 
README for nabou 2.0
===================================



Introduction
------------

This is the script called "nabou". Parts of it
are based on another script called "thor.pl" by
Jerry Kilpatrick <jerry@linuxscripts.com>, which
itself is based on a program called sysmon.pl which
was written by a guy named Matthew George
<emoc@vortex.misterweb.com>.

I used thor.pl on several servers but ran into
many bugs and found many things that could be
solved much better. Since the app record of thor.pl
on freshmeat no longer exists and the homepage of
thor.pl is also gone (the domain still exists,
but there is a 'cking win2k site over there...), I
decided to take over maintenance of the script,
give it another name and enhance/debug it myself.
The result is nabou. If you are wondering about its
name - did you ever see Episode I? If you did, you
should know ... but it's nothing meaningful, just to
have a good name ;-)

Nabou is a system integrity checker. That means it
runs every night and watches for changes to files.
If a file has changed in any way, it will inform you
by email (if you prefer that). Besides this it can
also look for changed or added user accounts, cronjobs,
weird processes and suid files. And you can define your
own checks using inline scriptlets.

It stores the properties for each file in a dbm database
and will warn you if something has changed on a
file. The most important thing to check for is the
MD5 checksum. This checksum will not be the same if
the file content has changed, even if only one letter
has changed. But you can also look for some other
properties, like ownership or file mode. See the
nabourc manpage for more details on that!

You can use nabou as an Intrusion Detection System or
simply as a system monitor.
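As an added illustration of the mechanism just described (this is not
nabou's own code, which is Perl): a small Python sketch that records MD5,
owner and mode per file as a baseline and, on a later run, reports what
was changed, added or removed. The file name and contents are constructed.

```python
import hashlib
import os
import stat
import tempfile

# Per-file record like nabou's dbm entries: MD5 plus ownership and mode bits.
def snapshot(path):
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.md5(f.read()).hexdigest()
    return {"md5": digest, "uid": st.st_uid, "gid": st.st_gid,
            "mode": oct(stat.S_IMODE(st.st_mode))}

def build_baseline(paths):
    """First run: record every configured file that exists."""
    return {p: snapshot(p) for p in paths if os.path.exists(p)}

def check(baseline, paths):
    """Later run: return report lines for removed, added and changed files."""
    report = []
    for p in sorted(paths):
        if not os.path.exists(p):
            if p in baseline:
                report.append(f"REMOVED {p}")
        elif p not in baseline:
            report.append(f"ADDED {p}")
        else:
            now = snapshot(p)
            for key, old in baseline[p].items():
                if now[key] != old:
                    report.append(f"CHANGED {p} {key}: {old} -> {now[key]}")
    return report

def demo():
    """Constructed run in a temp dir: baseline one file, then tamper with it."""
    path = os.path.join(tempfile.mkdtemp(), "sample.conf")
    with open(path, "w") as f:
        f.write("PermitRootLogin no\n")
    os.chmod(path, 0o644)
    baseline = build_baseline([path])
    quiet = check(baseline, [path])       # nothing changed yet -> []
    with open(path, "a") as f:
        f.write("\n")                     # a single byte alters the MD5
    os.chmod(path, 0o600)                 # filemode change is reported too
    noisy = check(baseline, [path])
    os.remove(path)                       # now the file is missing
    return quiet, noisy, check(baseline, [path])

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The baseline dict stands in for the dbm database; a real run would persist it
and mail the report lines instead of printing them.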



Installation
------------

You will need to install some additional perl modules
depending on how you want to use nabou. Refer to the file
README.modules for details on which modules you need.

Installation is really simple: just unpack the tarball,
which you have already done if you are reading this file.
Copy the file "nabou" somewhere, e.g. "/root/bin",
and change its permissions. I suggest the following mode:
rwx------ root  root  nabou.

If you have an ext2 filesystem you might also protect
it using chattr: "chattr +i nabou"; this makes it
immutable (read-only).
For the paranoid: protect it with LIDS (http://www.lids.org):
lidsadm -A -o /root/bin/nabou -j READ
Or use the new RSA feature described in more detail in the
nabou manpage.

Copy the provided sample configuration "nabourc" to a convenient
place, e.g. "/root/.nabourc", and edit this file (read
more on configuration later in this README).

If you are using Linux, you might want to try the config
file "linuxrc" instead. It is a nearly complete configuration
which reflects most aspects of a Linux system.

Create a new directory where nabou can store its
databases, e.g. "/var/log/sysdb", and chmod it:
"chmod 700 sysdb". If you run nabou and the database directory
does not exist, nabou will try to create it for you.

Edit the config file.

That's all about installation :-)




Configuration
-------------

The configuration will be described more in-depth in the
nabourc manpage.



Availability
------------

You can find the latest versions of nabou at one of the following
locations:
http://www.daemon.de/software.html
http://www.nabou.org/





Support and Feedback
--------------------

If you encounter any problems using nabou or if you have some
suggestions or bug reports, feel free to drop me an email:

Thomas Linden <tom@daemon.de>.




Finally, thanks for choosing nabou - keep the world secure!

