Provided by: tiger_3.2.4~rc1-3_amd64 
NAME
tiger - UNIX Security Checker
SYNOPSIS
tiger [-vthqGSH] [-B dir] [-l dir|@host] [-w dir] [-b dir] [-e|-E] [-c config] [-A arch]
[-O os] [-R release]
DESCRIPTION
Tiger is a package consisting of Bourne Shell scripts, C code and data files which is used
for checking for security problems on a UNIX system. It scans system configuration files,
file systems, and user configuration files for possible security problems and reports
them. The command tigexp(8) can be used to obtain explanations of the problems reported
by tiger.
You can configure tiger by adjusting the Tiger_ variables in the /etc/tiger/tigerrc
configuration file. For each available module (see MODULES below) there is a corresponding
variable in the configuration file that determines whether the module is run. All of the
variables names start with Tiger_check_ and should be set equal to Y to run, or N to skip.
Other configuration variables will modify the behaviour of some modules, and should be
adjusted based on the operating system.
The /etc/tiger/tiger.ignore configuration file defines a set of messages that will not be
presented in the report even if any of the modules generate them. If the file exists, all
the entries (line by line) are used as extended regular expressions that are compared
against each message (notice that it will introduce some overhead which grows with the
size of the file). For more information on this mechanism read the README.ignore
document.
OPTIONS
The following arguments can be used when calling the program:
-B tigerdir
Specify the directory where tiger is installed. If not specified, /usr/lib/tiger
is used.
-l logdir|@logserver
Specify the name of the directory where tiger will write the security report. This
defaults to /var/log/tiger. The filename of the report will be of the form
'security.report.hostname.date.time'. If the directory begins with a @, the name
will be interpreted as a tiger logging server. Tiger logging's server is currently
a server that listens in port (tcp) 5353 on a remote host. The tiger process will
just send the results to that server using a telnet connection.
-w workdir
Specify a directory to use for creating scratch files. This defaults to
/var/lib/tiger/work.
-b bindir
Specify the directory which contains (or will contain) the binaries generated from
the C modules. If the systems directories contain all the binaries, they will be
used directly from there. If not, then if bindir contains the binaries, these will
be used. If none are found in either place, then an attempt will be made to
compile the C code and install the executables into bindir.
-c tigerrc
Specify an alternate name for the tigerrc control file. The default is
'/etc/tiger/tigerrc'.
-e This option will cause explanations to be inserted into the security report
following each message. This can greatly increase the size of the report, as
explanations may appear repeatedly.
-E This option indicates that a separate explanation report should be created, with
explanations for each type of message only appearing once. The filename of the
explanation report will be of the form 'explain.report.hostname.date.time'.
-G Generate the signatures (MD5 hashes and file permissions) for system binary files.
-H This option will format the report into HTML creating local links to the problem
descriptions.
-S This option indicates that a surface level check of the configuration files of any
diskless clients served by this machine should be checked at the same time. The
checks will not be as in depth as they would be if run on the client itself.
-q Suppress messages to be as quiet as possible, only security messages will be shown.
-A arch
This option overrides the default value obtained for the current architecture
detected by the internal configuration engine to a value defined by the user.
-O os This option overrides the default value obtained for the current operating system
detected by the internal configuration engine to a value defined by the user.
-R release
This option overrides the default value obtained for the current operating system
release detected by the internal configuration engine to a value defined by the
user.
Notice that changing the real values for the operating system and architecture Tiger is
running in might result in scripts being run which are not appropriate to it, and, as a
consequence, unexpected (and potentially dangerous) errors might be generated. When
executed Tiger will show which operating system, release and architecture thinks it is
running in.
MODULES
Tiger is composed of a series of modules. Each of these modules check specific security
issues related to UNIX systems. The framework provided by Tiger allows the provision of
both generic modules and those specific for the operating system the software runs in.
Modules can be executed stand alone, from cron or through the tiger program (which will
execute all those available).
If you want to write additional modules for your system read the README.writemodules
document.
Tiger currently provides the following modules:
check_accounts
Checks the accounts provided in the system, looking for disabled accounts with
cron, rhosts, .forward, and valid shells.
check_aliases
Performs a check for mail aliases and improper configuration.
check_anonftp
Determines if the anonymous FTP service is properly configured.
check_cron
Validates the cron entries in the system.
check_embedded
Determines if embedded pathnames are configured properly.
check_exports
Analyses configuration files for NFS exported filesystems to see if access is
properly restricted.
check_group
Checks the UNIX groups available in the system, looking for conflicts and improper
entries.
check_inetd
Checks the inetd configuration file: compares against services definition, valid
directory paths, non-existent binaries and active services.
check_known
Looks for known intrusion signs including backdoors and mail spools.
check_netrc
Checks if users's netrc files are insecurely configured.
check_nisplus
Looks for wrong configuration in the NIS+ entries.
check_passwd
Checks the UNIX users available in the system, looking for conflicts and improper
entries.
check_path
Validates the binaries in user's PATHs as well as PATH definitions used by scripts
in order to determine insecure definitions.
check_perms
Check filepermissions and inconsistencies.
check_printcap
Analyses the configuration for the printer control file.
check_rhosts
Checks rhosts files in order to see if user's configuration leaves the system open
to attack.
check_sendmail
Checks sendmail configuration files. check_signatures Compares binary files
signatures against those stored in the local database (provided with the program).
check_system
This module calls the operating system's specific modules available at
/usr/lib/tiger/systems/.
check_apache
Checks the Apache configuration file and reports on generic issues which might
introduce exposures or vulnerabilities in the system.
