NOTE: To read changes made to the Debian package (since August 23rd 2001) see the changelog.Debian file Changes (v 3.2.4) -------------------- - Fixed some bashisms in files: * systems/default/check_ndd, line 90. * systems/HPUX/check_passwdspec, lines 101, 108. - Fixed a problem in the sh script file scripts/sub/check_suid finding the owner of files. - Fixed warning messages in scripts/sub/check_nousrgrp to make them easier to ignore and add proper documentation for the warnings - Updated mailing lists info in README - Fixed a problem in delete() function to remove properly files in loop in initdef script. - Fixed a problem removing a temporary file in scripts/find_file script. - scripts/check_known: Fixed problems handling files with spaces or newline characters in their filename in /*/lost+found/ directories. - Added support for recognize simfs as local filesystem. - Improve documentation for tiger messages - Fixed a bashism problem with logical expression in /systems/HPUX/check_trusted - Added support to recognize fuse.ltspfs for ltspfs file system and ltsp-server in systems/Linux/2/gen_mounts script. -...More changes in progress... Changes (v 3.2.3) -------------------- - SECURITY FIX: Fix a temporary race condition in the genmsgidx script (only affects those that build the code in untrusted systems) - Added support for more local and non-local filesystems in Linux gen_mounts: reiser4, securityfs, fuse.gvfs-fuse-daemon, fuseblk, fuse.truecrypt, fuse.encfs, debugfs, afs, configfs, gfs, gfs2, inotifyfs, hugetlb, subfs, futexfs and bind. - Added a new configuration variable in tigerrc (Tiger_FSScan_WarnUnknown) that allows administrators to disable the warning related to unknown filesystems and modified gen_mounts to make use of it. The default behaviour (in the provided tigerrc and in the code), if the variable is not set is to warn admins since unknown filesystems might be a security issue (rootkit?) - Add new variables in tigerrc: * Tiger_FSScan_Local: if set, filesystems defined in it will be considered local and will always be analysed. * Tiger_FSScan_NonLocal: ff set, filesystems defined in it will be considered non-local and will not be analysed. This allows administrators to add there esoteric filessystems in use so that they can work around the 'unknown filesystem' report generated by gen_mounts until it gets updated upstream. - Fix the main Makefile so that the code gets compiled when running 'make all' - Add a new Makefile to the doc/ subdirectory so that the contents get built and removed and no autogenerated content is distributed. This subdirectory is called from the main Makefile. - Use tempfile if available in the configuration step, although we work in WORKDIR and we are safe there - Make tigercron POSIX compliant so it works in any shell, not just bash - The 'gen_cron' script for Linux now handles properly the case when the special @daily,@reboot, etc. definitions are used instead of real times. - Scripts changes: * check_apache:Fix the way the configuration file is handled to obtain the IP address and port (Debian bug #436904) * check_crontags, check_xinetd, check_apache: Change message calls so that they can be filtered * find_files: Only check local filesystems * systems/Linux/2/deb_checkmd5sums: use prelink if available Changes (v 3.2.2) ---------------- - Applied patches from Ryan Bradetich to fix Makefiles in HPUX - Fixed bashisms in scripts - Fixed YPCAT calls - Added the audit scripts collection (audit/ subdir). These scripts extract information for a given operating system for offline review and have been provided by Marc Heuse and improved by me. For more information see the README file in that dir. Supported OSes: - AIX (tested in 4.x and 5.x) - Debian GNU/Linux - HPUX 10/11 - Nokia IPSO - ORACLE - RedHat GNU/Linux - Slackware - Solaris - SuSE Linux - Windows XP/2000/2003 - Added support for a check.d directory where administrators can dump scripts and have Tiger run them periodically - Small improvements to the messages's documentation. Including fixes to some error Ids which were not correct - Documentation improvements: explain new options and behaviour in the manpages, overall improvements to text files provided in sources. - Fixed scripts: check_accounts, check_aliases, check_anonftp, check_crontabs, check_devices, check_embedded, check_exports, check_finddeleted, check_ftpusers, check_group, check_inetd, check_known, check_listeningprocs, check_logfiles, check_netrc, check_passwd, check_passwdformat, check_path, check_printcap, check_rhosts, check_root, check_rootdir, check_rootkit, check_runprocs, check_sendmail, check_services, check_ssh, check_system, check_tcpd, check_umask, check_xinetd, find_files (Over 60 reported bugs fixed) - New checks: check_ntp, check_omniback, (Linux-specific) check_xinetd, - Many fixes in HPUX and Linux checks. - Added support for Solaris 8 and Solaris 9. New checks: - 'check_listeningproces' check for this OS too (uses pfiles instead of lsof) - 'check_patches': uses a patchdiag.xref file to