Tiger
Overview
Tiger is a comprehensive security audit tool for UNIX and Linux systems that performs automated security checks, analyzes system configuration, and detects intrusion attempts. It examines user accounts, file systems, network services, and system logs to identify security vulnerabilities and suspicious activities.
Tiger runs as a scheduled daemon or manual audit tool, generating detailed reports on system security posture. It’s particularly useful for compliance audits, baseline establishment, and continuous monitoring.
Installation
Package Manager (Kali Linux)
sudo apt-get update
sudo apt-get install tigerManual Installation from Source
git clone https://github.com/tiger-tools/tiger.git
cd tiger
./install.shDocker Deployment
docker run -v /etc:/etc:ro kalilinux/kali-rolling tiger -BBasic Usage
| Command | Purpose |
|---|---|
tiger | Run comprehensive system audit |
tiger -B | Generate binary database for comparison |
tiger -w | Write audit report to file |
tiger -c config_file | Use custom configuration |
tiger -l logdir | Specify log directory location |
tiger -x | Examine specific areas only |
Core Security Checks
System Configuration Analysis
# Run full Tiger audit
tiger -B
# Generate baseline database
tiger -B -w
# Compare current system to baseline
tiger -c /etc/tiger/tiger.confCustom Configuration
# Create custom Tiger configuration
sudo nano /etc/tiger/tiger.conf
# Enable specific checks
DOCHK_FILE='Y' # File permissions check
DOCHK_PASSWD='Y' # User/password check
DOCHK_NETWORK='Y' # Network audit
DOCHK_ROOTKIT='Y' # Rootkit detectionAudit Reports
| Report Section | Description |
|---|---|
| Files & Permissions | Dangerous file permissions, world-writable files, SUID/SGID binaries |
| User Accounts | Weak passwords, duplicate UIDs, unauthorized shells, dormant accounts |
| Network Services | Open ports, running daemons, listening services, suspicious connections |
| System Logs | Failed logins, root access attempts, system errors, suspicious patterns |
| Filesystem | Unmounted filesystems, unusual directories, inode anomalies |
| Rootkits | Signs of rootkit installation, hidden processes, modified binaries |
Generating Detailed Reports
# Full audit with verbose output
tiger -B -w -v
# Generate HTML report
tiger -B -w -f html
# Create baseline for comparison
tiger -B -w baselineFile System Security
Check SUID/SGID Binaries
# Scan for setuid binaries
tiger -B | grep -i suid
# Find all SUID executables
find / -perm /4000 -type f 2>/dev/nullWorld-Writable File Detection
# Tiger automatically checks for world-writable files
tiger -B -w
# Manual world-writable scan
find / -perm -002 -type f 2>/dev/nullFile Integrity Monitoring
# Create baseline of critical files
tiger -B -w /etc /usr/bin
# Monitor for changes
tiger -B -l /var/log/tigerUser Account Security
Audit User Accounts
# Tiger checks user accounts automatically
tiger -B -w
# Manual password policy review
cat /etc/login.defs | grep PASS_
# Check for dormant accounts
lastlog -b 30Identify Suspicious Users
# Find users with UID 0 (root)
awk -F: '$3 == 0 {print $1}' /etc/passwd
# Check for null-password accounts
awk -F: '($2 == "" || $2 == "!" || $2 == "!!") {print $1}' /etc/shadowNetwork Security Analysis
Port and Service Audit
# Tiger network checks
tiger -B -w
# View Tiger's network analysis
cat /var/log/tiger/[report].txt | grep -i networkListening Service Detection
# Check all listening services
netstat -tlnp | grep LISTEN
# View network connections in Tiger report
tiger -B -w | grep "port\|service"Rootkit Detection
Enable Rootkit Scanning
# Configure Tiger for rootkit detection
echo "DOCHK_ROOTKIT='Y'" | sudo tee -a /etc/tiger/tiger.conf
# Run rootkit checks
tiger -B -wSystem Call Anomalies
# Check for kernel module anomalies
lsmod | wc -l
# Examine suspicious modules
lsmod | grep -v 'Used by'
# Compare process visibility
ps aux | wc -lLog Analysis
Review Tiger Findings
# View latest Tiger report
sudo tail -f /var/log/tiger/security.report
