Tiger - The Unix security audit and intrusion detection tool


Contents

Introduction
How to install Easy way
Enable Mail
First Scan
Good Report Results
Report Results that may need investigating
Tweaking tiger.ignore file
FAQ for tiger.ignore
Tweaking tigerrc file
Test before and after reboot
Using Cron jobs
/var/log/tiger
Running Tiger for Intrusion Detection
Help
Credits


Introduction


Try at your own risk. Any suggestions to add or delete lines from /etc/tiger.ignore should be considered by you and not blindly followed just because I am the current wiki contributor. If unsure, make no changes. IMHO, you are making poor decisions if you have added lines to tiger.ignore without running tiger at least once without tweaks. That means you will need to run tiger without tweaks and then at least once with tweaks.

I am a sidux and Debian newbie. In order to help you make an informed choice on whether to run it once or more, I offer the following suggestions. Feel free to edit if you find errors or can improve it. This is an introduction to the security report tool TIGER. For intrusion detection and Tiger, I suggest:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/root_compromise.html

This wiki concentrates on Tiger as an audit tool and IDS as a lower priority.

Tiger can produce different reports depending on how you run the command tiger:
- with (or without) tweaked config files,
- as a specific individual scan rather than the all-in-one command tiger,
- from a cron job, and
- whether it is installed or run off removable media.

Due to these permutations, I assume you will run installed scans and tweak your config files. Please back up your system before attempting any changes. Ideally, take an image of a clean install. Insert the removable media to run or install Tiger. Take an image if you like the tweaks. Consider cron jobs if you would like to have reports of possible intrusion in the future.

Where applicable, I comment on a second scan after altering the tiger.ignore file, so you will need to pay attention to detail. Sorry in advance, but that's the way I discuss certain reports.

It appears sidux guru Stefan is against the use of partimage and regards it as unstable. As a home user, I have used it over the years on 32-bit distros and currently have an ext3 fs, but have less to risk if it were faulty. So back up your system whichever way you feel confident of restoring. Even if you use partimage, please back up all system files you are about to change. It helps to know how to use sidux in live DVD mode to restore your backups, or how to use a live CD to run partimage if you are prepared to engage in risky behaviour. As sidux will never have partimage, can I suggest you consider a GPL ISO of RIPLinuX (aka RIP): the smallest is 50 MB, or 80 MB with X (GUI).
http://www.tux.org/pub/people/kent-robotti/looplinux/rip/
The GPL licence can be verified by checking the CD file /boot/doc/copying.txt

Please read all of this wiki, especially the testing bit, before making any system file changes.

Who is the Debian maintainer?
Javier Fernandez-Sanguino Pena

AUTHOR
Tiger was originally developed by a team at the Texas A&M University Supercomputer Center as of September 1993, with the development done via the Network Group, Computing & Information Services. The software was originally written by Douglas Lee Schales, Dave K. Hess, Khalid Warraich, and Dave R. Safford (circa 1993).

What is it good for?
One function is an internal security audit tool that is used to check system files. Because it checks certain files, it may detect certain types of intrusion. If you have installed chkrootkit, tiger can use it. You are the only one who can decide whether what is happening is legitimate, and whether positive reports (hits) are false positives or not. Knowing how your system functions and reading logs on a regular basis helps. If unsure, re-read the Tiger documents and read the Help section. There are lots of ways to harden your system, including Bastille. The more you harden the system, the better the quality of the tiger reports.


Enable Mail


On a clean install, running the command mail responds with "command not found". Mail applications include an MTA, and debconf can let you set it up for local delivery only.

apt-get install mailx sendmail kbiff


In order to see when mail arrives, try a nice system tray applet, kbiff. If you will use cron, enable cron logs in /etc/rsyslog.conf. If you are not sure why mail is not working, check /var/log/mail.err first, then mail.log.

You are not forced to install mail software; you may be able to get by using Konqueror or another file manager with root powers to read /var/log/tiger and /var/spool/mail. You may need to do this if you have not configured your MTA correctly.


How to install Easy way


su
apt-get install tiger


This installs tiger. Individual scripts can now be found at /usr/lib/tiger/scripts/. The easy way means you do not have an unpacked copy on removable media to install onto a clean system. If you are going to use tiger as an IDS, I suggest it be installed on a clean system.


First scan

Please do not tweak config files to maximize the possible hits. You could also move the tiger.ignore file, but I suggest we go conservative on the first scan.

Report tools do just that: they report. It is up to you to interpret the results using the help files, to change certain system files and/or tweak the tiger config files. Tiger reports can assist you in hardening certain system files. It is not meant to be a stand-alone tool. If you are interested in security, IMHO you are likely to run a number of tools. My preferred tool is rootkit hunter. To get an idea of what Tiger will scan without a change to its config, see /etc/tiger/tigerrc

su
nice -n -20 tiger -e &   # -n -20 raises priority (root only); a bare "nice -20" would lower it instead


If you do not want to raise its priority or have no need for longer explanations in the log, just run tiger. The script will attempt to use the config file for a generic Linux 2.6 kernel, but you can force it to use a different config file. For now, please do not.

This will take about 5 minutes depending on your hardware. It will produce a report for sidux at
/var/log/tiger/security.report.sidux.(yymmdd-time), with longer explanations due to the -e switch.
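Added example (not from the wiki or from the Tiger project): a small POSIX sh helper that compares the first, untweaked report with a second one taken after editing tiger.ignore, as the introduction recommends, and lists which findings the ignore file silenced and which are new. It assumes Tiger's usual finding format "--LEVEL-- [code] message" and uses two constructed sample reports with made-up codes; on a real system you would point it at two files under /var/log/tiger.

```shell
# Added example, not from the wiki or from Tiger itself: compare the first
# (untweaked) Tiger report with a second one taken after editing tiger.ignore.
# Assumes Tiger's usual finding format "--LEVEL-- [code] message"; the two
# reports below are constructed samples with made-up codes, not real output.
export LC_ALL=C

# Finding lines only (WARN/FAIL/ALERT/INFO...), sorted so comm can diff them.
tiger_findings() {
    grep -E '^--[A-Z]+-- \[[a-z0-9]+\]' "$1" | sort -u
}

# Number of findings of one level, e.g. tiger_count "$report" WARN
tiger_count() {
    grep -c "^--$2-- \[" "$1" || true
}

# Usage: tiger_diff suppressed|new BASELINE_REPORT LATER_REPORT
tiger_diff() {
    a=$(mktemp) && b=$(mktemp) || return 1
    tiger_findings "$2" >"$a"
    tiger_findings "$3" >"$b"
    case $1 in
        suppressed) comm -23 "$a" "$b" ;;   # in the baseline only
        new)        comm -13 "$a" "$b" ;;   # in the later report only
    esac
    rm -f "$a" "$b"
}

# Constructed baseline report (first scan, no tweaks)
BASELINE=$(mktemp)
cat >"$BASELINE" <<'EOF'
# Performing check of PATH components
--WARN-- [samp001w] Constructed: /usr/local/bin is group writable
--INFO-- [samp002i] Constructed: chkrootkit is not installed
# Performing check of system file permissions
--FAIL-- [samp003f] Constructed: /etc/shadow is world readable
EOF

# Constructed second report (samp001w and samp002i added to tiger.ignore)
TWEAKED=$(mktemp)
cat >"$TWEAKED" <<'EOF'
# Performing check of PATH components
# Performing check of system file permissions
--FAIL-- [samp003f] Constructed: /etc/shadow is world readable
--WARN-- [samp004w] Constructed: new setuid file /usr/local/bin/foo
EOF

tiger_diff suppressed "$BASELINE" "$TWEAKED"   # two silenced findings
tiger_diff new "$BASELINE" "$TWEAKED"          # one new warning to look at
```

Anything listed under "new" deserves the same scrutiny as a first-scan hit; the ignore file should only ever remove findings you have already understood.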

Good Report Results


On a sidux 2008-02 KDE full i386 hard drive install Tiger has the following good results:

Performing check of /etc/hosts.equiv and .rhosts files
Performing check of .netrc files
Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab
Performing check of PATH components
Only checking user 'root'
Performing check of anonymous FTP
Performing checks of mail aliases
Checking aliases from /etc/aliases
Performing check of 'inetd'
Checking inetd entries from /etc/inetd.conf
Analysing inetd entries from /etc/inetd.conf
Performing NFS exports check
Performing check of system file permissions
Checking for known intrusion signs
Testing for promiscuous interfaces with /bin/ip
Testing for backdoors in inetd.conf
Performing check of files in system mail spool
Performing check for rootkits
Performing system specific checks
Performing checks for Linux/2
Checking for single user-mode password
Checking Logins not used on the system
Verifying system specific password checks
Checking installed packages vs Debian Security Advisories
Checking md5sums of installed files
Performing check of root directory
Checking ntpd configuration
Checking unusual file names
Looking for unusual device files
Checking symbolic links


