
Copyright (c) 1990 Marco Negri & siLAB Staff

Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation, and that the name of the authors not be used in advertising
or publicity pertaining to distribution of the software without specific,
written prior permission of the authors.
The authors makes no representations about the
suitability of this software for any purpose.  It is provided "as is"
without express or implied warranty.

Please send any improvements, bug fixes, useful modifications, and comments
to security@ghost.unimi.it

	INSTALLATION OUTLINES:

Check the pathnames in config.h, alertconfig.h and Makefile.
Check also the install entry in the Makefile, and the INSTALL line too.
Run "make install". This creates the executable files and installs them.

Pwdchk:	Usually started by /etc/rc, optionally with "-p" to specify
	polling interval, in seconds (Default: 1 hour = 3600 seconds).
	Example = /etc/rc: /usr/local/bin/pwdchk
	Other useful options:
		-u <uid> Change minimal uid to test (Default: 170).
		-m	 (Re)Make data base.

Suchk:	NOTICE: As far as we can know, BSD systems does not have
		the /usr/adm/sulog file. Since suchk **needs** this file,
		this program is useless on BSD. Edit Makefile
		and comment out the EXECS line with suchk, uncommenting
		the other EXECS line.
	Usually started by /etc/rc, optionally with "-p" to specify
	polling interval, in seconds (Default: 1 minute = 60 seconds).
	With "-l" an alternate sulog file can be specified
	(Default: /usr/adm/sulog).
	Example = /etc/rc: /usr/local/bin/suchk
	Option "-u" specifies the minimal uid to test (Default: 170).


Logchk:	Edit logconf to meet your local requirements.
	Usually started by /etc/rc, optionally with "-p" to specify
	polling interval, in seconds (Default: 1 minute = 60 seconds) and/or
	"-l" option to specify an alternate wtmp file (Default: /etc/wtmp).
	Notice that the configuration file must be specified.
	Example = /etc/rc: /usr/local/bin/logchk /usr/etc/security/logconf

Scheck:
	There are two ways to operate:
		a) Check s-bit set files only.
		b) Check any file you want.
	[a] Start scheck with "-m" option. This will build the data base
	    of files with the s-bit set (Default: "/usr/etc/security/s_perm").
	    Edit the db file carefully, checking *all* the file listed,
	    deleting the files you don't care (notice that scheck
	    will later change the permissions of the files deleted).
	
	[b] This is what we suggest you use :
	    % find -perm -04000 \( -perm -00010 -o -perm -00001 \) -print > file
	    Then check carefully all the files listed in "file" (see also [a]
	    above). Then think to the other files you want to check
	    (like daemons, init, shells, etc.) and make sure that they
	    are wat you think. Add this other files (absolute pathname)
	    to the end of "file", then run:
		% cat "file" | scheck -n -m
	    This will create the db file of the files specified on stdin.

	Then, add a crontab entry like this:
00 22 * * 1-5		exec /usr/local/bin/scheck -f /usr/etc/security/s_perm

	Other useful options:
		-f <filename>	Alternate db file
				(Default: /usr/etc/security/s_perm).
		-u <uid>	Change minimal uid to test (Default: 170).
		-g <gid>	Change minimal gid to test (Default: 170).
		-U <file>	Update db with <file> (Notice: <file> *must*
				be absolute pathname).

Getfinger:
	This program polls on the inetd.log file, or another with the
	same format, and whenever it sees that a connection is
	requested from a remote machine, it does a finger on that
	remote host. So it is possible to see who was logged on on
	the remote host when a connection was requested from there.
	Obviously it works only with those hosts which supports the
	fingerd daemon.
	It is usually started from /etc/rc:

	/usr/local/bin/getfinger nntpd >> /usr/etc/inetd.finger 2>&1

	As arguments can be specified daemons we want to ignore,
	nntpd in the example above.

Last, create an alert.list file including the name of the people you want
alerted (Default: /usr/etc/security/alert.list). See alert.list as example.
Create also a logconf file, specifying the users allowed to login,
on specified terminals and/or from specified machines (no default; you
must specify the logconf file on the command line - see logchk example above).
An example is given in logconf.