look for missing patches - Added Tru64 support - Added HPUX-specific tigerrc file - Added spec file to build RPM packages - Move checks that need to be done to a TODO.check file Changes (v 3.2.1) ---------------- - New checks: - check_ndd (for HPUX and SunOS systems) - check_passwspec (for Linux and HPUX) - check_trusted (for HPUX) - check_rootkit - check_xinetd - aide_run and integrit_run as new (alternative) integrity file checkers (contributed by 'unspawn') - Improved/Fixed checks: -check_apache -check_devices (patch from Ryan Bradetich) -check_exports -check_finddeleted (patch from Nicolas François) -check_ftpusers -check_group -check_inetd -check_known -check_listeningprocs (patch from Nicolas François) -check_netrc -check_passwd -check_path -check_patch -check_passwdformat -check_perms -check_rhosts -check_root -check_services -check_signatures -check_tcpd -check_umask -crack_run -tripwire_run (Linux) check_inittab, check_rcumask, deb_nopackfiles (patch provided by Nicolas François), check_accounts (thanks to Nicolas François), deb_checkmd5sums (improvements by Nicolas François) - Other check changes: - check_cron moved to check_crontabs - removed SunOS check_networkconfig in favour of the new check_ndd - Default Tigerrc has been modified to account for the new checks - Applied Ryan Bradetich's patches for HPUX support and to some of the checks (check_accounts, check_passwd, check_rootdir - Added CERT's Unix security checklist comparison so users or admins can check which checks does Tiger implement automatically. - Fixed issue with tigercron, did not work as advertised - Fixed syntax errors in grep calls - Modified SunOS config file to look for the MAILSPOOL in /var/mail - Tiger now uses a function (run_script) to run either the scripts in the $SCRIPTDIR or system-specific scripts if available. This allows developers to create more specific checks for a given OS and have them override the generic scripts. - Review of temporary file creation in all files including the creation of a new function (safe_temp) to handle temporary file usage. - Included a RedHat spec file to create rpm packages (contributed by 'unspawn') - New utilities: mkfilelst - Full integration with TARA 3.0.3 including: * Update of all SunOS 5 checks based on ARSC's implementation in TARA * Preliminary MacOSX implementation based on ARSC's implementation in TARA * New check_rookit check * Improvements in checks - Tiger now can generate signatures for new systems - Tiger now shows usage - Updated manpages for tiger and tigexp - Removed Debian-specific checks from the default cronrc file and instead call 'check_system. Added new checks to the cronrc file - Updated documentation in README files - Added still more TODOs - Fixed Makefile (some checks were not getting installed) - Added sources for SGI security information in README.sources. - Added tigercron manpage. - Removed duplicated checks from cronrc - Improved variable checks in initdefs and applied patches from Ryan Bradetich and Nicolas François - Added some new configuration directives to site_sample - Included check_ssh in the checks run by Tiger - Fixed doc/accounts.txt - Fixed UUID definition in configuration files for most OS. - Fixed difflogs util with patch from Nicholas François and properly sort reports. - Fixed util/genmsgidx with patch from Nicholas François Changes (v 3.2) ---------------- - Added a roadmap to the TODO - Tiger will now output to the report the time of completion - Fixed Linux/2/check (Debian checks were not executed) - Removed stale files (*org-2.2.3) - Updated tigerrc files (-all and -dist). Removed stale file not being used anymore - Added some references in README.sources - Makefile will install the C binaries after compiling (modified 'all' target) - Preliminary 'distribution' target in Makefile - Added yet more TODOs - Added a -q (quite) option to config to be used by tigercron (avoids cron sending emails of nothing has changed, no need to redirect output) - Modified config to not output messages if -q is set (still need to modify tiger to use it too) - Added checks that have been segmented and are new into tiger and tigerrc (check_passwdformat, check_nisplus, check_apache, check_printcap, check_exrc, check_sendmail, check_printcap) - Fix of Tiger_Check_ETCISSUE in tiger which made the check run always. - Removed useless echo from tigercron - Included preliminary version of checks: aide_run, integrit_run (the last one was in the tar.gz but not in CVS) - Fixed Steve's name in the realpath.c note - Added Debian's changes from the 'experimental' area including the changelog and the change to the cron.d file - Created some scripts to check for issues in the source code, including script dependancies. - Fixed missing or improper dependancies in a number of scripts: check_accounts, check_aliases, check_anonftp, check_cron, check_devices, check_embedded, check_exports, check_finddeleted, check_ftpusers, check_group, check_inetd, check_issue, check_known, check_listeningproc, check_printcap, check_rhosts, check_root, check_services, check_tcpd, check_umask, crack_run, tripwire_run, and