 
README for nabou 2.0
===================================



Introduction
------------

This is the script called "nabou". Parts of it
are based on another script called "thor.pl" by
Jerry Kilpatrick <jerry@linuxscripts.com>, which
itself is based on a program called sysmon.pl which
was written by a guy named Matthew George
<emoc@vortex.misterweb.com>.

I used thor.pl on several servers, but found many bugs
and many things that could be solved much better. Since the
app record of thor.pl on freshmeat no longer exists and the
homepage of thor.pl no longer exists either (the domain still
exists, but there is a 'cking win2k site over there...), I
decided to take over maintenance of the script, give it
another name and enhance/debug it myself. The result is
nabou. If you are wondering about its name - did you ever
see Episode I? If you did, you should know ... but it's
nothing meaningful, just to have a good name ;-)

Nabou is a system integrity checker. That means it runs
every night and watches for changes to files. If a file
has changed in any way, it will inform you by email (if
you prefer that). Besides this, it can also look for
changed or added user accounts, cron jobs, suspicious
processes and suid files. And you can define your own
checks using inline scriptlets.

It stores the properties of each file in a dbm database
and will warn you if something about a file has changed.
The most important property to check is the MD5 checksum:
any change to the file content, even a single byte, yields
a different checksum. The one exception is a deliberately
constructed collision, and such collisions are known for
MD5, so a checksum alone is not proof against a skilled
attacker; check the other properties as well and see the
"use_algo" option for alternative algorithms. You can also
look for other properties, like ownership or file mode. See
the nabourc manpage for more details on that!

You can use nabou as an Intrusion Detection System or
simply as a system monitor.



Installation
------------

Installation is really simple: just unpack the tarball,
which you have already done if you are reading this file.
Copy the file "nabou" somewhere, e.g. "/root/bin", and
change its permissions. I suggest the following mode
(chmod 700):
rwx------ root  root  nabou
Nobody but root should be able to read or modify a script
that root executes every night.

You will need an additional perl module, which is available
from your local CPAN dealer. But just in case you don't know
how to find one, here is a download link:
  http://search.cpan.org/search?dist=Config-General  :-)

BTW, this module was written by me, and in fact it is based on
code in nabou, but it evolved and became larger and larger, so
I decided some day to release it separately. Read the included README
for installation instructions.

If you want to use the RSA database protection feature,
you will need the supplied Crypt::OpenSSL::RSA module (which is
bugfixed by me) and Crypt::Prime as well as MIME::Base64.
You can test whether your system fulfills the requirements by
executing the test script rsa_test.pl.


If you have an ext2 filesystem you might also protect
it using chattr: "chattr +i nabou". This makes the file
immutable: it cannot be modified, deleted or renamed, not
even by root, until the flag is removed again with
"chattr -i". Since root can remove the flag, this protects
against accidents and sloppy attackers, not against
someone who already has root.
For the paranoid: protect it with LIDS (http://www.lids.org):
lidsadm -A -o /root/bin/nabou -j READ
Or use the new RSA feature, described in more detail in the
nabou manpage.

Copy the provided sample configuration to a convenient
place, e.g. "/root/.nabourc", and edit this file (read
more on configuration later in this README).

Create a new directory where nabou can store its
databases, e.g. "/var/log/sysdb", and chmod it:
"chmod 700 sysdb". Nobody but root should be able to write
there: whoever can rewrite the database can hide his changes
from the next run. If you run nabou and the database dir
does not exist, nabou will try to create it for you.

Nabou requires the following perl module to be installed,
which is not part of the standard perl installation:
Digest::MD5. You can find it on every CPAN mirror. The
latest package can be found on:
 http://www.perl.com/CPAN/authors/id/GAAS/Digest-MD5-2.09.tar.gz
It also contains the modules Digest::SHA1 and Digest::MD2,
which you can optionally use instead of MD5. See the
description of the config option "use_algo" in the nabourc manpage.

If you want to use the database protection mode of nabou, then
you must also have the following module installed: Crypt::OpenSSL::RSA.
This module is supplied with nabou; you may use any newer version,
but older versions will not work with nabou!
This module is required for database-record encryption, which
itself is used to verify the integrity of the database
(see the description of the RSA feature in the nabou manpage).
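To make the pieces above concrete, here is an added example in Perl that is not
nabou's own code: a minimal baseline/check cycle of the kind the Introduction
describes (file properties plus a content digest stored in a dbm database), a
refusal to run unless the database directory has the 0700 mode recommended
above, and a digest choice in the spirit of "use_algo". The database layout
(one SDBM file called "files", values of the form mode:uid:gid:size:mtime:digest),
the check_db_dir policy, the sha256 option and the script name in the usage
comment are this example's own assumptions, not nabou's format.

```perl
#!/usr/bin/perl
# Added example, not nabou's own code. A minimal file-integrity baseline and
# check in the style the README describes. Database layout, check_db_dir
# policy and the "sha256" choice are assumptions of this example.
#
#   perl integrity_example.pl init  /var/log/sysdb sha256 /bin /sbin /etc
#   perl integrity_example.pl check /var/log/sysdb sha256 /bin /sbin /etc
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT);   # flags for tie()
use SDBM_File;                  # dbm module bundled with perl
use File::Find;
use Digest::MD5;
use Digest::SHA;                # bundled with perl since 5.10; offers SHA-1 and SHA-256

# Pick the digest like nabou's "use_algo" option. MD5 is kept because the
# README uses it, but collisions can be constructed for MD5 and SHA-1, so
# use sha256 where a skilled attacker is in scope.
sub make_digester {
    my $algo = shift;
    return Digest::MD5->new      if $algo eq 'md5';
    return Digest::SHA->new(1)   if $algo eq 'sha1';
    return Digest::SHA->new(256) if $algo eq 'sha256';
    die "unknown algorithm '$algo'\n";
}

# Hex digest of a file's content, or undef if it cannot be read.
sub file_digest {
    my ($path, $algo) = @_;
    open(my $fh, '<', $path) or return undef;
    binmode $fh;
    my $d = make_digester($algo);
    $d->addfile($fh);
    close $fh;
    return $d->hexdigest;
}

# One record per path: the properties whose change we want to notice.
# lstat() so that a symlink is recorded as itself, not as its target.
sub file_record {
    my ($path, $algo) = @_;
    my @st = lstat($path) or return undef;
    my ($mode, $uid, $gid, $size, $mtime) = @st[2, 4, 5, 7, 9];
    my $digest = -f _ ? (file_digest($path, $algo) // 'unreadable') : '-';
    return join(':', sprintf('%06o', $mode), $uid, $gid, $size, $mtime, $digest);
}

# Refuse to trust a database directory that other users could write to:
# whoever can rewrite the baseline can hide his changes from the next run.
sub check_db_dir {
    my $dir = shift;
    my @st = stat($dir) or die "$dir: $!\n";
    die "$dir is not a directory\n" unless -d _;
    die "$dir must be owned by the user running the check (uid $<)\n" if $st[4] != $<;
    die sprintf("%s has mode %04o, want 0700\n", $dir, $st[2] & 07777) if $st[2] & 0077;
}

# Walk the trees and return { path => record } for everything found.
sub scan {
    my ($algo, @roots) = @_;
    my %now;
    find({ no_chdir => 1,
           wanted   => sub {
               my $rec = file_record($File::Find::name, $algo);
               $now{$File::Find::name} = $rec if defined $rec;
           } },
         @roots);
    return \%now;
}

# Compare the stored records with the current ones; returns report lines.
sub compare {
    my ($db, $now) = @_;
    my @report;
    for my $path (sort keys %$now) {
        if (!exists $db->{$path}) {
            push @report, "added:   $path";
        } elsif ($db->{$path} ne $now->{$path}) {
            push @report, "changed: $path (was $db->{$path}, now $now->{$path})";
        }
    }
    for my $path (sort keys %$db) {
        push @report, "removed: $path" unless exists $now->{$path};
    }
    return @report;
}

sub main {
    my ($mode, $dbdir, $algo, @roots) = @ARGV;
    die "usage: $0 init|check DBDIR md5|sha1|sha256 DIR...\n"
        unless @roots && $mode =~ /^(init|check)$/;
    check_db_dir($dbdir);
    my %db;
    tie(%db, 'SDBM_File', "$dbdir/files", O_RDWR | O_CREAT, 0600)
        or die "cannot open database in $dbdir: $!\n";
    my $now = scan($algo, @roots);
    if ($mode eq 'init') {
        %db = %$now;                        # replace the baseline
        print scalar(keys %db), " files recorded\n";
    } else {
        my @report = compare(\%db, $now);
        print "$_\n" for @report;
        print "no changes\n" unless @report;
    }
    untie %db;
}
main();
```

Run "init" once from a known-good state and "check" from cron afterwards; a
report line appears for every added, removed or changed path, and a changed
mode, owner or content shows up even when the size and mtime were restored.
The directory check is deliberately fatal: a baseline that someone else could
have rewritten is not worth comparing against.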

That's all about installation :-)




Configuration
-------------

The configuration will be described more indepth in the
nabourc manpage.



Availability
------------

You can find the latest versions of nabou on one of the following
locations:
http://www.daemon.de/software.html
http://www.nabou.org/





Support and Feedback
--------------------

If you encounter any problems using nabou or if you have some
suggestions or bug reports, feel free to drop me an email:

Thomas Linden <tom@daemon.de>.




Finally, thanks for choosing nabou - keep the world secure!

