Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

tigercron(8) [debian man page]

TIGERCRON(8)						      Administrator Commands						      TIGERCRON(8)

NAME

       tigercron - Cron utility for Tiger UNIX Security Checker

SYNOPSIS

       tigercron [controlfile] [-B basedir] [tigeroptions...]

DESCRIPTION

       Tigercron  is used to run periodically checks from the Tiger UNIX Security Checker. Tigercron reads a control file which is usually located
       in '/etc/tiger/cronrc' although it can also be specificied as the first argument when calling the program.  The format of this control file
       is  the	same as for the cron program, each line indicates when different checks from Tiger will be run.  The user can indicate where Tiger
       is installed through the -B basedir parameter, any other additional options provided in the command line will be passed on to configure	to
       configure Tiger based on them (as described in tiger (8)).

       Tigercron  runs	the specified checks and compares their reports with previous stored reports (under /var/log/tiger). It will then mail the
       user defined in '/etc/tiger/tigerrc' (Tiger_Mail_RCPT) the results.

       When a module is run, tigercron checks:

       o   If Tiger_Cron_Template is set to Y in tigerrc. If it is, it checks if there is a template stating which are the expected results.

       o   If Tiger_Cron_CheckPrev is set to Y in tigerrc. If it is, it checks if there is a previous run of the module it can check against.

       A differential report is generated depending on the module reports and previous run and is sent through e-mail. These  reports  provide	an
       easy  way to detect intrusions even if no configuration of templates has been done. In the event of an intrusion a Tiger check might detect
       something specific (file changes, new processes, new users, etc.) and this alert mechanism provides a way to turn Tiger into a Host  Intru-
       sion Detection System (HIDS).

       The ability of it to work as a proper HIDS is based on a good customization of the cronrc file. Modules that check events to which the host
       is most exposed to should be run often in order to detect deviations from normal behaviour.

OPTIONS

       Tigercron uses the same options as Tiger. A controlfile can be defined also to override the default.

FILES

       /etc/tiger/tigerrc
	      Configuration file for the Tiger tool.

       /etc/tiger/cronrc
	      Configuration file for the Tigercron tool.

       /var/log/tiger
	      Location of the log messages generated by Tiger when run through cron

       /var/lib/tiger/work
	      Working directory used by Tiger scripts to create temporary files.

SEE ALSO

       tigexp(8),tiger(8),cron(8),crontab(5)

       The deficiencies of using tigercron as a HIDS are described in the file README.hostids which  is  provided  with  the  package.	In  Debian
       GNU/Linux you will find this (and other related) documentation at /usr/share/doc/tiger/

BUGS

       Currently  Tigercron  has only one alert mechanism (mail) and signatures are not supported. Thus, alerts could be faked. Also, it is depen-
       dant on cron and will not work if cron is not working.

AUTHOR

       This manpage was written by Javier Fernandez-Sanguino.

Security							 19 September 2003						      TIGERCRON(8)

Check Out this Related Man Page

TIGEXP(8)						      Administrator Commands							 TIGEXP(8)

NAME

       tigexp - UNIX Security Checker Explanation Generator

SYNOPSIS

       tigexp msgid [msgid[msgid...]]

       tigexp [-f|-F] [security_report]

DESCRIPTION

       Tigexp is used to generate explanations of the output from the Tiger security checking package.	In the first form, tigexp will generate an
       explanation of each of the message ids listed.  In the second form, the security report specified will be scanned and  explanations  gener-
       ated.  The -f option will generate one explanation for each unique message id in the security report, whereas the -F option will output the
       security report with explanations inserted after each entry in the report.

       There are five different message levels produced by Tiger. Each of the message levels is the last letter of the message id. The levels are:

       ALERT  A message of this level indicates that Tiger has detected a possible intrusion attempt or  troublesome  misconfiguration	which  can
	      expose the whole system to attacks.

       FAIL   Messages of this level indicate a violation of a generic security policy or a possible intrusion. Appropriate action should be taken
	      to fix this security issue.

       WARN   Messages of this level indicate a security issue which should be checked further and might  indicate  a  probable  vulnerability	or
	      exposure. Most Tiger messages appear in this category.

       INFO   These  includes  information messages which are not necessarily a security violation but might be useful for the administrator. Note
	      that the tigerrc configuration file through the Tiger_Show_INFO_Msgs option determines whether or not Tiger shows these  items.  The
	      default behaviour is to not show them.

       ERROR  These  messages are errors in the execution of Tiger (or any of its scripts), this is probably due to a misconfiguration in the pro-
	      gram, because of a problem in the installation or because a file needed for the test is missing. The script who outputs  this  error
	      should be investigated further.

       CONFIG Messages with this level inform of stages in the configuration process of Tiger. They are not errors (otherwise ERROR would be used)
	      but notices for the user running the program explaining, for example, which configuration might be used.

   OPTIONS
       -f     Scan the indicated security report and generate explanations of it.  One explanation will be generated for each unique message id in
	      the security report.  If the name of a security report is not given, then the report is read from stdin.

       -F     Output the indicated security report with explanations inserted after each entry in the report.  If the name of a security report is
	      not given, then the report is read from stdin.

FILES

       $TIGERHOMEDIR/doc/explain.idx

SEE ALSO

       tiger(8)

BUGS

       If the explanation index is out of date, it doesn't recognize it and generates junk.

Security							  12 August 2003							 TIGEXP(8)
Man Page