-------------------------- DISCLAIMER - WARNING --------------------------

HOW TO USE

Unpack the archive scripts.tar.Z, using something like
  zcat scripts.tar.Z | tar xvf -

Create the following person entries in your registry:
  d3m dial dpcc ftp netmain ns_helper prfd sbp sf_helper spm writed
and the following groups:
  d3m dial dpcc ftp netmain ns_helper prfd sbp sf_helper spm writed postman

Execute the protect_software script, using something like
  protect_software //nodename SR10.X

Copy the other files to appropriate places.

If you run netman (have any diskless nodes), then execute
  /sys/net/netman.rc template any
before running protect_software (or maybe run it again: it cannot hurt).


NOTES

protect_software will happily change ACLs on trees pointed to by links, e.g.
if you installed /domain_examples by a link
  /domain_examples -> //master_node/domain_examples
This will of course take quite a long time, besides being wasteful (as the
directory will be protected, again, when running on //master_node). We have
all such links pointing to /master instead, e.g.
  /domain_examples -> /master/domain_examples
  /bsd4.3/usr/man -> /master/bsd4.3/usr/man
where /master is a link pointing to some appropriate place. (When install++
asks for a //nodename, just enter /master.) The protect_software script will
first rename the /master link, so that none of the linked directories are
found while changing ACLs, and renames it back when finished.
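
The following is an added example, not part of these scripts: a small
POSIX sh model of the /master link trick described above. It assumes
protect_software walks a fixed list of software directories and follows
links while doing so (modelled here with 'find -L'); the sandbox tree, the
entry list and the temporary name "master.protecting" are all constructed
for the example and are not taken from the real script.

```shell
#!/bin/sh
# Added example, not part of the original scripts: a model of the /master
# link trick described in NOTES. It assumes protect_software walks a fixed
# list of software directories and follows links while doing so (modelled
# here with `find -L`); the sandbox tree, the entry list and the temporary
# name "master.protecting" are all constructed for this example.

# Directories protect_software is assumed to process, relative to the node
# root. /domain_examples is one of them and is installed via the /master link.
PROTECT_ENTRIES="sys domain_examples"

# Build a throwaway "node" tree whose /master link points at a separate
# "master_node" tree, with one local file and one file behind the link,
# both initially mode 666.
setup_sandbox() {
  SANDBOX=$(mktemp -d) || return 1
  mkdir -p "$SANDBOX/master_node/domain_examples" "$SANDBOX/node/sys"
  echo local  > "$SANDBOX/node/sys/local.sh"
  echo remote > "$SANDBOX/master_node/domain_examples/ex.sh"
  chmod 666 "$SANDBOX/node/sys/local.sh" \
            "$SANDBOX/master_node/domain_examples/ex.sh"
  ln -s "$SANDBOX/master_node" "$SANDBOX/node/master"
  # /domain_examples -> /master/domain_examples, as the NOTES recommend.
  ln -s "$SANDBOX/node/master/domain_examples" "$SANDBOX/node/domain_examples"
}

# The link-following walk: tightens every file under each listed entry,
# including files reached through links. Run as-is on a node whose /master
# link resolves, it reaches into the master node's tree (slow, wasteful, and
# repeated for every node that has such links).
protect_entries() {
  for e in $PROTECT_ENTRIES; do
    find -L "$1/$e" -type f -exec chmod 644 {} + 2>/dev/null || true
  done
}

# The trick from NOTES: move /master out of the way first. Entries installed
# via /master then dangle, the walk skips them, and the link is restored.
protect_with_rename() {
  root=$1
  mv "$root/master" "$root/master.protecting" || return 1
  protect_entries "$root"
  mv "$root/master.protecting" "$root/master"
}

# Print 1 if the file is group-writable, 0 otherwise (column 6 of ls -l is
# the group write bit, so this needs no GNU stat).
group_writable() {
  case $(ls -l "$1" | cut -c6) in
    w) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Usage:
#   setup_sandbox
#   protect_with_rename "$SANDBOX/node"   # local.sh -> 644, ex.sh stays 666
#   protect_entries "$SANDBOX/node"       # ex.sh -> 644 via the link
#   rm -rf "$SANDBOX"
```

The point of the rename is not that the link is hidden from the walk, but
that nothing in the list of protected entries resolves through it while it
is renamed; the master tree is then protected exactly once, when the
script is run on the master node itself.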

These scripts work together. You might be able to use the new /etc/rc with
the default Apollo permissions, or the original /etc/rc after running
protect_software, but more likely you cannot. You must also replace
/sys/net/netman.rc (this is a link to netman_bin.sh or netman_com.sh),
otherwise your protection would be quite useless.

Do not change permissions in arbitrary ways. Opening things up may allow
seemingly unrelated attacks, while tightening things might make the node
unusable.


NETWORKING

The 'native' protocol Apollos use to talk between themselves is DDS. It is
this protocol which allows things like lcnode, access to remote filesystems
as //node/dir/file, and most other things 'remote'. You must ensure that
you only allow the DDS protocol over networks that you control. Otherwise
anyone with access to an Apollo can access your machines, as root if he is
root on his own machine (or if he is able to forge packets). Your machines
may even genuinely get confused as to where the master rgyd replica is!

To protect yourself: only allow DDS on your own internal networks, not on
segments which connect you to the outside world. You need a separate network
interface for the outside connection. You are lucky if you have a 425t with
inbuilt ethernet; otherwise buy an ethernet board (since you do not need to
boot from this, a 'plain' 3Com505 will do). You may need to explicitly use
the rtsvc command on this interface: 'rtsvc -dev eth802.3_at -off'. You may
not need this if it is the 'secondary' interface in your node, as that is
off by default. The name of the device may be eth802.3_dio on 425t's; check
with rtsvc without any options. (You may rely on your router to block the
DDS protocol, but some routers do pass DDS. Do you control the router?)

You may also want to start your glbds with the '-listen dds' option (and
also '-family dds' for the first glbd), and the 'ncadg_dds' option for rpcd
(from SR10.4 only; llbd is supposed to understand '-listen dds', but I do
not think this worked).


REGISTRY SETUP

After you create a registry with /install/tools/rgy_create, you need to
change the registry properties. Use edrgy, command 'prop', to check and/or
set them. Ensure all the owners are root, not %.%.% (i.e. world); otherwise
anyone could create new entries, even new root accounts. Obviously, you also
need to change the passwords (-apollo-) on all default (required) accounts,
and maybe mark those passwords/accounts invalid as well.


REQUEST

If you can make your nodes more secure please let me know, I would love to
hear from you. On the other hand, if these scripts cause you some trouble,
just drop me a line and I will try my best to help you.


Paul Szabo - System Manager   //        School of Mathematics and Statistics
                              //   University of Sydney, NSW 2006, Australia
szabo_p@maths.su.oz.au        //        Phone (+61 2) 692-3806, FAX 692-4534
