TIGERCRON(8)                Administrator Commands                TIGERCRON(8)

NAME

       tigercron - Cron utility for Tiger UNIX Security Checker

SYNOPSIS

       tigercron [controlfile] [-B basedir] [tigeroptions...]

DESCRIPTION

       Tigercron is used to periodically run checks from the Tiger UNIX
       Security Checker. Tigercron reads a control file which is usually
       located in '/etc/tiger/cronrc', although it can also be specified as
       the first argument when calling the program. The format of this
       control file is the same as for the cron program: each line indicates
       when different checks from Tiger will be run. The user can indicate
       where Tiger is installed through the -B basedir parameter; any other
       additional options provided on the command line will be passed on to
       configure to configure Tiger based on them (as described in tiger(8)).

       Tigercron runs the specified checks and compares their reports with
       previously stored reports (under /var/log/tiger). It will then mail
       the results to the user defined in '/etc/tiger/tigerrc'
       (Tiger_Mail_RCPT).

       When a module is run, tigercron checks:

       ·   If Tiger_Cron_Template is set to Y in tigerrc. If it is, it checks
           if there is a template stating the expected results.

       ·   If Tiger_Cron_CheckPrev is set to Y in tigerrc. If it is, it checks
           if there is a previous run of the module it can check against.

       A differential report is generated depending on the module reports and
       previous run and is sent through e-mail. These reports provide an easy
       way to detect intrusions even if no configuration of templates has been
       done. In the event of an intrusion, a Tiger check might detect
       something specific (file changes, new processes, new users, etc.), and
       this alert mechanism provides a way to turn Tiger into a Host Intrusion
       Detection System (HIDS).

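       The comparison described above can be sketched as follows. This is an
       added example, not code from Tiger or tigercron: the function names,
       file arguments, return codes and sample report lines are assumptions,
       and it assumes each enabled check is applied independently whenever
       its baseline file exists.

```shell
#!/bin/sh
# Illustration only, not tigercron's code; names and sample data are constructed.

# compare_to LABEL BASELINE CURRENT: print lines added to (+) or missing from
# (-) CURRENT relative to BASELINE. Returns 0 if identical sets, 1 if not.
compare_to() {
    ct_tmp=$(mktemp -d) || return 2
    LC_ALL=C sort -u "$2" > "$ct_tmp/base"
    LC_ALL=C sort -u "$3" > "$ct_tmp/cur"
    ct_added=$(LC_ALL=C comm -13 "$ct_tmp/base" "$ct_tmp/cur")
    ct_gone=$(LC_ALL=C comm -23 "$ct_tmp/base" "$ct_tmp/cur")
    rm -rf "$ct_tmp"
    if [ -z "$ct_added$ct_gone" ]; then return 0; fi
    echo "# Changes against $1"
    if [ -n "$ct_added" ]; then printf '%s\n' "$ct_added" | sed 's/^/+ /'; fi
    if [ -n "$ct_gone" ]; then printf '%s\n' "$ct_gone" | sed 's/^/- /'; fi
    return 1
}

# differential_report CURRENT TEMPLATE PREVIOUS
# Honours Tiger_Cron_Template and Tiger_Cron_CheckPrev (Y enables a check).
# Assumption: each enabled check is applied on its own if its file exists.
# Returns 0 = matches every baseline used, 1 = deviation, 2 = no baseline.
differential_report() {
    dr_rc=2
    if [ "$Tiger_Cron_Template" = "Y" ] && [ -f "$2" ]; then
        if compare_to "template" "$2" "$1"; then dr_rc=0; else dr_rc=1; fi
    fi
    if [ "$Tiger_Cron_CheckPrev" = "Y" ] && [ -f "$3" ]; then
        if ! compare_to "previous run" "$3" "$1"; then dr_rc=1
        elif [ "$dr_rc" -eq 2 ]; then dr_rc=0; fi
    fi
    if [ "$dr_rc" -eq 2 ]; then echo "# No baseline, full report:"; cat "$1"; fi
    return "$dr_rc"
}

# Constructed sample: the previous run listed two listeners, now a third appears.
demo() {
    demo_dir=$(mktemp -d) || return 2
    printf '%s\n' 'listener sshd tcp/22' 'listener cupsd tcp/631' > "$demo_dir/prev"
    printf '%s\n' 'listener sshd tcp/22' 'listener cupsd tcp/631' \
        'listener unknown tcp/31337' > "$demo_dir/cur"
    Tiger_Cron_Template=Y; Tiger_Cron_CheckPrev=Y   # template enabled but absent
    differential_report "$demo_dir/cur" "$demo_dir/template" "$demo_dir/prev"
    demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}
demo || echo "(status $?: 1 means a deviation was reported)"
```
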
       Its ability to work as a proper HIDS depends on a good customization
       of the cronrc file. Modules that check events to which the host is
       most exposed should be run often in order to detect deviations from
       normal behaviour.

OPTIONS

       Tigercron uses the same options as Tiger. A controlfile can also be
       defined to override the default.

FILES

       /etc/tiger/tigerrc
              Configuration file for the Tiger tool.

       /etc/tiger/cronrc
              Configuration file for the Tigercron tool.

       /var/log/tiger
              Location of the log messages generated by Tiger when run through
              cron.

       /var/run/tiger/work
              Working directory used by Tiger scripts to create temporary
              files.

SEE ALSO

       tigexp(8), tiger(8), cron(8), crontab(5)

       The deficiencies of using tigercron as a HIDS are described in the file
       README.hostids, which is provided with the package. In Debian GNU/Linux
       you will find this (and other related) documentation at
       /usr/share/doc/tiger/

BUGS

       Currently Tigercron has only one alert mechanism (mail) and signatures
       are not supported. Thus, alerts could be faked. Also, it is dependent
       on cron and will not work if cron is not working.

AUTHOR

       This manpage was written by Javier Fernandez-Sanguino.

Security                       19 September 2003                  TIGERCRON(8)