Tiger is a package consisting of Bourne Shell scripts, C code and data files which is used for checking for security problems on a UNIX system. It scans system configuration files, file systems, and user configuration files for possible security problems and reports them. The command tigexp can be used to obtain explanations of the problems reported by tiger.
Tiger is composed of a series of modules. Each of these modules check specific security issues related to UNIX systems. The framework provided by Tiger allows the provision of both generic modules and those specific for the operating system the software runs in. Modules can be executed stand alone, from cron or through the tiger program (which will execute all those available). If you want to write additional modules for your system read the README.writemodules document. Tiger currently provides the following modules:
Checks the accounts provided in the system, looking for disabled accounts with cron, rhosts, .forward, and valid shells.
Performs a check for mail aliases and improper configuration.
Determines if the anonymous FTP service is properly configured.
Validates the cron entries in the system.
Determines if embedded pathnames are configured properly.
Analyses configuration files for NFS exported filesystems to see if access is properly restricted.
Checks the UNIX groups available in the system, looking for conflicts and improper entries.
Checks the inetd configuration file: compares against services definition, valid directory paths, non-existent binaries and active services.
Looks for known intrusion signs including backdoors and mail spools.
Checks if users’s netrc files are insecurely configured.
Looks for wrong configuration in the NIS+ entries.
Checks the UNIX users available in the system, looking for conflicts and improper entries.
Validates the binaries in user’s PATHs as well as PATH definitions used by scripts in order to determine insecure definitions.
Check filepermissions and inconsistencies.
Analyses the configuration for the printer control file.
Checks rhosts files in order to see if user’s configuration leaves the system open to attack.
Checks sendmail configuration files. check_signatures Compares binary files signatures against those stored in the local database (provided with the program).
This module calls the operating system’s specific modules available at /usr/lib/tiger/systems/.
Checks the Apache configuration file and reports on generic issues which might introduce exposures or vulnerabilities in the system.
Checks for devices’s permissions, warning about devices that have world permissions.
Analyses .exrc files that are not in user’s home directories. The vi command will look for the existence of such a file in the current directory, and so may inadvertently perform commands that can compromise your system’s security when starting vi or ex.
Checks if deleted files are being used by any process in the current system. This might be an indication of intrusion (a user executing processes and then deleting its files) or of unpatched servers (which, if not restarted use old library files and are still vulnerable).
Analyses the system’s /etc/ftpusers and determines if the administrative users are in that file.
Checks the /etc/issue and /etc/issue.net file to determine if they contain the appropriate content (this is defined in the ISSUEFILE and ISSUENETFILE).
Checks for the existence of log files (wtmp, btmp, lastlog and utmp). It will also check for proper umask settings.
Analyses configuration files for lilo and grub boot loaders (Linux-specific).
Checks for processes listening on TCP/IP sockets (servers) in the system as well as users running them. Will warn if the user running a server is not an authorised one or if the server is listening on all available interfaces.
Checks the format of the /etc/passwd file in order to determine inconsistencies which indicate an intrusion or misconfiguration.
Checks if patches are available for the system (i.e. new packages). It will use autorpm or apt-get to check this (so this tools need to be properly configured). This check is specific to Linux (RedHat or Debian).
Checks if remote root login is allowed to the local system.
Checks the permissions for the root directory.
Tries to find systems which have been rootkited, it does so by looking for trojaned ls and find commands. It also includes a wrapper to run the chkrootkit program and format the results in Tiger’s message format.
Checks if the system is properly configured to disallow single-user access. This check is specific to Linux.
Analyses the version of the operating system and determines if it is too out of date. This check is specific to Linux (RedHat or Debian).
This module will check if the processes configured in tigerrc are running currently in the system. If any of the processes is not running, Tiger will warn the administrator (this acts as a lightweight software watchdog)
Check which services are configured in the system (usually in /etc/services) versus the ones that should be configured (in the provided services file)
Tests for the existence of tcp-wrappers and changes in their configuration it also determines which services are running wrapped in tcp-wrappers.
Check for umask setting in configuration files.
Checks which xinetd services are enabled or disabled.
Runs a local installation of the Crack program which can be used to determine if local user passwords are easy (or not) to guess.
tripwire_run aide_run integrit_run
Wrappers for a number of integrity checkers, these programs enhance the support of Tiger for MD5 and SHA-1 binary signatures and file system permission checks (implemented with the the check_perms and check_signatures scripts). You should consider installing any of these three programs (Tripwire, Aide or Integrit) and use read-only locations (such as CD-ROM) to store the hashes of the system.
This module checks against a list of stored Debian Security Advisories in order to see if the system has any package installed whose version might be subject to any security vulnerability (Debian-specific).
Compares the MD5 sums of binary files against those provided after installation. Changes in these files might be an indication of a compromised system (Debian-specific).
Looks for files installed in the system’s directories that are not provided by any installed Debian packages (Debian-specific).
Tiger Website: http://www.nongnu.org/tiger/
Tiger Readme: http://cvs.savannah.gnu.org/viewvc/*checkout*/tiger/tiger/README?content-type=text%2Fplain&revision=HEAD
Tiger man: http://www.penguin-soft.com/penguin/man/8/tiger.html