# Search for critical findings
grep -i "critical\|alert" /var/log/tiger/security.reportFailed Login Attempts
# Tiger analyzes auth logs automatically
tiger -B -w
# Manual failed login review
grep "Failed password" /var/log/auth.log | tail -20
# Count failed attempts by user
grep "Failed password" /var/log/auth.log | awk '{print $9}' | sort | uniq -cScheduling Automated Audits
Cron Job Setup
# Add Tiger audit to crontab
0 2 * * * /usr/sbin/tiger -B -w -l /var/log/tiger
# Daily morning security report
0 8 * * * /usr/sbin/tiger -B -w | mail -s "Tiger Audit" admin@example.comSystemd Timer
# Create Tiger audit service
sudo nano /etc/systemd/system/tiger-audit.service
[Unit]
Description=Tiger Security Audit
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/tiger -B -w -l /var/log/tiger
User=root
# Create timer unit
sudo nano /etc/systemd/system/tiger-audit.timer
[Unit]
Description=Run Tiger Audit Daily
[Timer]
OnCalendar=daily
OnCalendar=*-*-* 02:00:00
[Install]
WantedBy=timers.target
# Enable timer
sudo systemctl enable tiger-audit.timer
sudo systemctl start tiger-audit.timerComparison and Baseline Management
Creating and Using Baselines
# Create initial baseline
tiger -B -w baseline
# Create comparison database
tiger -B -w current
# Generate difference report
tiger -B -w comparison > baseline_diff.txtIncremental Auditing
# Quick incremental audit
tiger -i
# Focused checks only
tiger -B -x /etc /usr/bin
# Generate minimal report
tiger -B -w -qIntegration and Advanced Usage
Syslog Integration
# Configure Tiger to send logs to syslog
echo "SENDREPORT_CMD='logger -t tiger'" | sudo tee -a /etc/tiger/tiger.conf
# Monitor Tiger messages
sudo tail -f /var/log/syslog | grep tigerCustom Checks
# Create custom check script
sudo nano /etc/tiger/check.local
#!/bin/bash
# Custom security checks
find / -name ".ssh" -perm -004 2>/dev/null
# Make executable
sudo chmod +x /etc/tiger/check.local
# Run with custom checks
tiger -B -wIntegration with SIEM
# Export Tiger findings in syslog format
tiger -B -w -f syslog > tiger_events.log
# Parse and forward to SIEM
cat tiger_events.log | nc siem.local 514Performance Tuning
Limit Scan Scope
# Audit specific directories only
tiger -B -x /etc /usr/bin -l /var/log/tiger
# Skip slow checks
echo "DOCHK_NETWORK='N'" >> /etc/tiger/tiger.conf
# Reduce verbosity
tiger -B -w -qResource Management
# Run with nice priority
nice -n 10 tiger -B -w
# Limit scan to working hours
0 22 * * * /usr/sbin/tiger -B -w -qTroubleshooting
Common Issues
| Issue | Solution |
|---|---|
| Permission denied | Run as root: sudo tiger |
| No reports generated | Check log directory: ls -la /var/log/tiger/ |
| Slow scanning | Exclude large directories: tiger -B -x /home |
| Memory issues | Reduce check scope with -x flag |
| Cron not executing | Check crontab: sudo crontab -l |
Debug Mode
# Run with debugging enabled
tiger -d -B -w
# Verbose output
tiger -v -B -w
# Log all activities
tiger -B -w -l /var/log/tiger/debugSecurity Best Practices
- Regular Auditing: Run Tiger weekly or monthly depending on environment
- Baseline Establishment: Create and maintain security baselines
- Report Review: Regularly analyze and act on Tiger findings
- Access Control: Restrict Tiger report access to authorized administrators
- Logging: Centralize Tiger logs for compliance and forensics
- Updates: Keep Tiger current for latest security checks
Cross-Platform Compatibility
Tiger works on:
- Linux distributions (Debian, Ubuntu, RHEL, CentOS)
- BSD systems (FreeBSD, OpenBSD)
- Solaris/SunOS
- macOS (with limited functionality)
- UNIX variants
Resources
- Tiger Official: https://www.nongnu.org/tiger/
- Documentation:
/usr/share/doc/tiger/ - Configuration:
/etc/tiger/tiger.conf - Reports:
/var/log/tiger/
Tiger provides comprehensive automated security auditing for UNIX systems, making it essential for system hardening, compliance verification, and incident detection across enterprise environments.