'tiger' is a set of scripts that scan a Un*x system looking for security problems, in the same fashion as Dan Farmer's COPS. 'tiger' was originally developed to provide a check of UNIX systems on the A&M campus that want to be accessed from off campus (clearance through the packet filter). As such, we needed something that *anyone* could run if they could figure out how to get it down to their machine.

If you just want to run it, without regard to time considerations, then just 'cd' into the tiger directory and run './tiger' as 'root'.

---> You should check to see if you have the latest digital signatures for the system(s) you are checking. I regularly place updated signature files on anonymous FTP at

         net.tamu.edu:/pub/security/TAMU/tiger-sigs/*

     The util/installsigs script can be used to install the updated signatures. As of Tiger 2.2.2, installsigs is also capable of installing signatures for new OS releases (not new platforms or major releases though).

     ALSO NOTE NOTE: There are fairly complete signature files for various releases of SunOS available in the tiger-sigs/os-dist directory. These should be used if you want to thoroughly scan your system for altered binaries.

*NOTE* The 'tigerrc' file is set up for TAMU hosts, and disables/reduces some of the checks. You should probably copy 'tigerrc-dist' to 'tigerrc' and edit it to taste. It is set for a fuller check mode (TAMU hosts might want to run with this config file as well). 'tigerrc-all' has everything already maxed out and enabled (except for PATH_ALL). (Or use the '-c' switch to use an alternate tigerrc file as of 2.2.2)

------------------------------------------------------------------------

I recommend that you read the USING file for anything other than the aforementioned situation.

**** See the file COPYING for legal stuff.

------------------------------------------------------------------------

If you have anything to say about 'tiger', please let us know.
New things to check, how to improve things, *anything*, send it in... if you think someone else has already sent in a bug report, suggestion, etc., send it in anyway... the more times someone hits me over the head with something, the more likely it is to get fixed/included...

********** NOTE NOTE NOTE NOTE NOTE NOTE ************

There is now a mailing list available for 'tiger'. To subscribe, send mail to 'majordomo@net.tamu.edu'. Include in the body of the message:

     subscribe tiger
or
     subscribe tiger alternate_email_address

The mailing list is managed via Brent Chapman's 'majordomo' package.

Doug.
Doug.Schales@net.tamu.edu

New Stuff 01/06/94
---------

Updated signature files for SunOS 4.x and SunOS 5.x.

Bug fixes...

  If the current directory is a descendant of a directory for which the user does not have 'read' permissions (i.e., search only), then csh and find do not always work. Workaround is to 'cd /' where necessary. Not sure this has been completely implemented.

  typo in scripts/sub/check_devs (Multiple people)

  scripts/sub/check_devs exited if GENCLIENTDIRS undefined (Sally Noonan).

  -x 'test' switch is not portable. (Sally Noonan)

  AIX doesn't need '-g' (Dorian Deane)

  IRIX test doesn't shortcircuit (Steve Rikli)

  IRIX config had wrong definition for DATECMD and TIMECMD (Steve Rikli)

  Crude 'smrsh' check performing poorly (Patrick Nolan & Mohamed el Lozy)

Changes for performance and robustness, as suggested by Goran Larsson. A C program is used to get file ownership and permissions instead of 'ls | awk'. (If the C program won't compile, we fall back to 'ls | awk'.) Changes to check_anonftp for performance.

Added -c switch to allow specifying alternate 'tigerrc' script (John Reynolds)

'tigexp' loses command line parameters on NeXT 3.0 (Kelly Cunningham)

Added ethernet device files to check list for SunOS 5 (was already there in SunOS 4). Also inspects /var/sadm/install/contents to check the perms there so that they don't get accidentally changed back.
New Stuff 10/31/93
---------

Mailing list available. See the README file for more information.

Support for TAMU Linux distribution, may work on other Linux' as well.

Updated signatures for SunOS 4.x & SunOS 5.x for security patches.

'installsig' script for installing new signature files (util/installsig). We will try to maintain up to date security patch signature files in the directory net.tamu.edu:/pub/security/TAMU/tiger-sigs. Note that at present, only SunOS 4.x and SunOS 5.x are being actively maintained (not that there is a bias here, it is just easier for me to get information on these... contributions will be welcomed).

Various minor bug fixes relating to various platforms.

Fixed check_suid to handle MD5 signatures.

check_embedded now will optionally wait for the file system scans to complete and will check all setuid executables found for "bad" embedded pathnames. See 'tigerrc' for configuring details.

New Stuff 08/17/93
---------

Script for checking embedded pathnames. The other scripts collect filenames which are then fed into the check_embedded script. This checks the ownership and permissions of all of these embedded pathnames. Be warned... this can generate *lots* of output.

Pathname checking is now much more complete. Every "problem" is reported in detail, instead of saying "Hey, there's a problem with this pathname".

'tigercron' should work a lot better now.

Script for checking BSD printcap printer control file.

Signatures for IRIX 4.0.5*, thanks to Steve Rikli.

Signatures for NeXTOS 3.1, thanks to William McVey, et al.

Cleaned up output... much of the output now gets formatted to (default) 80 columns.

Digital signature checking now works with SNEFRU or MD5. Automagically detects which signature to generate.

Signature checking is a lot faster now, especially if you have a clean system (the signature database is ordered such that the "good" signatures are first).

Interface to 'password' generator scripts changed so that the generator scripts can do sanity checking on the base files. Interfaces to all of the other generator scripts will be changed in next release.

Makefile for installing everything. I'm not happy with the installation process this time either... if anyone wants to contribute a snazzy installation script I'll be happy to include it...

New Stuff 06/17/93
---------

First off, there are some man pages in the 'man' directory. They are definitely lacking. If I ever stop adding stuff to the package, maybe I will be able to write better documentation.

******** Explain facility.

All messages (should) have a message ID associated with them in square brackets []. The script 'tigexp' can be used to get an explanation of the message. Some (many?) of the explanations are lacking. You can also insert the explanations into the output of 'tiger' by using the '-e' flag. If anyone has suggestions or improved explanations, don't hesitate to send them to me.

******** Crack 4.1 interface.

'tiger' will now run Alec Muffett's password cracker 'Crack'. See the 'tigerrc' file and 'site-sample' file for information on enabling it (it is disabled by default).

******** Systems:

    SunOS 4.1.1 sun3, 4.1.1 sun4, 4.1.2, 4.1.3, 5.1, 5.2 sun4
    NeXT 3.0

There, but untested (and I do mean untested). You can try them, but they have *never* been used, so I have no idea what to expect. Some parts are missing (i.e., no signature files).

    AIX 3.x (if this one works... any idea why so many setuid's on AIX 3?)
    HPUX (probably anything up to 9.x)
    IRIX 4.x
    UNICOS 6.x 7.x (if those pesky users didn't use the machine so much...)

******** More checks.

A few of the additions since the last release are:

    check_aliases: Check mail aliases for problems.
    check_cron: Check 'cron' entries for problems.
    check_group: Cross reference 'group' files for problems.
    check_passwd: Cross reference 'passwd' files for problems.
    check_path: Check 'root' (and optionally all users) PATH for problems.

In addition all previous scripts have been beefed up with many more checks. File Permission databases have been improved (though they still need more work).

Scripts which check the path to executables and files now check the pathname thoroughly, even in the face of symbolic links.

The file system scans now report device files, world writable directories, symbolic links to system files, in addition to setuid executables. Also the setuid checks now attempt to determine if a setuid program is an old version of a binary for which a security patch was released (i.e., it was moved out of the way, but never deleted or chmod'd, and hence may still be a security problem).

For servers of diskless or dataless clients, some "quick" checks of the clients can be performed on the server (see man/tiger.man). Not everything can be checked. Plus, support is not complete.

It is possible to install 'tiger' now so that you don't have to feed it all the names of the directories on each invocation. Just run 'Install'... it will prompt for names.

'tigercron' provides a simple-cron facility with report differencing capability and mailing of reports. This is just started and needs more work to be really useful. See the 'cronrc' file for a sample input to it.

Checks for the availability of utility commands have been moved nearer to where they are actually needed (as opposed to having them at the top of each script). This enables more checks to be performed when only a few commands are missing.

All cleanup of scratch files goes through the 'delete' routine which won't delete a file that isn't in the scratch work directory. This is to prevent programmer errors from zapping the wrong file [what? programmer errors? Never... :)]

Some more C code added. Handling of obtaining a compilation of the source improved. For casual use, nothing need be done.
The C code will be compiled and installed in the Bindir (TIGERHOME/bin by default). For regular use, or use in a large group of systems, sharing the tiger directories, the binaries can be compiled and stored in the respective system directories. The scripts will use the binary directly from that directory. The Solaris 2.x (SunOS 5) directory provides precompiled binaries (no C compiler by default).

Finally, if you try to run this on a system with an old or broken Bourne shell, or one without functions, have a peek at util/setsh. This will change all the '#!' headers to some other shell (i.e. ksh or bash). Note that 'tiger' has never been run under either of these, but it might be worth a shot.
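
The pathname check described in the 06/17/93 notes (every component examined, "even in the face of symbolic links", each problem reported in detail), sketched here in Bourne shell as an added example; it is not tiger's own code, and the function names, finding labels and TRUSTED_OWNERS variable are assumptions. Ownership and permissions come from 'ls | awk', the fallback the 01/06/94 notes mention.

```shell
#!/bin/sh
# Added example, not tiger's code. Findings go to stdout, one per line.
TRUSTED_OWNERS=${TRUSTED_OWNERS:-root}   # assumption: owners treated as safe

check_component() {   # $1 = a component already known not to be a symlink
    set -- "$1" $(ls -ld "$1" 2>/dev/null | awk '{print $1, $3}')
    if [ "$#" -lt 3 ]; then echo "missing: $1"; return 1; fi
    case " $TRUSTED_OWNERS " in *" $3 "*) ;; *) echo "untrusted-owner($3): $1" ;; esac
    case $2 in                       # $2 is the mode string, e.g. drwxrwxrwt
        ????????w[tT]*) echo "world-writable(sticky): $1" ;;
        ????????w*)     echo "world-writable: $1" ;;
        ?????w*)        echo "group-writable: $1" ;;
    esac
    return 0
}

walk_path() {         # $1 = pathname; relative names are taken from $PWD
    case $1 in /*) path=$1 ;; *) path=$PWD/$1 ;; esac
    hops=0
    check_component / || return 0
    while :; do
        cur="" rest=$path again=no
        while [ -n "$rest" ]; do
            comp=${rest%%/*}
            case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
            if [ -z "$comp" ]; then continue; fi     # leading or doubled '/'
            cur="$cur/$comp"
            if [ -h "$cur" ]; then                   # restart on the link target
                target=$(readlink "$cur")
                echo "symlink: $cur -> $target"
                hops=$((hops + 1))
                if [ "$hops" -gt 16 ]; then echo "symlink-loop: $1"; return 0; fi
                case $target in
                    /*) path="$target/$rest" ;;
                    *)  path="${cur%/*}/$target/$rest" ;;
                esac
                again=yes; break
            fi
            check_component "$cur" || return 0
        done
        if [ "$again" = no ]; then return 0; fi
    done
}

check_pathname() {    # drop findings repeated when a walk restarts
    walk_path "$1" | awk '!seen[$0]++'
}

if [ "$#" -gt 0 ]; then check_pathname "$1"; fi
```

Because the walk restarts on each link target, a world-writable directory reached only through a symbolic link is still reported under its real name.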
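
A guarded 'delete' routine of the kind described in the 06/17/93 notes, which refuses anything whose real parent directory is not the scratch work directory. This is an added sketch, not tiger's own routine; the WORKDIR name and the rule that only direct children of the scratch directory may be removed are assumptions.

```shell
#!/bin/sh
# Added example, not tiger's code. WORKDIR is an assumed name for the
# scratch work directory; only its direct children may be removed.
WORKDIR=${WORKDIR:-/tmp/tiger.$$}

# delete FILE...: remove scratch files, refusing anything outside $WORKDIR.
# Returns 0 if every argument was removed, 1 if any was refused.
delete() {
    # Resolve the scratch directory physically so symlinks cannot fool the test.
    _work=$(cd "$WORKDIR" 2>/dev/null && pwd -P) || {
        echo "delete: no scratch directory $WORKDIR" >&2
        return 2
    }
    _rc=0
    for _f in "$@"; do
        # The real parent of the file, after '..' and symlinked directories.
        _dir=$(cd "$(dirname -- "$_f")" 2>/dev/null && pwd -P) || _dir=""
        if [ -n "$_dir" ] && [ "$_dir" = "$_work" ] && [ ! -d "$_f" ]; then
            # rm on a symlink removes the link itself, never its target.
            rm -f -- "$_dir/$(basename -- "$_f")"
        else
            echo "delete: refusing $_f (not in $WORKDIR)" >&2
            _rc=1
        fi
    done
    return $_rc
}
```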