The Unix security audit and intrusion detection tool
Important Note: It is recommended that source code or binaries downloaded from any archive are checked carefully. Downloads at Savannah are signed with the Tiger developer's key; verify the signature, and verify that the signing key is the one you expect, before building or installing anything.
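One way to do that check, as an added example for this page and not code from the Tiger project: a plain gpg --verify exits 0 for a good signature from any key in the local keyring, so the script below parses gpg's machine-readable status output and accepts only a signature whose key (or whose primary key) matches a pinned fingerprint. The fingerprint and the tarball/signature file names are placeholder assumptions; the real fingerprint must be obtained out of band, not from the same mirror as the download.

```shell
#!/bin/sh
# Added example, not Tiger project code: check a Savannah download against a
# signing key pinned by fingerprint. A plain "gpg --verify" exits 0 for a good
# signature from ANY key in the local keyring, so the status output is parsed
# and the VALIDSIG fingerprint compared with the expected one.
# The fingerprint below is an assumed placeholder; the real one must be
# obtained out of band (from the developer or the project page), not from
# the same mirror as the tarball.
TIGER_KEY_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# status_has_valid_fpr FPR  <  gpg-status-lines
#   Exit 0 only if a VALIDSIG line names FPR (signing key or its primary key)
#   and no BADSIG/ERRSIG line is present.
status_has_valid_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 = fingerprint of the key that signed, $NF = primary key fingerprint
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_download FPR TARBALL SIGFILE
#   Run gpg non-interactively with machine-readable status on stdout and
#   pass it through the pinned-fingerprint check.
verify_download() {
    gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null | status_has_valid_fpr "$1"
}

# Constructed sample of gpg status output (not captured from a real run):
# a subkey signature whose primary key matches the pinned fingerprint.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Tiger Developer (placeholder) <dev@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2008-09-01 1220227200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

if printf '%s\n' "$SAMPLE_STATUS" | status_has_valid_fpr "$TIGER_KEY_FPR"; then
    echo "signature from pinned key"
else
    echo "signature NOT from pinned key" >&2
fi
# Real use (file names assumed):
# verify_download "$TIGER_KEY_FPR" tiger-3.2.3.tar.gz tiger-3.2.3.tar.gz.sig
```

The check accepts either the signing subkey's fingerprint or the primary key's, so a pin on the primary key keeps working when the developer rotates signing subkeys; a BADSIG or ERRSIG line anywhere in the output fails the check even if another VALIDSIG is present.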
Tiger is a security tool that can be used both as a security audit and as an intrusion detection system. It supports multiple UNIX platforms and is free software provided under the GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell script.
Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its dual nature: it can be used both as an audit tool and as a host intrusion detection system. Free Software intrusion detection is currently going many ways, from network IDS (with Snort), to the kernel (LIDS or SNARE for Linux and Systrace for OpenBSD, for example), not to mention file integrity checkers (many of these: aide, integrit, samhain, tripwire) and logcheckers (even more of these; check the Log Analysis pages). But few of them focus fully on the host side of intrusion detection. Tiger complements these tools and also provides a framework in which all of them can work together. Tiger is not a logchecker, nor is it focused on integrity analysis. It does "the other stuff": it checks the system configuration and status. Read the manpage for a full description of the checks implemented in Tiger. A good example of what Tiger can do is check_findeleted, a module that determines which network servers running on a system are using deleted files (because libraries were replaced during an upgrade but the servers were not restarted, so they keep running the old code in memory).
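The condition check_findeleted looks for can be reproduced in a few lines of shell. The block below is an added example written for this page, not Tiger's own module; it assumes the Linux /proc layout (one mapping per line in /proc/<pid>/maps, with " (deleted)" appended by the kernel once the backing file is unlinked) and builds a constructed /proc look-alike so it can be run without root.

```shell
#!/bin/sh
# Added example (not Tiger's own check_findeleted): list processes that still
# map files which have since been deleted, the situation that arises when a
# library is replaced by an upgrade but the daemon using it is never restarted.
# Assumes a Linux /proc layout: /proc/<pid>/maps has one mapping per line,
#   start-end perms offset dev inode [pathname]
# and the kernel appends " (deleted)" to the pathname once the file is unlinked.

# deleted_maps FILE
#   Print each distinct deleted file path found in one maps file.
#   Ignores anonymous mappings (inode 0) and the usual benign "(deleted)"
#   entries: memfd segments, SysV shared memory and /dev/zero mappings.
deleted_maps() {
    awk '$5 != 0 && $NF == "(deleted)" {
            # Rebuild the pathname (fields 6..NF-1) so embedded spaces survive.
            p = $6
            for (i = 7; i < NF; i++) p = p " " $i
            if (p ~ "^/memfd:" || p ~ "^/SYSV" || p == "/dev/zero") next
            if (!seen[p]++) print p
        }' "$1"
}

# scan_proc [PROCDIR]
#   Walk every numeric directory under PROCDIR (default /proc) and print
#   "pid comm path" for each deleted mapping. Unreadable processes are
#   skipped, so run as root to see other users' daemons.
scan_proc() {
    procdir=${1:-/proc}
    for d in "$procdir"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        pid=${d##*/}
        comm=$(cat "$d/comm" 2>/dev/null || echo '?')
        deleted_maps "$d/maps" | while IFS= read -r p; do
            printf '%s %s %s\n' "$pid" "$comm" "$p"
        done
    done
}

# make_sample_proc
#   Build a constructed /proc look-alike in a temp dir and print its path:
#   pid 4242 ("httpd") maps a deleted libssl plus benign deleted entries,
#   pid 4243 ("sshd") maps nothing deleted. The maps lines are made up.
make_sample_proc() {
    t=$(mktemp -d)
    mkdir -p "$t/4242" "$t/4243"
    echo httpd > "$t/4242/comm"
    cat > "$t/4242/maps" <<'EOF'
5563a0a00000-5563a0a01000 r-xp 00000000 08:01 131073   /usr/sbin/httpd
7f1c2c000000-7f1c2c021000 rw-p 00000000 00:00 0
7f1c2c200000-7f1c2c2a0000 r-xp 00000000 08:01 262144   /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1c2c2a0000-7f1c2c2a1000 r--p 000a0000 08:01 262144   /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1c2c400000-7f1c2c410000 rw-s 00000000 00:05 40961    /memfd:pulse (deleted)
7f1c2c500000-7f1c2c501000 rw-s 00000000 00:05 32769    /SYSV00000000 (deleted)
7ffd1f000000-7ffd1f021000 rw-p 00000000 00:00 0        [stack]
EOF
    echo sshd > "$t/4243/comm"
    cat > "$t/4243/maps" <<'EOF'
55d3c0000000-55d3c0100000 r-xp 00000000 08:01 131074   /usr/sbin/sshd
7f9e10000000-7f9e10100000 r-xp 00000000 08:01 262145   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
EOF
    echo "$t"
}

# Demo against the constructed tree; a real audit calls scan_proc with no argument.
sample=$(make_sample_proc)
scan_proc "$sample"
rm -rf "$sample"
```

On a live system, run scan_proc as root with no argument; a non-empty line for a network daemon means it is still executing code from a file that no longer exists on disk and should be restarted (a deleted libc or kernel-adjacent library usually means a reboot). The memfd, SysV shared memory and /dev/zero filters suppress mappings that are always reported as deleted and are not evidence of an un-restarted service; tune them for the platform rather than removing them.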
Free software Linux/*BSD distributions have a myriad of security tools to do local security checks: Debian's checksecurity, Mandrake's msec, OpenBSD's /etc/security, SUSE's Seccheck. But even if they do similar checks, they have suffered from fragmentation. Tiger is being developed in the hope that it could replace them at some point in the future. For a list of system security checks that Tiger provides that others do not, you can read this (short) comparison.
Find more information in the project’s page at Savannah.
Tiger provides a number of README files describing its usage, and it has been featured in a number of papers and conferences. The following documentation is available:
The sources include the main README file, notes on how to use Tiger in the USING file, and notes on how to use it as a host IDS in the README.hids file.
UNINET’s UMEET 2002 conference: Tiger: A security audit and intrusion detection tool: talk (mirror), slides
UNINET’s INFOSEC 2003 conference: UNIX host-based intrusion detection and audits, a look at current development: talk (mirror), slides.
Also useful, is the annotated CERT checklist which describes which items of Auscert’s UNIX Security Checklist are covered by the Tiger tool.
You can freely download Tiger from Savannah; Debian packages are also available in the Debian archive. The current stable release is 3.2.3, the previous (old) stable release is 3.2.2. Notice that many mirrors of security tools have not caught up with this latest release and still carry older versions (2.2.4p1).
If you are using a Linux distribution you are encouraged to use the latest stable release, since it is much more up-to-date and will work better than TAMU’s 2.2 release on newer Linux distributions. Packages for the Debian GNU/Linux distribution are also available directly from Debian. Other Debian derivatives, such as Ubuntu, probably provide Tiger in their package sources too.
You can also obtain a copy of the source code, which is currently distributed using a Git repository. For more information on how to obtain the source code, please read this page.
Tiger is distributed under the GNU GPL license and is free software. The fact that TAMU originally distributed it under this license has allowed development of the tool to continue even after the group was no longer able to develop it.
Tiger is distributed as source code only; you might need to compile certain programs (under bin/) for your specific operating system. In any case, if you want to see how the program has evolved, please check the source code repository. Some operating systems, like Debian, provide binary packages; users of those operating systems are encouraged to use them.
If you want to cooperate in the development of the Tiger tool you are encouraged to join the tiger-devel mailing list. This list is used to coordinate the development of the code: new scripts, patches and discussion about bug reports are welcome here.
If you want to contact Tiger developers or users please use the open mailing lists. If you want to report bugs in Tiger or ask for enhancements that you feel are important please use our Bug Tracking System or open support requests in our Support Manager.
Tiger was originally developed by the CIS Network group of Texas A&M University (TAMU); it was written at the same time as COPS, SATAN and Internet Scanner. Eventually, after the 2.2.4 version, which was released in 1994, development of Tiger stalled (the original pages are still available at http://www.net.tamu.edu/network/tools/tiger.html).
Three different forks evolved after Tiger: TARA (developed by Advanced Research Computing, available at http://www-arc.com/tara), one developed internally at HP by Bryan Gartner, and the last one developed for the Debian GNU/Linux distribution by Javier Fernández-Sanguino (current upstream maintainer).
These forks were merged in May 2002, and in June 2002 the new source code, now labeled as the 3.0 release, was published at the Savannah site. The 3.1 release was distributed in October 2002; it was considered an unstable release and included some new checks and a new autoconf script for automatic configuration, but mostly included fixes for bugs found after testing Tiger in Debian GNU/Linux and in other operating systems. Over 2200 lines of code and documentation were included in this release.
The 3.2 release was published in May 2003; it greatly improved the stability of the tool and also fixed some security flaws found in it (including a buffer overflow in realpath).
The 3.2.1 release was published in October 2003 and included a number of bug fixes, enhancements and new checks including: check_ndd (for HPUX and SunOS systems), check_passwspec (for Linux and HPUX) check_trusted (for HPUX), check_rootkit (which can interact with the chkrootkit tool), check_xinetd, and, finally, aide_run and integrit_run which provide new checks for integrity file checkers.
The 3.2.2 release was published in August 2007 and included many bug fixes, new checks and enhancements. It introduced support for Tru64, Solaris 8 and 9. This release also introduced the audit scripts, a collection of scripts originally written by Marc Heuse that can be used to do offline audits of systems by collecting all the needed information and putting it into an archive. Use these scripts together with operating system security baselines or checklists.
The 3.2.3 release was published in September 2008 and was mainly a bug fix release. This release incorporated all the fixes introduced in the Debian packages (a result of the help of users and developers using Tiger in that distribution), and included new features related to the handling of exotic filesystems in Linux.
Development has continued after this release, and a release with all the improvements, bug fixes and changes introduced is being worked on.