
Tiger (security software)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 203.196.171.120 (talk) at 06:17, 14 September 2010 (→‎Tiger scripts). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Tiger Security Tool
Stable release: 3.2.3 / March 3, 2010; 14 years ago (2010-03-03)
Operating system: Unix, Linux, Solaris
Available in: English
Type: Security Audit, IDS
License: GPL
Website: http://www.nongnu.org/tiger/

Tiger is a security tool for Unix-like systems that can be used both as a security audit tool and as an intrusion detection system. It supports multiple UNIX platforms, is free, and is provided under a GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell language.

History

Tiger was originally developed by Douglas Lee Schales, Dave K. Hess, Khalid Warraich, and Dave R. Safford, who started it in 1992 at Texas A&M University.[1] It was written at the same time as COPS, SATAN and Internet Scanner. Eventually, after the 2.2.4 version, which was released in 1994, development of Tiger stalled.[2]

Three different forks evolved after Tiger: TARA (developed by Advanced Research Computing [3]), one developed internally at the HP corporation by Bryan Gartner, and one developed for the Debian GNU/Linux distribution by Javier Fernández-Sanguino (current upstream maintainer).

These forks were merged in May 2002, and in June 2002 the new source code, now labeled as the 3.0 release, was published at the Savannah site. The 3.1 release was distributed in October 2002. It was considered an unstable release and included some new checks and a new autoconf script for automatic configuration, but mostly included fixes for bugs found after testing Tiger in Debian GNU/Linux and in other operating systems. Over 2200 lines of code and documentation were included in this release.

The 3.2 release was published in May 2003. It greatly improved the stability of the tool and also fixed some security issues found in it (including a buffer overflow in realpath).

The 3.2.1 release was published in October 2003 and includes a number of bug fixes, enhancements and new checks, including: check_ndd (for HPUX and SunOS systems), check_passwspec (for Linux and HPUX), check_trusted (for HPUX), check_rootkit (which can interact with the chkrootkit tool), check_xinetd, and, finally, aide_run and integrit_run, which provide new checks for file integrity checkers.

The 3.2.2 release was published in August 2007 and included many bug fixes, new checks and enhancements. It introduced support for Tru64 and for Solaris 8 and 9. This release also introduced the audit scripts, a collection of scripts originally written by Marc Heuse that can be used to do offline audits of systems by recovering all the needed information and putting it into an archive. These scripts are meant to be used together with operating system security baselines or checklists.

The 3.2.3 release was published in September 2007 and is mainly a bug fix release, also including new features related to handling exotic filesystems in Linux.

Overview

Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand. It can be used as an audit tool and a host intrusion detection system tool.

Tiger complements intrusion detection systems, from network IDS (Snort) to the kernel (LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), integrity checkers (many of these: aide, integrit, samhain, tripwire...) and log checkers, providing a framework in which all of them can work together. Tiger is not a log checker, nor is it focused on integrity analysis. It checks the system configuration and status.

The cronrc and tigerrc files are used for configuration.


  • sgid_list
  • signatures
  • suid_list

References

  1. Mann, Scott; Mitchell, Ellen L. (2000). Linux System Security. Upper Saddle River, NJ: Prentice Hall PTR. p. 341. ISBN 0-13-015807-0.
  2. http://www.net.tamu.edu/network/tools/tiger.html
  3. The Advanced Research Corporation ®