README for thor.pl
Author Jerry Kilpatrick (jerry@linuxscripts.com)
Title  Systems Administrator/In Command Interactive
URL    http://www.linuxscripts.com/  <--Still under construction as of 

Note:  
This program is based off of a program called sysmon.pl which was
written by a guy named Matthew George (emoc@vortex.misterweb.com)
                                                                                05/13/1999
Disclaimer:
This program is to be used only at your own risk.  It shouldn't do anything
to your computer, but I am not liable.  Now that I have that off my chest...
                                        
Installation:
Copy thor.pl to a directory, preferably one that only root can get to.  Make
it executable by root, and put it in a cronjob that runs once a day.
You'll have to edit the first part of the program to set all of the correct
paths in your variables.

Here is a rundown of the procedures that Thor goes through.

Verify Programs:
Thor depends on a few programs: md5sum (for checksums), sendmail (if you
want it to mail you the output), and crontab (for checking crontabs).
Thor also keeps db files to keep track of new things added.  It checks
to make sure those are not symbolic links (just in case they get pointed
to /etc/passwd by some nasty cracker).

Checks for Root Accounts:
Finds all users that have the uid of 0 or anything that could be mistaken
as 0 by the kernel.  Keeps track of them.
It then compares this list with its DB and displays new accounts or accounts
that have been removed.

Check Cron Jobs of Root Accounts:
With the list Thor just compiled from the passwd file, it does a crontab -l on 
each user.  It displays the cronjobs that have changed.  (This is in case some 
nasty cracker decided to put something in a cronjob that will run as root.)

Survey the SUID files:
This part of the program does a recursive search of the root directory and
tests for suid or sgid bits to be turned on.  It only remembers the files if
they are owned by a root account.  If it does find one, it crosschecks the
checksum of that program against the checksums of the shells listed in the
/etc/shells file.  (This is extra testing for "suid bash" [bash or
whatever shells are listed], which gives that user instant root access.)  This
also updates the database and displays the files that weren't originally there.
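
The survey described above, sketched in Python as an added example (this is
not code from thor.pl).  It uses SHA-256 where Thor uses md5sum; the function
names and the baseline layout {path: digest} are assumptions made for the
illustration.

```python
import hashlib
import os
import stat

def sha256_of(path):
    """Hash a file in chunks so large binaries never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shell_digests(shells_file="/etc/shells"):
    """Map digest -> shell path for every shell listed in shells_file."""
    digests = {}
    with open(shells_file) as fh:
        for line in fh:
            path = line.strip()
            # Comment and blank lines do not start with "/".
            if path.startswith("/") and os.path.isfile(path):
                digests[sha256_of(path)] = path
    return digests

def survey_suid(top, root_uids=frozenset({0}), shells_file="/etc/shells"):
    """Return {path: (digest, matching_shell_or_None)} for suid/sgid files
    owned by one of root_uids (the uid-0 accounts found earlier)."""
    shells = shell_digests(shells_file)
    found = {}
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symbolic links
                if not stat.S_ISREG(st.st_mode) or st.st_uid not in root_uids:
                    continue
                if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    digest = sha256_of(path)
                    found[path] = (digest, shells.get(digest))
            except OSError:
                continue  # vanished or unreadable file: skip it
    return found

def report(current, baseline):
    """Compare a survey with the stored baseline {path: digest}."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current
                     if p in baseline and baseline[p] != current[p][0])
    shell_copies = sorted(p for p, (_d, shell) in current.items() if shell)
    return new, changed, shell_copies
```

A file in shell_copies has the same contents as a listed shell no matter what
it has been renamed to, which is the "suid bash" case.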

Checksums of specified directories:
Alright, you choose the directories that are recursively checked for checksums.
Keep in mind that this could take up a lot of memory while it is running, so
you may want to only check the most important directories.  It defaults to
checking --> /etc /bin /sbin /usr/bin /usr/sbin /usr/local/bin
/usr/local/sbin /lib /usr/lib <--  When it finds checksums that differ from
the ones in your database, it displays them also.

This program can print to STDOUT or send mail to a specified address.  To
get it working you will most likely have to edit the variables at the
beginning of the script.  Also, the first time you run it, you need to run it
with the -r option.  This tells it that it needs to set up the databases.  It
will display everything that it finds the first time, but the output each
other time won't be that bad.  I run it on many of my machines here
and it's a pretty good program.  I can go to my other admins and say..  So you
added a user, or I see you installed "fubar" or whatever.  Let me know if you
have any problems with this.  jerry@linuxscripts.com

Another thing I'm working on is checking for files writable by the average
user.  That will be in the next release, whenever I'm able to get around to
it.  Please feel free to let me know of any pointers or ideas you might have
regarding this script.
