Tiger

Overview

Tiger is a comprehensive security audit tool for UNIX and Linux systems that performs automated security checks, analyzes system configuration, and detects intrusion attempts. It examines user accounts, file systems, network services, and system logs to identify security vulnerabilities and suspicious activities.

Tiger runs as a scheduled daemon or manual audit tool, generating detailed reports on system security posture. It’s particularly useful for compliance audits, baseline establishment, and continuous monitoring.

Installation

Package Manager (Kali Linux)

sudo apt-get update
sudo apt-get install tiger

Manual Installation from Source

git clone https://github.com/tiger-tools/tiger.git
cd tiger
./install.sh

Docker Deployment

docker run -v /etc:/etc:ro kalilinux/kali-rolling tiger -B

Basic Usage

Command	Purpose
`tiger`	Run comprehensive system audit
`tiger -B`	Generate binary database for comparison
`tiger -w`	Write audit report to file
`tiger -c config_file`	Use custom configuration
`tiger -l logdir`	Specify log directory location
`tiger -x`	Examine specific areas only

Core Security Checks

System Configuration Analysis

# Run full Tiger audit
tiger -B

# Generate baseline database
tiger -B -w

# Compare current system to baseline
tiger -c /etc/tiger/tiger.conf

Custom Configuration

# Create custom Tiger configuration
sudo nano /etc/tiger/tiger.conf

# Enable specific checks
DOCHK_FILE='Y'      # File permissions check
DOCHK_PASSWD='Y'    # User/password check
DOCHK_NETWORK='Y'   # Network audit
DOCHK_ROOTKIT='Y'   # Rootkit detection

Audit Reports

Report Section	Description
Files & Permissions	Dangerous file permissions, world-writable files, SUID/SGID binaries
User Accounts	Weak passwords, duplicate UIDs, unauthorized shells, dormant accounts
Network Services	Open ports, running daemons, listening services, suspicious connections
System Logs	Failed logins, root access attempts, system errors, suspicious patterns
Filesystem	Unmounted filesystems, unusual directories, inode anomalies
Rootkits	Signs of rootkit installation, hidden processes, modified binaries