Linux's check. - Fixed PWCK behavior in check_passwd. - Added notes on behavior of check_sendmail, modified it to run only if SENDMAIL-CF exists. - Moved Debian-specific checks from check.tbl (would cause errors in non-Debian Linux distributions) to 'check' and modified it so that they will only run if distribution=Debian - Changed Linux's check_listeningprocs Tigerinstalldir to '.' - Added MD5 to Linux' config - Fixed bug in gen_cron which makes it output to STDERR if any of the SPOOL directories are empty - Fixed util/mksig to cread @DEST and @ORIG definitions, removed unnecessary dependancies, and added missing commands. (23 April 2003 - rc3) - [security] Applied Steve Grubb's patch to avoid a buffer overflow in realpath - Changed the behaviour of autoconf to avoid messing with binaries in the source copy. - Improved the Makefile: - better segmentation on targets (for testing and error checking) - follows better GNU's standards (including use of DESTDIR) - binaries and config are sed' on installation - missing (new) scripts have been included - removed config-local target (no sense ATM) - Fixed tigercron (removed CONFIGDIR and added some sanity checks) - Added sanity checks to Tiger_Accounts_Trust (22 April 2003 - rc2) - Makefile changes: - now installs WORK and LOGS dir as 700 - new targets (mantainerclean, config, config-local, distclean) - config modified to: - _only_ use hostname -f with Linux - hostname check is done after Tiger_Output_FQDN is defined - determine location of RCFILE and IGNOREFILE properly so that cli arguments can change them - configure now sets ${prefix} - Fixed ignore mechanism (wasn't working at all due to missing quotes) - Debian packaging fixes (14 April 2003 - rc1) - New ignore mechanism for all modules through the ignore_message function in initdefs provides a way for administrators to configure (with extended regular expressions) messages that no modules of Tiger will report (wether run in a full run or through a cron job). This helps administrator improve Tiger output and remove spurious errors or false positives (like the DNS UDP listeners reported by check_listeningprocs) - Updated the README and USING files with current information on how to run/install Tiger - Updated the README.linux file - Updated the README.hostids file - Wrote a new README.ignore file explaining the new mechanism - Fixed configuration so that the -f option is not used on non-Linux systems ('hostname -f' is not an option available in some of them and this breaks Solaris!) - Modified Linux' configuration file in order to work with new checks - Modified Linux' configuration file so that LSGROUPS is set properly depending on the fileutils version (enables Tiger to be used in Debian's 'woody' by fixing, at least, this know issue) - Fixed the check_inittab script for linux (did not look for the proper string!) - Improved the check_logfiles check in order to check also for logfile permissions and to be more flexible depending on OS. - Modified some of the util/ scripts: . Linux call is modified to return the proper value in gethostinfo . LS and AWK are no longer hardcoded in getpermit . [security] 'installsig' has been modified so that the DESTDIR in the file cannot be use to run local commands through 'eval' - Added missing HPUX config file - Added "new" signatures for Sun from TAMU New checks: - scripts/check_deleted: detects processes or services (servers) using deleted files. It is based on Brian Hatch's article on deleted files and the article "The Upgrade Process: Restarting vs Rebooting." published at hackinglinuxexposed.com. - scripts/check_services: derived from check_inetd, so that it only checks for service information - scripts/check_umask: derived from check_logfiles, check for user's umask. - scripts/check_passwdformat: Checks format of password files to determine if there is any inconsitency - scripts/check_apache: checks configuration of the Apache web server - scripts/check_exrc: checks for .exrc files (which might be loaded by a user inadvertendly when running some editors - Linux/2/check_network_config: checks for the values of the network configuration in order to determine if the system is susceptible to some attacks - Solaris/5/5.8/check_listeningprocs: preliminary version for Solaris to detect which processes/user are opening inbound sockets (note that NETSTAT will not provide process or user information and LSOF might not be available in all systems) - HPUX/check_ftpusers: new version of the check_ftpusers script. This one is specific for HPUX and has been contributed as a patch at Savannah. It does not do the same check as the generic one, and users might want to use this or the other one. - Solaris/5/check_network_config: preliminary version for Solaris to detect the network configuration parameters (stills need to be tested) - HPUX/check_network_config: preliminary version for HPUX of the same script Changes (v 3.1) 10/09/2002 --------------------------- New