$Id: INSTALL,v 1.4 1998/06/20 00:15:39 iarce Exp $
==============================================================================
                         Secure Syslog package
                             INSTALL file

                 (C)1998 Core-SDI. Buenos Aires, Argentina.
==============================================================================

  This file describes how to compile and install secure syslog, both the
auditor and the server.


         ------- WARNING: THIS IS A PRE-RELEASE VERSION ---------

  Although this system has been tested for a while on several platforms,
it is still considered to be in a beta stage. If you are seriously considering
using it in an exposed environment, wait for a release version.


  Ssyslog has been tested on the following platforms:

       - OpenBSD 2.1, 2.2 and 2.3
       - Linux Slackware 2.0.32
       - SunOS 4.1.4
       - Solaris 2.5.1
       - FreeBSD 2.2.5


  One server ('ssyslogd') should be built for each different platform you are
using, and one client ('audlog') on the auditor platform. The current
version does not support more than one auditing host.
Please refer to section 5. "Platform specific notes" for information
on how to run ssyslogd on the different platforms.

1. Compiling
============
 
1.a. Getting the latest version

  The latest version of the secure syslog package will always be available
at http://www.core-sdi.com/ssyslog. You may want to check for a new
release before installing.
  The distribution file should look like 'ssyslog-X.XX.tar.gz', where
X.XX stands for the version number (e.g. 'ssyslog-0.99.tar.gz'). You will
also need the GNU gunzip command in order to decompress it.


1.b. Extracting the sources 
  
  Change directory to a directory you have write permissions on and type:

		gunzip ssyslog-X.XX.tar.gz
		tar xvf ssyslog-X.XX.tar

  The words ssyslog-X.XX.tar.gz and ssyslog-X.XX.tar should be replaced
with full pathnames.


1.c. Configuring 

  Select the Makefile.* that best matches your platform using the following
list:

		OpenBSD 2.x		Makefile.bsd
		FreeBSD 2.x		Makefile.bsd
		Linux 2.0.x		Makefile.linux
		SunOs 4.1.4		Makefile.sunos
		Solaris 2.x		Makefile.solaris

  Then execute:
		cp Makefile.platform Makefile

  (Replace Makefile.platform with the file you selected)

  This package has been compiled with GNU gcc 2.7.2.1 and GNU gcc 2.7.0.
If you are using the native compiler or another gcc version you will have
to work around some compile errors.

  If you are compiling on a new OS you may want to start a new
configuration file.  


1.d. Compiling

  If you are compiling both the auditor client and the server, execute:
		make clean
		make all

  ... compiling only the server:
		make clean
		make ssyslogd

  ... compiling only the client auditor:
		make clean
		make audlog


  If you successfully compile on a new platform not listed above,
please contact the developers so that the changes can be included in the
official distribution.

	
2. Installing the auditor
=========================


2.a. Installing files and directories 
 
  Login as root, edit /etc/group and add a group named 'audlog'.

  Then execute:
  ./install.audlog


2.b. Creating randpool

  Execute:
	audlog

  Type some random characters to initialize the random pool, then press Enter.


2.c. Adding hosts to the auditor

  For each host you will remotely audit execute the following line:

	audlog -n <hostname>


3. Installing Servers
======================

  For each server, run the following steps.


3.a. Installing files and directories.

		 
  Login as root and execute this script:
	./install.ssyslog


3.b. Installing the auditor key

  Transfer the file named /audit/<hostname>/.key from the auditor
machine, through a secure channel, to /var/ssyslog/.key on the server
machine. Install it with owner root and permission 600.
  Don't use ftp or rcp, since the data travels in plaintext through the
network; use a diskette, scp or well-trained Tanenbaum's dogs instead.


3.c. Creating randpool

  Execute:
	ssyslogd -d

  Type some random characters to initialize the random pool, then press
Enter and Ctrl-C.


3.d. Adding to rc
  
  Edit /etc/rc files and replace syslogd with ssyslogd from
/usr/local/etc.


3.e. Configuring facilities

  Edit /etc/syslog.conf and add the protocol entries just before the
file names. Refer to syslog.conf(5) for more details.

Example:
	daemon.info	[peo]	/var/log/daemon
	ftp.info	[none]	/var/log/message

  If you are running on SunOS, you will need to replace all the ifdef
statements with the standard notation accepted by ssyslogd.
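As an added helper (not part of the ssyslog distribution), the script below lists the entries of a syslog.conf that still lack the bracketed protocol field ssyslogd expects between the selector and the file name, so you can see which lines remain to be edited before starting the server. It assumes the layout shown in the example above: whitespace-separated fields, a lowercase protocol name in square brackets, and a file action beginning with '/'; the sample configuration it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report syslog.conf lines that name a log file but carry
# no [proto] field (e.g. [peo] or [none]) before the file name.
# Comments, blank lines and non-file actions ("*", "@host") are ignored.

# Print every line of the file $1 whose action is a file path but whose
# second field is not a bracketed protocol name.
untagged_entries() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        NF >= 2 && $NF ~ /^\// {                # action is a file path
            if ($2 !~ /^\[[a-z]+\]$/) print     # no [proto] field present
        }
    ' "$1"
}

# Number of such lines; zero means every file entry has been tagged.
count_untagged() {
    untagged_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample configuration (assumption: tab-separated fields).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample syslog.conf for ssyslogd
daemon.info	[peo]	/var/log/daemon
ftp.info	[none]	/var/log/message
auth.*	/var/log/authlog
*.emerg	*
kern.*	@loghost
EOF

# Only the auth.* line is reported: it writes to a file but has no tag.
untagged_entries "$SAMPLE"
```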


4. TESTS
=========

Now try some audlog commands on the auditor:

	audlog -c <hostname>

The first time you run 'audlog -c' for a specific host, it will transfer all
of the configuration files and the complete log files.


5. PLATFORM SPECIFIC NOTES
===========================

5.a. Linux

  Under Linux you still need to run klogd to log kernel messages.

5.b. FreeBSD

  For FreeBSD you need Makefile.bsd: comment out the line beginning
  with OSFLAGS for OpenBSD and uncomment the FreeBSD flags.

5.c. Solaris

  Solaris up to 2.5.1 doesn't have a native snprintf(), so we
  provide our own in compat.c. However, 2.6 does have snprintf(3),
  so you'll need to comment out the OSFLAGS line that applies to
  2.5.1 and uncomment the one for Solaris 2.6.