check_devices
Checks for devices's permissions, warning about devices that have world
permissions.
check_exrc
Analyses .exrc files that are not in user's home directories. The vi command will
look for the existence of such a file in the current directory, and so may
inadvertently perform commands that can compromise your system's security when
starting vi or ex.
check_finddeleted
Checks if deleted files are being used by any process in the current system. This
might be an indication of intrusion (a user executing processes and then deleting
its files) or of unpatched servers (which, if not restarted use old library files
and are still vulnerable).
check_ftpusers
Analyses the system's /etc/ftpusers and determines if the administrative users are
in that file.
check_issue
Checks the /etc/issue and /etc/issue.net file to determine if they contain the
appropriate content (this is defined in the ISSUEFILE and ISSUENETFILE).
check_logfiles
Checks for the existence of log files (wtmp, btmp, lastlog and utmp). It will also
check for proper umask settings.
check_bootloader
Analyses configuration files for different bootloaders including lilo and grub
(Linux-specific).
check_listeningprocs
Checks for processes listening on TCP/IP sockets (servers) in the system as well as
users running them. Will warn if the user running a server is not an authorised one
or if the server is listening on all available interfaces.
check_passwdformat
Checks the format of the /etc/passwd file in order to determine inconsistencies
which indicate an intrusion or misconfiguration.
check_patches
Checks if patches are available for the system (i.e. new packages). It will use
autorpm or apt-get to check this (so this tools need to be properly configured).
This check is specific to Linux (RedHat or Debian).
check_root
Checks if remote root login is allowed to the local system.
check_rootdir
Checks the permissions for the root directory.
check_rootkit
Tries to find systems which have been rootkited, it does so by looking for trojaned
ls and find commands. It also includes a wrapper to run the chkrootkit program and
format the results in Tiger's message format.
check_single
Checks if the system is properly configured to disallow single-user access. This
check is specific to Linux.
check_release
Analyses the version of the operating system and determines if it is too out of
date. This check is specific to Linux (RedHat or Debian).
check_runprocs
This module will check if the processes configured in tigerrc are running currently
in the system. If any of the processes is not running, Tiger will warn the
administrator (this acts as a lightweight software watchdog)
check_services
Check which services are configured in the system (usually in /etc/services) versus
the ones that should be configured (in the provided services file)
check_tcpd
Tests for the existence of tcp-wrappers and changes in their configuration it also
determines which services are running wrapped in tcp-wrappers.
check_umask
Check for umask setting in configuration files.
check_xinetd
Checks which xinetd services are enabled or disabled.
crack_run
Runs a local installation of the Crack program which can be used to determine if
local user passwords are easy (or not) to guess.
tripwire_run aide_run integrit_run
Wrappers for a number of integrity checkers, these programs enhance the support of
Tiger for MD5 and SHA-1 binary signatures and file system permission checks
(implemented with the the check_perms and check_signatures scripts). You should
consider installing any of these three programs (Tripwire, Aide or Integrit) and
use read-only locations (such as CD-ROM) to store the hashes of the system.
deb_checkmd5sums
Compares the MD5 sums of binary files against those provided after installation.
Changes in these files might be an indication of a compromised system (Debian-
specific).
deb_nopackfiles
Looks for files installed in the system's directories that are not provided by any
installed Debian packages (Debian-specific).
FILES
/etc/tiger/tigerrc
Configuration file for the Tiger tool.
/etc/tiger/cronrc
Configuration file for the Tigercron tool.
/var/log/tiger
Location of the log messages generated by Tiger when run through cron.
/var/lib/tiger/work
Working directory used by Tiger scripts to create temporary files.
/etc/tiger/tiger.ignore
Configuration file that defines which messages generated by modules will be ignored
by Tiger and will not be presented in the final report.
SEE ALSO
tigexp(8)
There are also a number of README files that describe in detail the behaviour of Tiger and
how it can be used to setup a host-based intrusion detection system. These can be found in
the top directory of the sources or in /usr/lib/tiger once it is installed (in Debian the
location of the full documentation set is /usr/share/doc/tiger/)
BUGS
There are a lot more things to check.
Some places in the package are not shell meta-character or white-space safe.
You can report or read known bugs at the http://savannah.nongnu.org/projects/tiger
webpage.
For Debian-specific (known) bugs read the /usr/share/doc/tiger/README.Debian document or
the http://bugs.debian.org/tiger webpage.
AUTHOR
Tiger was originally developed by a team of the Texas A&M University Supercomputer Center,
as of September 1993, the development done via the Network Group, Computing & Information
Services.
This software was written originally by Douglas Lee Schales, Dave K. Hess, Khalid
Warraich, and Dave R. Safford (circa 1993).
A lot of changes were introduced by the ARSC team (a.k.a. the TARA team) Liam Forbes
<lforbes at arsc.edu>, Nathan Bills <bills AT arsc.edu> and Mike Kienenberger <mkienenb at
arsc.edu>, including support for quite a number of operating systems.
Current upstream maintenance of Tiger is being done by Javier Fernandez-Sanguino Peña and
coordinated at http://savannah.nongnu.org/projects/tiger.
The adaptation for the GNU/Linux operating system was made by Robert L. Ziegler <rlz at
mediaone.net>
The modifications for the Debian GNU/Linux operating system have been made by Javier
Fernandez-Sanguino Peña <jfs at computer.org>, including a number of checks for the
GNU/Linux operating systems (check_listeningprocs) and some specific for Debian
(deb_checkadvisories, deb_checkmd5sums and deb_nopackfiles).