autoconfiguration stuff so that users can customize how to run Tiger (it can now be run from the local dir, that is, the directory it has been untarred to or any other dir). Default is /usr/local/tiger. See configure.in for more information. Fixes due to testing in Solaris. Mainly bashisms, but also some new tests for Solaris (not activated by default) as well as fixes for HP-UX. Fixes include check_accounts, check_devices, check_ftpusers, check_issue, check_known, check_listeningprocs, check_logfiles, check_netrc, check_passwd, check_passwd, check_rhosts, This Solaris testing has also derived new Solaris 5.8 and Solaris 5 configuration scripts. This new upstream version includes a new check_loginlog for Linux (based on SuSE's) as well as a preliminary version of check_patches for Solaris. check_listeningprocs using LSOF *and* NETSTAT has been moved to Linux (the version for any other OS uses only 'lsof' since 'netstat' is not standarised) Tigexp does not regenerate messages unless being run by root (so that common users do not get a warning if they run 'tigexp') Changes (v 3.0) 07/26/2002 --------------------------- New upstream release. Includes a lot of new checks for Linux (developed for the Debian GNU/Linux distribution) and also includes TARA's and HP's fixes. This new upstream is distributed through savannah.gnu.org (look for CVS sources there too). The full changes description can be found in the Debian changelog (debian/changelog in the source dir) and span from the 2.2.4-1 to the 2.2.4p2-5 Debian packages. Changes 09/07/99 ------- Fixed to work with SUSE and TurboLinux Changes 06/02/99 ------- Developed a new tigerrc to support customer's security checklist. More extensive tigerrc is in tigerrc-dist. Fixed bug in check_root for Linux boxes. Updated systems service file. Changes 05/30/99 ------- Developed HTML output capability (tiger -H). Fixed systems files for SunOS and IRIX Changes 04/20/99 ------- Corrected numerous small bugs in scripts. Updated the systems directories to reflect current OS configurations for Linux, SunOS, and IRIX and default. Cleaned up the output a bit. --- Advanced Research Corporation Changes 03/09/94 ------- Fix to ./scripts/sub/check_embed. This was disabling the check_embedded script. New Stuff 01/06/94 --------- Updated signature files for SunOS 4.x and SunOS 5.x. Bug fixes... If the current directory is a descendant of a directory for which the user does not have 'read' permissions (i.e., search only), then csh and find do not always work. Workaround is to 'cd /' where necessary. Not sure this has been completely implemented. typo in scripts/sub/check_devs (Multiple people) scripts/sub/check_devs exited if GENCLIENTDIRS undefined (Sally Noonan). -x 'test' switch is not portable. (Sally Noonan) AIX doesn't need '-g' (Dorian Deane) IRIX test doesn't shortcircuit (Steve Rikli) IRIX config had wrong definition for DATECMD and TIMECMD (Steve Rikli) Crude 'smrsh' check performing poorly (Patrick Nolan & Mohamed el Lozy) Changes for performance and robustness, as suggested by Goran Larsson. A C program is used to get file ownership and permissions instead of 'ls | awk'. (If the C program won't compile, we fall back to 'ls | awk'. Changes to check_anonftp for performance. Added -c switch to allow specifying alternate 'tigerrc' script (John Reynolds) 'tigexp' loses command line parameters on NeXT 3.0 (Kelly Cunningham) Added ethernet device files to check list for SunOS 5 (was already there in SunOS 4). Also inspects /var/sadm/install/contents to check the perms there so that they don't get accidentally changed back. New Stuff 10/31/93 --------- Mailling list available. See the README file for more information. Support for TAMU Linux distribution, may work on other Linux' as well. Updated signatures for SunOS 4.x & SunOS 5.x for security patches. 'installsig' script for installing new signature files (util/installsig). We will try to maintain up to date security patch signature files in the directory net.tamu.edu:/pub/security/TAMU/tiger-sigs. Note that at present, only SunOS 4.x and SunOS 5.x are being actively maintained (not that there is a bias here, it is just easier for me to get information on these... contributions will be welcomed). Various minor bug fixes relating to various platforms. Fixed check_suid to handle MD5 signatures. check_embedded now will optionally wait for the file system scans to complete and will check all setuid executables found for "bad" embedded pathnames. See 'tigerrc' for configuring details. New Stuff 08/17/93 --------- Script for checking embedded pathnames. The other scripts collect filenames which are then fed into the check_embedded script. This checks the ownership and permissions of all of these embedded pathnames. Be warned... this can generate *lots* of output. Pathname checking is now much more complete. Every "problem" is reported in detail, instead of saying "Hey, there's a problem with this pathname". 