tigercron - Cron utility for Tiger UNIX Security Checker
tigercron [controlfile] [-B basedir]
tigercron is used to periodically run checks from the Tiger UNIX Security
Checker. tigercron reads a control file which is usually located in
'/etc/tiger/cronrc', although it can also be specified as the first argument
when calling the program. The format of this control file is the same as for
the cron program: each line indicates when different checks from Tiger
will be run. The user can indicate where Tiger is installed
through the -B basedir parameter; any other additional options provided
in the command line will be passed on to configure to configure Tiger
based on them (as described in tiger(8)).
tigercron runs the specified checks and compares their reports with
previously stored reports (under /var/log/tiger). It will then mail the
results to the user defined in '/etc/tiger/tigerrc' (Tiger_Mail_RCPT).
When a module is run, tigercron checks:
- If Tiger_Cron_Template is set to Y in tigerrc. If it
is, it checks if there is a template stating which are the expected
- If Tiger_Cron_CheckPrev is set to Y in tigerrc. If
it is, it checks if there is a previous run of the module it can check
A differential report is generated depending on the module reports and previous
run and is sent through e-mail. These reports provide an easy way to detect
intrusions even if no configuration of templates has been done. In the event
of an intrusion a Tiger check might detect something specific (file
changes, new processes, new users, etc.) and this alert mechanism provides a
way to turn Tiger into a Host Intrusion Detection System (HIDS).
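The comparison against a previous run can be sketched in shell as follows. This is an added example, not tigercron's own code: the function names, the NEW:/OLD: labels, the file names and the report lines are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not tigercron's own code: a differential report
# between the previous and current output of one check.
# File names and report lines are constructed for the example.

# diff_report PREV CUR
# Prints findings that appeared since the last run as "NEW: ..." and
# findings that disappeared as "OLD: ...". If PREV does not exist
# (first run), every current finding is reported as NEW.
diff_report() {
    prev=$1
    cur=$2
    tmp=$(mktemp -d) || return 2
    if [ -f "$prev" ]; then
        LC_ALL=C sort -u "$prev" > "$tmp/prev"
    else
        : > "$tmp/prev"
    fi
    LC_ALL=C sort -u "$cur" > "$tmp/cur"
    # comm -13 keeps lines only in CUR, comm -23 lines only in PREV
    LC_ALL=C comm -13 "$tmp/prev" "$tmp/cur" | sed 's/^/NEW: /'
    LC_ALL=C comm -23 "$tmp/prev" "$tmp/cur" | sed 's/^/OLD: /'
    rm -rf "$tmp"
}

# demo: run diff_report over two constructed reports of a hypothetical check
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/prev" <<'EOF'
--WARN-- account 'games' has a valid shell
--WARN-- process listening on tcp/22
EOF
    cat > "$d/cur" <<'EOF'
--WARN-- process listening on tcp/22
--WARN-- process listening on tcp/4444
--WARN-- new local user 'svc2'
EOF
    diff_report "$d/prev" "$d/cur"
    rm -rf "$d"
}

demo
```

An unchanged report produces no output, so a mail is only worth sending when the function prints something.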
Its ability to work as a proper HIDS depends on a good customization of
the cronrc file. Modules that check events to which the host is most exposed
should be run often in order to detect deviations from normal behaviour.
tigercron uses the same options as Tiger. A controlfile can
also be defined to override the default.
- Configuration file for the Tiger tool.
- Configuration file for the Tigercron tool.
- Location of the log messages generated by Tiger when
run through cron
- Working directory used by Tiger scripts to create
The deficiencies of using tigercron as a HIDS are described in the file
README.hostids, which is provided with the package. In Debian GNU/Linux you
will find this (and other related) documentation at /usr/share/doc/tiger/.
tigercron has only one alert mechanism (mail) and signatures
are not supported. Thus, alerts could be faked. Also, it is dependent on
cron and will not work if cron is not working.
This manpage was written by Javier Fernandez-Sanguino.