TIGER, or the ‘tiger’ scripts, is a set of Bourne shell scripts, C programs and data files which are used to perform a security audit of UNIX systems. TIGER has one primary goal: report ways ‘root’ can be compromised.
Debian’s TIGER incorporates new checks primarily oriented towards Debian distribution including: md5sums checks of installed files, location of files not belonging to packages, check of security advisories and analysis of local listening processes.
Install application :
sudo apt-get install tiger
Running tiger from commands :
tiger
Result :
root@hardy:/home/bearisusanto# tiger
Tiger UN*X security checking system
Developed by Texas A&M University, 1994
Updated by the Advanced Research Corporation, 1999-2002
Further updated by Javier Fernandez-Sanguino, 2001-2007
Covered by the GNU General Public License (GPL)
Configuring…
Will try to check using config for ‘i686′ running Linux 2.6.24-16-generic…
–CONFIG– [con005c] Using configuration files for Linux 2.6.24-16-generic. Using
configuration files for generic Linux 2.
Tiger security scripts *** 3.2.2, 2007.08.28.00.00 ***
16:13> Beginning security report for hardy.
16:13> Starting file systems scans in background…
16:13> Checking password files…
16:13> Checking group files…
16:13> Checking user accounts…
16:13> Checking .rhosts files…
16:13> Checking .netrc files…
16:13> Checking ttytab, securetty, and login configuration files…
16:13> Checking PATH settings…
16:13> Checking anonymous ftp setup…
16:13> Checking mail aliases…
16:13> Checking cron entries…
16:13> Checking ’services’ configuration…
16:13> Checking NFS export entries…
16:13> Checking permissions and ownership of system files…
–CONFIG– [con010c] Filesystem ’securityfs’ used by ’securityfs’ is not recognised as a local filesystem
–CONFIG– [con010c] Filesystem ‘fuse.gvfs-fuse-daemon’ used by ‘gvfs-fuse-daemon’ is not recognised as a local filesystem
–CONFIG– [con010c] Filesystem ‘fuse.gvfs-fuse-daemon’ used by ‘gvfs-fuse-daemon’ is not recognised as a local filesystem
16:13> Checking for indications of break-in…
–CONFIG– [con010c] Filesystem ’securityfs’ used by ’securityfs’ is not recognised as a local filesystem
–CONFIG– [con010c] Filesystem ‘fuse.gvfs-fuse-daemon’ used by ‘gvfs-fuse-daemon’ is not recognised as a local filesystem
–CONFIG– [con010c] Filesystem ‘fuse.gvfs-fuse-daemon’ used by ‘gvfs-fuse-daemon’ is not recognised as a local filesystem
16:13> Performing rootkit checks…
16:13> Performing system specific checks…
16:22> Performing root directory checks…
16:22> Checking for secure backup devices…
16:22> Checking for the presence of log files…
16:22> Checking for the setting of user’s umask…
16:22> Checking for listening processes…
16:22> Checking SSHD’s configuration…
16:22> Checking the printers control file…
16:22> Checking ftpusers configuration…
16:22> Checking NTP configuration…
16:22> Waiting for filesystems scans to complete…
16:22> Filesystems scans completed…
16:22> Performing check of embedded pathnames…
16:22> Security report completed for hardy.
Security report is in `/var/log/tiger/security.report.hardy.080730-16:13′.
The log contents :
Security scripts *** 3.2.2, 2007.08.28.00.00 ***
Wed Jul 30 16:13:16 WIT 2008
16:13> Beginning security report for hardy (i686 Linux 2.6.24-16-generic).
# Performing check of passwd files…
# Checking entries from /etc/passwd.
–WARN– [pass014w] Login (backup) is disabled, but has a valid shell.
–WARN– [pass014w] Login (bin) is disabled, but has a valid shell.
–WARN– [pass014w] Login (daemon) is disabled, but has a valid shell.
–WARN– [pass014w] Login (games) is disabled, but has a valid shell.
–WARN– [pass014w] Login (gnats) is disabled, but has a valid shell.
–WARN– [pass014w] Login (irc) is disabled, but has a valid shell.
–WARN– [pass014w] Login (libuuid) is disabled, but has a valid shell.
–WARN– [pass014w] Login (list) is disabled, but has a valid shell.
–WARN– [pass014w] Login (lp) is disabled, but has a valid shell.
–WARN– [pass014w] Login (mail) is disabled, but has a valid shell.
–WARN– [pass014w] Login (man) is disabled, but has a valid shell.
–WARN– [pass014w] Login (news) is disabled, but has a valid shell.
–WARN– [pass014w] Login (nobody) is disabled, but has a valid shell.
–WARN– [pass014w] Login (proxy) is disabled, but has a valid shell.
–WARN– [pass015w] Login ID sync does not have a valid shell (/bin/sync).
–WARN– [pass014w] Login (sys) is disabled, but has a valid shell.
–WARN– [pass014w] Login (uucp) is disabled, but has a valid shell.
–WARN– [pass014w] Login (www-data) is disabled, but has a valid shell.
–WARN– [pass012w] Home directory /nonexistent exists multiple times (2) in
/etc/passwd.
–WARN– [pass006w] Integrity of password files questionable (/usr/sbin/pwck
-r).
# Performing check of group files…
# Performing check of user accounts…
# Checking accounts from /etc/passwd.
–WARN– [acc021w] Login ID avahi-autoipd appears to be a dormant account.
–WARN– [acc006w] Login ID gdm’s home directory (/var/lib/gdm) has group
`gdm’ write access.
–WARN– [acc021w] Login ID libuuid appears to be a dormant account.
–WARN– [acc022w] Login ID nobody home directory (/nonexistent) is not
accessible.
# Performing check of /etc/hosts.equiv and .rhosts files…
….
….
etc
No comments:
Post a Comment