'tigercron' should work a lot better now. Script for checking BSD printcap printer control file. Signatures for IRIX 4.0.5*, thanks to Steve Rikli. Signatures for NeXTOS 3.1, thanks to William McVey, et al. Cleaned up output... much of the output now gets formatted to (default) 80 columns. Digital signature checking now works with SNEFRU or MD5. Automagically detects which signature to generate. Signature checking is a lot faster now, especially if you have a clean system (the signature database is ordered such that the "good" signatures are first). Interface to 'password' generator scripts changed so that the generator scripts can do sanity checking on the base files. Interfaces to all of the other generator scripts will be changed in next release. Makefile for installing everything. I'm not happy with the installation process this time either... if anyone wants to contribute a snazzy installation script I'll be happy to include it... New Stuff 06/17/93 --------- First off, there are some man pages in the 'man' directory. They are definitely lacking. If I ever stop adding stuff to the package, maybe I will be able to write better documentation. ******** Explain facility. All messages (should) have a message ID associated with them in square brackets []. The script 'tigexp' can be used to get an explanation of the message. Some (many?) of the explanations are lacking. You can also insert the explanations into the output of 'tiger' by using the '-e' flag. If anyone has suggestions or improved explanations, don't hesitate to send them to me. ******** Crack 4.1 interface. 'tiger' will now run Alec Muffett's password cracker 'Crack'. See the 'tigerrc' file and 'site-sample' file for information on enabling it (it is disabled by default). ******** Systems: SunOS 4.1.1 sun3, 4.1.1 sun4, 4.1.2, 4.1.3, 5.1, 5.2 sun4 NeXT 3.0 There, but untested (and I do mean untested). You can try them, but they have *never* been used, so I have no idea what to expect. Some parts are missing (i.e., no signature files). AIX 3.x (if this one works... any idea why so many setuid's on AIX 3?) HPUX (probably anything up to 9.x) IRIX 4.x UNICOS 6.x 7.x (if those pesky users didn't use the machine so much...) ******** More checks. A few of the additions since the last release are: check_aliases: Check mail aliases for problems. check_cron: Check 'cron' entries for problems. check_group: Cross reference 'group' files for problems. check_passwd: Cross reference 'passwd' files for problems. check_path: Check 'root' (and optionally all users) PATH for problems. In addition all previous scripts have been beefed up with many more checks. File Permission databases have been improved (though they still need more work). Scripts which check the path to executables and files now check the pathname thoroughly, even in the face of symbolic links. The file system scans now report device files, world writable directories, symbolic links to system files, in addition to setuid executables. Also the setuid checks now attempt to determine if a setuid program is an old version of a binary for which a security patch was released (i.e., it was moved out of the way, but never deleted or chmod'd, and hence may still be a security problem). For servers of diskless or dataless clients, some "quick" checks of the clients can be performed on the server (see man/tiger.man). Not everything can be checked. Plus, support is not complete. It is possible to install 'tiger' now so that you don't have to feed it all the names of the directories on each invocation. Just run 'Install'... it will prompt for names. 'tigercron' provides a simple-cron facility with report differencing capability and mailing of reports. This is just started and needs more work to be really useful. See the 'cronrc' file for a sample input to it. Checks for the availability of a utility commands have been moved nearer to where they are actually needed (as opposed to having them at the top of each script). This enables more checks to be performed when only a few commands are missing. All cleanup of scratch files goes through the 'delete' routine which won't delete a file that isn't in the scratch work directory. This is to prevent programmer errors from zapping the wrong file [what? programmer errors? Never... :)] Some more C code added. Handling of obtaining a compilation of the source improved. For casual use, nothing need be done. The C code will be compiled and installed in the Bindir (TIGERHOME/bin by default). For regular use, or use in a large group of systems, sharing the tiger directories, the binaries can be compiled and stored in the respective system directories. The scripts will use the binary directly from that directory. The Solaris 2.x (SunOS 5) directory provides precompiled binaries (no C compiler by default). Finally, if you try to run this on a system with an old or broken Bourne shell, or one without functions, have a peek at util/setsh. This will change all the '#!' headers to some other shell (i.e. ksh or bash). Note that 'tiger' has never been run under either of these, but it might be worth a shot.