TIGER(8)                  Administrator Commands                  TIGER(8)

tiger - UNIX Security Checker

tiger [-vthqGSH] [-B dir] [-l dir|@host] [-w dir] [-b dir] [-e|-E]
      [-c config] [-A arch] [-O os] [-R release]

Tiger is a package consisting of Bourne Shell scripts, C code and data
files which is used for checking for security problems on a UNIX system.
It scans system configuration files, file systems, and user
configuration files for possible security problems and reports them. The
command tigexp(8) can be used to obtain explanations of the problems
reported by tiger.

You can configure tiger by adjusting the Tiger_ variables in the
/etc/tiger/tigerrc configuration file. For each available module (see
MODULES below) there is a corresponding variable in the configuration
file that determines whether the module is run. All of the variable
names start with Tiger_check_ and should be set equal to Y to run, or N
to skip. Other configuration variables will modify the behaviour of
some modules, and should be adjusted based on the operating system.

The /etc/tiger/tiger.ignore configuration file defines a set of messages
that will not be presented in the report even if any of the modules
generate them. If the file exists, all the entries (line by line) are
used as extended regular expressions that are compared against each
message (note that this introduces some overhead, which grows with the
size of the file). For more information on this mechanism read the
README.ignore document.
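
The filtering described above can be reproduced on a saved report to review what an ignore list hides. This is an added example, not code from Tiger; it assumes each entry is matched against the whole message line, and the sample messages and message IDs are constructed.

```shell
#!/bin/sh
# Added example, not Tiger's code. Sample data is constructed; message IDs are made up.

# make_sample DIR: write a constructed report and ignore file into DIR.
make_sample() {
    cat > "$1/report" <<'EOF'
--WARN-- [demo001w] Login ID games is disabled but has a valid shell
--WARN-- [demo001w] Login ID backup is disabled but has a valid shell
--FAIL-- [demo002f] Remote root login is allowed
--WARN-- [demo003w] Server running as root listens on all interfaces
EOF
    cat > "$1/ignore" <<'EOF'
^--WARN-- \[demo001w\] Login ID games is

root
EOF
}

# apply_ignore REPORT IGNORE: print the messages that survive the ignore list.
apply_ignore() {
    pats=$(mktemp) || return 1
    # An empty ERE matches every line, so blank lines must not reach grep -f.
    grep -v '^$' "$2" > "$pats" || true
    if [ -s "$pats" ]; then
        grep -E -v -f "$pats" "$1" || true
    else
        cat "$1"
    fi
    rm -f "$pats"
}

# ignore_hits REPORT IGNORE: print "count<TAB>pattern" for every entry, so
# entries that hide several messages (or none at all) stand out in review.
ignore_hits() {
    while IFS= read -r pat || [ -n "$pat" ]; do
        [ -n "$pat" ] || continue
        # -e keeps patterns that begin with "--WARN--" from being read as options.
        n=$(grep -E -c -e "$pat" "$1" || true)
        printf '%s\t%s\n' "$n" "$pat"
    done < "$2"
}

demo=$(mktemp -d)
make_sample "$demo"
apply_ignore "$demo/report" "$demo/ignore"
ignore_hits "$demo/report" "$demo/ignore"
rm -rf "$demo"
```

In the sample, the unanchored entry `root` hides two messages, including a --FAIL-- one, while the anchored entry hides exactly the message it was written for.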

The following arguments can be used when calling the program:

-B tigerdir
    Specify the directory where tiger is installed. If not specified,
    /usr/lib64/tiger is used.

-l logdir|@logserver
    Specify the name of the directory where tiger will write the
    security report. This defaults to /var/log/tiger. The filename of
    the report will be of the form 'security.report.hostname.date.time'.
    If the directory begins with a @, the name will be interpreted as a
    tiger logging server. The Tiger logging server is currently a server
    that listens on TCP port 5353 on a remote host. The tiger process
    will just send the results to that server using a telnet connection.

-w workdir
    Specify a directory to use for creating scratch files. This defaults
    to /var/run/tiger/work.

-b bindir
    Specify the directory which contains (or will contain) the binaries
    generated from the C modules. If the system directories contain all
    the binaries, they will be used directly from there. If not, then if
    bindir contains the binaries, these will be used. If none are found
    in either place, then an attempt will be made to compile the C code
    and install the executables into bindir.

-c tigerrc
    Specify an alternate name for the tigerrc control file. The default
    is '/etc/tiger/tigerrc'.

-e  This option will cause explanations to be inserted into the security
    report following each message. This can greatly increase the size of
    the report, as explanations may appear repeatedly.

-E  This option indicates that a separate explanation report should be
    created, with explanations for each type of message only appearing
    once. The filename of the explanation report will be of the form
    'explain.report.hostname.date.time'.

-G  Generate the signatures (MD5 hashes and file permissions) for system
    binary files.

-H  This option will format the report into HTML, creating local links
    to the problem descriptions.

-S  This option indicates that a surface level check of the
    configuration files of any diskless clients served by this machine
    should be performed at the same time. The checks will not be as in
    depth as they would be if run on the client itself.

-q  Suppress messages to be as quiet as possible; only security messages
    will be shown.

-A arch
    This option overrides the default value obtained for the current
    architecture detected by the internal configuration engine to a
    value defined by the user.

-O os
    This option overrides the default value obtained for the current
    operating system detected by the internal configuration engine to a
    value defined by the user.

-R release
    This option overrides the default value obtained for the current
    operating system release detected by the internal configuration
    engine to a value defined by the user.

Notice that changing the real values for the operating system and
architecture Tiger is running on might result in scripts being run which
are not appropriate for it and, as a consequence, unexpected (and
potentially dangerous) errors might be generated. When executed, Tiger
will show which operating system, release and architecture it thinks it
is running on.

Tiger is composed of a series of modules. Each of these modules checks
specific security issues related to UNIX systems. The framework provided
by Tiger allows the provision of both generic modules and those specific
to the operating system the software runs on. Modules can be executed
stand-alone, from cron or through the tiger program (which will execute
all those available).

If you want to write additional modules for your system read the
README.writemodules document.

Tiger currently provides the following modules:

check_accounts
    Checks the accounts provided in the system, looking for disabled
    accounts with cron, rhosts, .forward, and valid shells.

check_aliases
    Performs a check for mail aliases and improper configuration.

check_anonftp
    Determines if the anonymous FTP service is properly configured.

check_cron
    Validates the cron entries in the system.

check_embedded
    Determines if embedded pathnames are configured properly.

check_exports
    Analyses configuration files for NFS exported filesystems to see if
    access is properly restricted.

check_group
    Checks the UNIX groups available in the system, looking for
    conflicts and improper entries.

check_inetd
    Checks the inetd configuration file: compares against services
    definition, valid directory paths, non-existent binaries and active
    services.

check_known
    Looks for known intrusion signs including backdoors and mail spools.

check_netrc
    Checks if users' netrc files are insecurely configured.

check_nisplus
    Looks for wrong configuration in the NIS+ entries.

check_passwd
    Checks the UNIX users available in the system, looking for conflicts
    and improper entries.

check_path
    Validates the binaries in users' PATHs as well as PATH definitions
    used by scripts in order to determine insecure definitions.

check_perms
    Checks file permissions and inconsistencies.

check_printcap
    Analyses the configuration for the printer control file.

check_rhosts
    Checks rhosts files in order to see if user's configuration leaves
    the system open to attack.

check_sendmail
    Checks sendmail configuration files.

check_signatures
    Compares binary file signatures against those stored in the local
    database (provided with the program).

check_system
    This module calls the operating system's specific modules available
    at /usr/lib/tiger/systems/.

check_apache
    Checks the Apache configuration file and reports on generic issues
    which might introduce exposures or vulnerabilities in the system.

check_devices
    Checks device permissions, warning about devices that have world
    permissions.

check_exrc
    Analyses .exrc files that are not in users' home directories. The vi
    command will look for the existence of such a file in the current
    directory, and so may inadvertently perform commands that can
    compromise your system's security when starting vi or ex.

check_finddeleted
    Checks if deleted files are being used by any process in the current
    system. This might be an indication of intrusion (a user executing
    processes and then deleting its files) or of unpatched servers
    (which, if not restarted, use old library files and are still
    vulnerable).

check_ftpusers
    Analyses the system's /etc/ftpusers and determines if the
    administrative users are in that file.

check_issue
    Checks the /etc/issue and /etc/issue.net files to determine if they
    contain the appropriate content (this is defined in the ISSUEFILE
    and ISSUENETFILE).

check_logfiles
    Checks for the existence of log files (wtmp, btmp, lastlog and
    utmp). It will also check for proper umask settings.

check_lilo
    Analyses configuration files for lilo and grub boot loaders
    (Linux-specific).

check_listeningprocs
    Checks for processes listening on TCP/IP sockets (servers) in the
    system as well as users running them. Will warn if the user running
    a server is not an authorised one or if the server is listening on
    all available interfaces.

check_passwdformat
    Checks the format of the /etc/passwd file in order to determine
    inconsistencies which indicate an intrusion or misconfiguration.

check_patches
    Checks if patches are available for the system (i.e. new packages).
    It will use autorpm or apt-get to check this (so these tools need to
    be properly configured). This check is specific to Linux (RedHat or
    Debian).

check_root
    Checks if remote root login is allowed to the local system.

check_rootdir
    Checks the permissions for the root directory.

check_rootkit
    Tries to find systems which have been rootkitted; it does so by
    looking for trojaned ls and find commands. It also includes a
    wrapper to run the chkrootkit program and format the results in
    Tiger's message format.

check_single
    Checks if the system is properly configured to disallow single-user
    access. This check is specific to Linux.

check_release
    Analyses the version of the operating system and determines if it is
    too out of date. This check is specific to Linux (RedHat or Debian).

check_runprocs
    This module will check if the processes configured in tigerrc are
    currently running in the system. If any of the processes is not
    running, Tiger will warn the administrator (this acts as a
    lightweight software watchdog).

check_services
    Checks which services are configured in the system (usually in
    /etc/services) versus the ones that should be configured (in the
    provided services file).

check_tcpd
    Tests for the existence of tcp-wrappers and changes in their
    configuration; it also determines which services are running wrapped
    in tcp-wrappers.

check_umask
    Checks for umask settings in configuration files.

check_xinetd
    Checks which xinetd services are enabled or disabled.

crack_run
    Runs a local installation of the Crack program which can be used to
    determine if local user passwords are easy (or not) to guess.

tripwire_run aide_run integrit_run
    Wrappers for a number of integrity checkers; these programs enhance
    the support of Tiger for MD5 and SHA-1 binary signatures and file
    system permission checks (implemented with the check_perms and
    check_signatures scripts). You should consider installing any of
    these three programs (Tripwire, Aide or Integrit) and use read-only
    locations (such as CD-ROM) to store the hashes of the system.

deb_checkadvisories
    This module checks against a list of stored Debian Security
    Advisories in order to see if the system has any package installed
    whose version might be subject to any security vulnerability
    (Debian-specific).

deb_checkmd5sums
    Compares the MD5 sums of binary files against those provided after
    installation. Changes in these files might be an indication of a
    compromised system (Debian-specific).

deb_nopackfiles
    Looks for files installed in the system's directories that are not
    provided by any installed Debian packages (Debian-specific).
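
The condition that check_finddeleted reports can be illustrated on Linux by reading /proc directly. This is an added example, not Tiger's own implementation; reading /proc is an assumption of the example, and the sample tree, process names and library name are constructed.

```shell
#!/bin/sh
# Added example, not Tiger's code: report processes still using deleted files.

# make_fake_proc DIR: constructed /proc-like tree used as offline sample input.
make_fake_proc() {
    mkdir -p "$1/101" "$1/102"
    ln -s "/usr/sbin/demo-daemon (deleted)" "$1/101/exe"
    ln -s "/usr/sbin/demo-web" "$1/102/exe"
    cat > "$1/102/maps" <<'EOF'
7f00a0000000-7f00a0021000 r-xp 00000000 08:01 1311 /usr/lib/libdemo.so.1 (deleted)
7f00a0021000-7f00a0022000 rw-p 00021000 08:01 1311 /usr/lib/libdemo.so.1 (deleted)
7f00a0400000-7f00a0500000 rw-s 00000000 00:05 2048 /dev/zero (deleted)
EOF
}

# find_deleted [PROCROOT]: print "pid<TAB>kind<TAB>path" for each process whose
# executable, or an executable mapping, points at a file removed from disk.
find_deleted() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # The kernel appends " (deleted)" to the link target of an unlinked binary.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=
        case $exe in
            *" (deleted)")
                path=${exe%' (deleted)'}
                printf '%s\texe\t%s\n' "$pid" "$path" ;;
        esac
        [ -r "$dir/maps" ] || continue
        # maps fields: range perms offset dev inode path. Only executable
        # mappings are kept, which skips shared-memory entries like /dev/zero.
        awk -v pid="$pid" '$2 ~ /x/ && $NF == "(deleted)" && $6 ~ /^\// {
            if (!seen[$6]++) printf "%s\tlib\t%s\n", pid, $6 }' "$dir/maps" || true
    done
}

demo=$(mktemp -d)
make_fake_proc "$demo"
find_deleted "$demo"
rm -rf "$demo"
```

Run `find_deleted` with no argument as root to scan the live /proc. A `lib` line for a long-running daemon after a library upgrade marks a service that still needs a restart; an `exe` line for an unexpected process deserves a closer look.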

/etc/tiger/tigerrc
    Configuration file for the Tiger tool.

/etc/tiger/cronrc
    Configuration file for the Tigercron tool.

/var/log/tiger
    Location of the log messages generated by Tiger when run through
    cron.

/var/run/tiger/work
    Working directory used by Tiger scripts to create temporary files.

/etc/tiger/tiger.ignore
    Configuration file that defines which messages generated by modules
    will be ignored by Tiger and will not be presented in the final
    report.

tigexp(8)

There are also a number of README files that describe in detail the
behaviour of Tiger and how it can be used to set up a host-based
intrusion detection system. These can be found in the top directory of
the sources or in /usr/lib64/tiger once it is installed (in Debian the
location of the full documentation set is /usr/share/doc/tiger/).

There are a lot more things to check.

Some places in the package are not shell meta-character or white-space
safe.

You can report or read known bugs at the
http://savannah.nongnu.org/projects/tiger webpage.

For Debian-specific (known) bugs read the
/usr/share/doc/tiger/README.Debian document or the
http://bugs.debian.org/tiger webpage.

Tiger was originally developed by a team of the Texas A&M University
Supercomputer Center, as of September 1993, the development done via the
Network Group, Computing & Information Services.

This software was written originally by Douglas Lee Schales, Dave K.
Hess, Khalid Warraich, and Dave R. Safford (circa 1993).

A lot of changes were introduced by the ARSC team (a.k.a. the TARA team)
Liam Forbes <lforbes at arsc.edu>, Nathan Bills <bills AT arsc.edu> and
Mike Kienenberger <mkienenb at arsc.edu>, including support for quite a
number of operating systems.

Current upstream maintenance of Tiger is being done by Javier
Fernandez-Sanguino Peña and coordinated at
http://savannah.nongnu.org/projects/tiger

The adaptation for the GNU/Linux operating system was made by Robert L.
Ziegler <rlz at mediaone.net>

The modifications for the Debian GNU/Linux operating system have been
made by Javier Fernandez-Sanguino Peña <jfs at computer.org>, including
a number of checks for the GNU/Linux operating systems
(check_listeningprocs) and some specific for Debian
(deb_checkadvisories, deb_checkmd5sums and deb_nopackfiles).

Security                      12 August 2003                      TIGER(8)