Generating Detailed Reports

# Full audit with verbose output
tiger -B -w -v

# Generate HTML report
tiger -B -w -f html

# Create baseline for comparison
tiger -B -w baseline

File System Security

Check SUID/SGID Binaries

# Scan for setuid binaries
tiger -B | grep -i suid

# Find all SUID executables
find / -perm /4000 -type f 2>/dev/null

World-Writable File Detection

# Tiger automatically checks for world-writable files
tiger -B -w

# Manual world-writable scan
find / -perm -002 -type f 2>/dev/null

File Integrity Monitoring

# Create baseline of critical files
tiger -B -w /etc /usr/bin

# Monitor for changes
tiger -B -l /var/log/tiger

User Account Security

Audit User Accounts

# Tiger checks user accounts automatically
tiger -B -w

# Manual password policy review
cat /etc/login.defs | grep PASS_

# Check for dormant accounts
lastlog -b 30

Identify Suspicious Users

# Find users with UID 0 (root)
awk -F: '$3 == 0 {print $1}' /etc/passwd

# Check for null-password accounts
awk -F: '($2 == "" || $2 == "!" || $2 == "!!") {print $1}' /etc/shadow

Network Security Analysis

Port and Service Audit

# Tiger network checks
tiger -B -w

# View Tiger's network analysis
cat /var/log/tiger/[report].txt | grep -i network

Listening Service Detection

# Check all listening services
netstat -tlnp | grep LISTEN

# View network connections in Tiger report
tiger -B -w | grep "port\|service"

Rootkit Detection

Enable Rootkit Scanning

# Configure Tiger for rootkit detection
echo "DOCHK_ROOTKIT='Y'" | sudo tee -a /etc/tiger/tiger.conf

# Run rootkit checks
tiger -B -w

System Call Anomalies

# Check for kernel module anomalies
lsmod | wc -l

# Examine suspicious modules
lsmod | grep -v 'Used by'

# Compare process visibility
ps aux | wc -l

Log Analysis

Review Tiger Findings

# View latest Tiger report
sudo tail -f /var/log/tiger/security.report

# Search for critical findings
grep -i "critical\|alert" /var/log/tiger/security.report

# Tiger analyzes auth logs automatically
tiger -B -w

# Manual failed login review
grep "Failed password" /var/log/auth.log | tail -20

# Count failed attempts by user
grep "Failed password" /var/log/auth.log | awk '{print $9}' | sort | uniq -c

Scheduling Automated Audits

Cron Job Setup

# Add Tiger audit to crontab
0 2 * * * /usr/sbin/tiger -B -w -l /var/log/tiger

# Daily morning security report
0 8 * * * /usr/sbin/tiger -B -w | mail -s "Tiger Audit" admin@example.com

Systemd Timer

# Create Tiger audit service
sudo nano /etc/systemd/system/tiger-audit.service

[Unit]
Description=Tiger Security Audit
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/tiger -B -w -l /var/log/tiger
User=root

# Create timer unit
sudo nano /etc/systemd/system/tiger-audit.timer

[Unit]
Description=Run Tiger Audit Daily

[Timer]
OnCalendar=daily
OnCalendar=*-*-* 02:00:00

[Install]
WantedBy=timers.target

# Enable timer
sudo systemctl enable tiger-audit.timer
sudo systemctl start tiger-audit.timer

Comparison and Baseline Management

Creating and Using Baselines

# Create initial baseline
tiger -B -w baseline

# Create comparison database
tiger -B -w current

# Generate difference report
tiger -B -w comparison > baseline_diff.txt

Incremental Auditing

# Quick incremental audit
tiger -i

# Focused checks only
tiger -B -x /etc /usr/bin

# Generate minimal report
tiger -B -w -q

Integration and Advanced Usage

Syslog Integration

# Configure Tiger to send logs to syslog
echo "SENDREPORT_CMD='logger -t tiger'" | sudo tee -a /etc/tiger/tiger.conf

# Monitor Tiger messages
sudo tail -f /var/log/syslog | grep tiger

Custom Checks

# Create custom check script
sudo nano /etc/tiger/check.local

#!/bin/bash
# Custom security checks
find / -name ".ssh" -perm -004 2>/dev/null

# Make executable
sudo chmod +x /etc/tiger/check.local

# Run with custom checks
tiger -B -w

Integration with SIEM

# Export Tiger findings in syslog format
tiger -B -w -f syslog > tiger_events.log

# Parse and forward to SIEM
cat tiger_events.log | nc siem.local 514

Performance Tuning

Limit Scan Scope

# Audit specific directories only
tiger -B -x /etc /usr/bin -l /var/log/tiger

# Skip slow checks
echo "DOCHK_NETWORK='N'" >> /etc/tiger/tiger.conf

# Reduce verbosity
tiger -B -w -q

Resource Management

# Run with nice priority
nice -n 10 tiger -B -w

# Limit scan to working hours
0 22 * * * /usr/sbin/tiger -B -w -q

Troubleshooting

Common Issues

Issue	Solution
Permission denied	Run as root: `sudo tiger`
No reports generated	Check log directory: `ls -la /var/log/tiger/`
Slow scanning	Exclude large directories: `tiger -B -x /home`
Memory issues	Reduce check scope with `-x` flag
Cron not executing	Check crontab: `sudo crontab -l`

Debug Mode

# Run with debugging enabled
tiger -d -B -w

# Verbose output
tiger -v -B -w

# Log all activities
tiger -B -w -l /var/log/tiger/debug

Security Best Practices

Regular Auditing: Run Tiger weekly or monthly depending on environment
Baseline Establishment: Create and maintain security baselines
Report Review: Regularly analyze and act on Tiger findings
Access Control: Restrict Tiger report access to authorized administrators
Logging: Centralize Tiger logs for compliance and forensics
Updates: Keep Tiger current for latest security checks

Cross-Platform Compatibility

Tiger works on:

Linux distributions (Debian, Ubuntu, RHEL, CentOS)
BSD systems (FreeBSD, OpenBSD)
Solaris/SunOS
macOS (with limited functionality)
UNIX variants

Resources

Tiger Official: https://www.nongnu.org/tiger/
Documentation: /usr/share/doc/tiger/
Configuration: /etc/tiger/tiger.conf
Reports: /var/log/tiger/

Tiger provides comprehensive automated security auditing for UNIX systems, making it essential for system hardening, compliance verification, and incident detection across enterprise environments.