Tiger is a set of scripts that scan a Unix system looking for security problems. It supports multiple UNIX platforms and is free to use. It can act as both a Host Intrusion Detection System and a Security Audit tool. Tiger compliments network IDS and kernel IDS. Tiger as a HIDS finds anything that slips past the NIDS.
As a HIDS, Tiger looks for suspicious processes, monitors host access, and monitors changes to critical system files. Tiger provides checks of common issues related to security break-ins. These checks include checks for password strength, file system problems, communicating processes, and ways that root may be compromised. Other checks include a system scan for listening “back door” ports, a check for installed rootkits, locations of files not belonging to packages, and an analysis of local listening processes.
As a Security Audit tool, tiger checks the system configuration and status. Tiger exposes any vulnerabilities in the system by performing these checks:
Problematic cron and service entries
Complete system file permission check
All user accounts on the machine
Listening services audit
Where does tiger fit in?
Tiger is installed locally, runs as root, and checks the localhost for common system configuration issues concerning security. Tiger is not a network monitor (such as Nagios), a full strength IDS (such as Snort, Samhain, or Tripwire), or a package management system (like apt). Tiger has a comprehensive set of built-in checks and is portable with minimal requirements. It runs as root, so it can do a very thorough analysis of the system that programs like 'Nagios' cannot. Tiger is very lightweight; there are no daemons, databases, or network connections required.
Using Tiger at Quoin
Through using Tiger, we have been able to identify and eliminate security threats. An example of tiger hardening our servers can be seen in our use of Tiger’s “check_finddeleted” script. By using this script, we were able to pinpoint a resource leak within an application. This particular application was holding onto a file descriptor after the file had been deleted. Seeing which running network services are using deleted files in our system has proven to be very helpful in stopping security risks..
Checks like these are scheduled to run in the background over a specified time period throughout the day. The interval that each script is run can be designated in Tiger’s configuration files. Once this is setup properly, a Tiger report is emailed to the specified administrator. In addition, Tiger makes it possible to email a “change” report which will only contain “new” info and will only be mailed when there “is” new info. This works by tiger comparing the new, updated reports with previous stored reports.
In order for Tiger to work effectively, the configuration files must be configured to match your applications needs. When configured correctly, Tiger allows us to easily analyze security risks and eliminate them as they arise.