Tigercron is used to run periodically checks from the Tiger UNIX Security Checker. Tigercron reads a
control file which is usually located in '/etc/tiger/cronrc' although it can also be specificied as the
first argument when calling the program. The format of this control file is the same as for the cron
program, each line indicates when different checks from Tiger will be run. The user can indicate where
Tiger is installed through the -Bbasedir parameter, any other additional options provided in the command
line will be passed on to configure to configure Tiger based on them (as described in tiger(8)).
Tigercron runs the specified checks and compares their reports with previous stored reports (under
/var/log/tiger). It will then mail the user defined in '/etc/tiger/tigerrc' (Tiger_Mail_RCPT) the
results.
When a module is run, tigercron checks:
• If Tiger_Cron_Template is set to Y in tigerrc. If it is, it checks if there is a template stating
which are the expected results.
• If Tiger_Cron_CheckPrev is set to Y in tigerrc. If it is, it checks if there is a previous run of the
module it can check against.
A differential report is generated depending on the module reports and previous run and is sent through
e-mail. These reports provide an easy way to detect intrusions even if no configuration of templates has
been done. In the event of an intrusion a Tiger check might detect something specific (file changes, new
processes, new users, etc.) and this alert mechanism provides a way to turn Tiger into a Host Intrusion
Detection System (HIDS).
The ability of it to work as a proper HIDS is based on a good customization of the cronrc file. Modules
that check events to which the host is most exposed to should be run often in order to detect deviations
from normal behaviour.
Install Now
Emojis
PNG Icons
