File: USING

Package: tiger 1:3.2.4~rc1-3 (Debian suite: bullseye)

Here's a quick "HOW TO" on using 'tiger'...

First:  Make sure you are using a 'tigerrc' file to your liking. This
        file is by default shipped with all checks enabled. You should
        probably edit it to enable only the checks you are interested
        in.

Second, for just a test run, it is *NOT* necessary to install 'tiger'.
Just 'cd' into the top-level tiger directory and run './tiger'.  This
will create a security report after some time (times vary based on system
size and extent of checking defined in 'tigerrc').

If you fix some things, and want to run just part of the system without
having to wait for the entire thing, you can run any of the scripts 
there standalone.  Just use './scripts/scriptname'.  The output will go to
stdout, so if you want to save it to a file, you'll need to redirect it.

A complete HTML report can be generated by using the '-H' option on the
tiger command line. This will generate an HTML report with hyperlinks to
the message text. If an HTML report is not desired, you can follow the
procedures below.

If you want more information on a particular message generated by 'tiger'
(or any of the scripts), you can use the 'tigexp' (TIGer EXPlain) facility.
You have three choices here.

First, if you just want more information on a specific message, just use
'./tigexp msgid', where 'msgid' is the text inside the [] associated with
each message.  For example, to obtain more information about:

--WARN-- [acc001w] Login ID backup is disabled, but still has a valid shell 
         (/bin/sh). 

one would use './tigexp acc001w'.

Second, if you want to insert the explanations in the report, you can
either run 'tiger' (or the individual scripts) with the '-E' option,
or if you have already run it, then use 'tigexp -F report-file'.  This
will write a copy of the security report to stdout, with explanations
inserted.

The third option is to generate a separate explanation file from a
report file.  To do this, use 'tigexp -f report-file'.  An explanation
report will be generated, listing the message identifier alongside each
explanation.  This is useful when the report file has lots of repeated
message IDs and inserting the explanations inline would increase the
size of the report to absurd proportions.
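The three 'tigexp' modes above leave one decision to the operator: whether
a given report is better served by inline explanations ('-F') or by a
separate explanation file ('-f').  The following shell functions, added here
as an example and not part of the tiger sources, parse the '--LEVEL--
[msgid]' message format shown above, count how often each message ID
repeats, and pick the mode accordingly.  The report lines in REPORT_SAMPLE
are constructed for illustration (only 'acc001w' is a message ID quoted on
this page; 'acc999x' is made up), and the assumption that every message
line starts with '--WORD-- [id]' is taken from the example above.

```shell
#!/bin/sh
# Added example, not part of tiger: inspect a Tiger report and choose the
# tigexp mode.  REPORT_SAMPLE is constructed for illustration; 'acc999x' is
# an invented message ID, 'acc001w' is the one quoted in the USING text.
REPORT_SAMPLE='--WARN-- [acc001w] Login ID backup is disabled, but still has a valid shell
         (/bin/sh).
--WARN-- [acc001w] Login ID games is disabled, but still has a valid shell
         (/bin/sh).
--FAIL-- [acc999x] constructed message for the example
--INFO-- [acc999x] constructed message for the example
--WARN-- [acc001w] Login ID nobody is disabled, but still has a valid shell
         (/bin/sh).'

# raw_msgids REPORTFILE -> one message ID per message line, in report order.
# Continuation lines (indented, no '--LEVEL--' prefix) are skipped.
raw_msgids() {
    sed -n 's/^--[A-Z]*-- \[\([a-z0-9]*\)\].*/\1/p' "$1"
}

# msgids REPORTFILE -> distinct message IDs, sorted, one per line.
msgids() {
    raw_msgids "$1" | sort -u
}

# msgid_counts REPORTFILE -> "count msgid" per distinct ID, most frequent first.
msgid_counts() {
    raw_msgids "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# explain_mode REPORTFILE -> "-F" when no ID repeats (inline explanations add
# little bulk), "-f" when IDs repeat (a separate explanation file is smaller).
explain_mode() {
    total=$(raw_msgids "$1" | awk 'END { print NR }')
    distinct=$(msgids "$1" | awk 'END { print NR }')
    if [ "$total" -gt "$distinct" ]; then
        echo "-f"
    else
        echo "-F"
    fi
}

# explain_report REPORTFILE -> run tigexp from the current tiger directory
# with the mode chosen above.  Not exercised by the checks below.
explain_report() {
    ./tigexp "$(explain_mode "$1")" "$1"
}

# Stand-alone demonstration on the constructed sample.
if [ -z "$TIGER_EXAMPLE_NO_MAIN" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$REPORT_SAMPLE" > "$tmp"
    echo "message counts:"
    msgid_counts "$tmp"
    echo "suggested tigexp mode: $(explain_mode "$tmp")"
    rm -f "$tmp"
fi
```

On the sample, 'acc001w' appears three times and 'acc999x' twice, so the
function suggests 'tigexp -f report-file'; a report in which every ID is
unique gets '-F' instead.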


------------------------------------------------------------------------

Running 'tiger' regularly.

First: It still isn't necessary to "install" 'tiger'.  Installing it
is only a convenience.  If you do not install it, then it will be
necessary to either invoke 'tiger' (or the individual scripts) with
the '-B' option or 'cd' to the 'tiger' directory before running it.
The '-B' option informs the scripts where the top level 'tiger'
directory is (_B_asedir).

You have two options when running 'tiger' regularly.  The first is
to simply run 'tiger' out of cron.  Since on large systems, a full run
can take hours, this is probably not desirable.

The more desirable is to use 'tigercron'.  With 'tigercron', it is
possible to run the individual scripts spread out over a time period
(some can be run three times a day, others once a week or month).
In addition, 'tigercron' will (on some systems) e-mail a "change"
report to the specified person (in 'tigerrc').  The "change" report
will only contain "new" information and will only be mailed when
there *is* new information.

This can be helpful to make Tiger behave as a Host Intrusion Detection
System (HIDS), but it has some caveats; make sure to read README.hostids
if your intention is to use Tiger in this way.

------------------------------------------------------------------------

Installing 'tiger'.  If you do decide to install 'tiger', you can
use the provided './configure' script. This script modifies the
'tiger', 'tigercron', 'config' and 'Makefile' files and sets the Tiger
directory so that they can run properly once installed. You can run
the 'configure' script with the following options (check
'./configure --help'):

  --with-tigerhome=LOCATION       Location of all Tiger files 
                                  (default /usr/local/tiger)
  --with-tigerconfig=LOCATION     Location of Tiger configuration files
                                  (default /usr/local/tiger)
  --with-tigerwork=LOCATION       Location of all the temporary files created 
                                  by Tiger
                                  (default /usr/local/tiger/run)
  --with-tigerlog=LOCATION        Location of all the logfiles created by Tiger
                                  (default /usr/local/tiger/log)
  --with-tigerbin=LOCATION        Location of the Tiger binaries
                                  (default /usr/local/bin)

Then just type 'make install'.  

NOTE NOTE NOTE: It is important that the destination
directory (TIGERHOME) is *NOT* the same as the source directory
(where 'tiger' was extracted).  The Makefile currently doesn't have
the smarts (I'm not sure it has any) to handle such a situation and
will mangle TIGER horribly.
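Because the Makefile does not guard against TIGERHOME being the source
tree, the check is easy to do by hand before 'make install'.  The shell
functions below are an added example, not part of the tiger sources: they
resolve both paths (following symlinks) and refuse to configure and install
when they name the same directory.  The '--with-tigerhome' option and
'make install' are the ones documented above; the argument names SRCDIR and
TIGERHOME are this example's own.

```shell
#!/bin/sh
# Added example, not part of tiger: refuse to install Tiger into its own
# source tree, which the NOTE above warns will mangle the installation.

# same_dir SRC DEST -> status 0 when both resolve to the same directory,
# 1 when they differ or DEST does not exist yet (then it cannot be SRC),
# 2 when SRC itself cannot be entered.
same_dir() {
    src=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    dest=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    [ "$src" = "$dest" ]
}

# install_tiger SRCDIR TIGERHOME -> run ./configure and make install from
# the extracted source tree, only if TIGERHOME is a different directory.
install_tiger() {
    srcdir=$1
    tigerhome=$2
    if same_dir "$srcdir" "$tigerhome"; then
        echo "refusing to install: TIGERHOME '$tigerhome' is the source directory" >&2
        return 1
    fi
    (cd "$srcdir" && ./configure --with-tigerhome="$tigerhome" && make install)
}

# Stand-alone demonstration with constructed paths; adjust before real use.
if [ -z "$TIGER_EXAMPLE_NO_MAIN" ]; then
    install_tiger "$(pwd)" /usr/local/tiger || echo "install skipped or failed (see above)"
fi
```

Default 'make install' places Tiger under /usr/local/tiger, so the usual
mistake this catches is extracting the tarball there and then configuring
with the default TIGERHOME.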
------------------------------------------------------------------------