This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 165311 - Review Request: Tiger, security auditing on UNIX systems
Review Request: Tiger, security auditing on UNIX systems
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Hans de Goede
David Lawrence
http://www.nongnu.org/tiger/
:
Depends On:
Blocks: FE-ACCEPT
  Show dependency treegraph
 
Reported: 2005-08-07 12:32 EDT by Aurelien Bompard
Modified: 2007-11-30 17:11 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-20 04:07:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Aurelien Bompard 2005-08-07 12:32:16 EDT
Spec : http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM : http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-1.src.rpm
Description:
Tiger is a set of bash scripts to run automatic security audits and intrusion detection on Unix systems.
The project was abandoned since mid-90's, and got resurrected by one of the main Debian security developers (Javier Fernández-Sanguino).
It proved very useful many times on the Debian servers I manage, and I'm pretty sure it could be as useful on Fedora.

Since Tiger is very system-specific, it needs customization to integrate it into Fedora. Right now, I've only ported Javier's fixes and adaptations for Debian (which is a 20000+ lines patch...).
I'd like to make sure it works as this, and I'll add more Fedora-specific checks afterwards (such as "yum check-update", "rpm -V", and maybe even SELinux checks, there's much to do)

So here are the best ways you can review Tiger :
 - Check for packaging errors, as usual
 - Install it, tweak /etc/tiger/tigerrc a little, run "tiger" and tell me if you have error messages.
 - Tell me what false-positive alerts you get in the previous command so I can add them to /etc/tiger/tiger.ignore
 - Look into /etc/tiger/tiger.ignore and tell me if you think I've ignored something valid
 - Please review my one-liner patch for a C program not compiling with gcc4, as I really don't know C...
 - Tell me where Tiger could be better integrated into Fedora

When you run "tiger", all checks enabled in /etc/tiger/tigerrc are run. But there is also an automatic testing system, where the scripts are run at different times according to /etc/tiger/cronrc. If you can, please run each script in this crontab and tell me which false-positive you get.

One of Tiger's best features is to report only what's changed since the last run (configurable in /etc/tiger/tigerrc), but it does not mean we should not get rid of false-positives in the first place.
Comment 1 Oliver Falk 2005-08-10 10:10:50 EDT
Seems fine to me.
Comment 2 Aurelien Bompard 2005-08-10 12:13:59 EDT
Does that mean you approve the package ? If so please change the blocker bug to
FE-ACCEPT (bug 163779)
Comment 3 Matthias Saou 2005-08-15 12:24:38 EDT
I would suppose the comment was about the procedure you suggested. This seems
like it would be best discussed on fedora-devel or fedora-extras list in order
to fine tune the default configuration.
Comment 4 Kevin Fenzi 2006-01-29 14:14:54 EST
Not a review, but to attempt to restart discussion/interest. :) 

Package: 
- Builds ok on current devel

error messages from tiger: 
12:03> Checking password files...
/bin/sort: invalid option -- 3
Try `/bin/sort --help' for more information.
12:03> Checking group files...
/bin/sort: invalid option -- 3
Try `/bin/sort --help' for more information.
12:07> Checking for indications of break-in...
/usr/bin/tail: cannot open `+2' for reading: No such file or directory

Does the tiger.ignore file allow comments? If so, perhaps you could comment why
each thing should be ignored? Ie, something like: 

# Fedora uses a "mail" group to allow some access to /var/spool/mail. 
Login ID mail's home directory \(/var/spool/mail\) has group `mail' write access.

Is the package still being maintained? I don't see much activity on it's web
site (no mailing list posts this year), etc. Or is development taking place only
in debian? 

Comment 5 Hans de Goede 2006-01-31 16:08:50 EST
This sounds like an interesting package, I might be willing to help / do a
review. Can you for starters post a version which works on current FC-5 / has
the sort errors fixed.
Comment 6 Aurelien Bompard 2006-01-31 16:24:55 EST
Thanks for your help both of you. I'll fix the sort problem so you can give it a
try.
Comment 7 Hans de Goede 2006-02-13 14:43:06 EST
Changing back to FE-NEW. Jochen, the review hasn't started yet, to quote Keven:
"Not a review" and me "might be willing todo a review" so no review has been
started yet. I saw your mail to f-e-list that you're going todo this to other
bugs too, please don't unless the review has really started. Also see the
asigned field.
Comment 8 Aurelien Bompard 2006-04-04 08:49:33 EDT
Spec : http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM : http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-1.src.rpm

I've fixed the command options which caused problems on FC5, and added comments
to tiger.ignore

The Debian package changelog has "updated to CVS" entries, so I guess upstream
is still active (or Debian has taken over upstream).
Comment 9 Aurelien Bompard 2006-04-04 08:49:54 EDT
Spec : http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM : http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-2.src.rpm

I've fixed the command options which caused problems on FC5, and added comments
to tiger.ignore

The Debian package changelog has "updated to CVS" entries, so I guess upstream
is still active (or Debian has taken over upstream).
Comment 10 Joost Soeterbroek 2006-04-22 10:54:59 EDT
Not an offial review, but some comments:

1) Some suspicious errors during %install phase:

  Copying miscellaneous dirs...
  tar: ./check.d/README.doc: Cannot open: Permission denied
  tar: Error exit delayed from previous errors
  tar: ./html/integrit.html.doc: Cannot open: Permission denied
  tar: ./html/ndd.html.doc: Cannot open: Permission denied
  tar: ./html/ssh.html.doc: Cannot open: Permission denied
  tar: ./html/aide.html.doc: Cannot open: Permission denied
  tar: ./html/rootkit.html.doc: Cannot open: Permission denied
  tar: Error exit delayed from previous errors
  tar: ./systems/Linux/2/check_xinetd.scripts: Cannot open: Permission denied
  tar: Error exit delayed from previous errors
  Copying miscellaneous files...
  Copying scripts...
  sed: can't read ./systems/Linux/2/check_xinetd.scripts: Permission denied
  Copying platform scripts...
  cp: cannot open `./systems/Linux/2/check_xinetd.scripts' for reading: 
Permission denied

2) In /usr/lib/tiger/systems/Linux/2/
some files have an equivalent ending in .orig or .old
which are probably backups left during development. I suggest
not to package these files:

  [joost@alexandria SPECS]$ rpm -qil tiger | grep orig
  /usr/lib/tiger/systems/Linux/2/check_listeningprocs.orig
  /usr/lib/tiger/systems/Linux/2/gen_passwd_sets.orig

  [joost@alexandria SPECS]$ rpm -qil tiger | grep old
  /usr/lib/tiger/systems/Linux/0/gen_cron.old
  /usr/lib/tiger/systems/Linux/2/services.old

3) In /usr/lib/tiger/systems/Linux/2/
most files have an equivalent ending in .scripts
which are clearly leftovers from an earlier stage of
development and left abandoned in 2003. 
The equivalent files without the .scripts
extension all have inline comments dated 2005.
I suggest not to package these .scripts files also, unless
there is a reason for these that I don't understand.

4) rpmlint errors and warnings:

  [joost@alexandria SPECS]$ rpmlint
/home/joost/Development/rpm/RPMS/i386/tiger-3.2.1-2.i386.rpm
  W: tiger conffile-without-noreplace-flag /etc/cron.d/tiger
  W: tiger conffile-without-noreplace-flag /etc/tiger/cronrc
  W: tiger conffile-without-noreplace-flag /etc/tiger/tiger.ignore
  W: tiger conffile-without-noreplace-flag /etc/tiger/tigerrc
  E: tiger zero-length /usr/lib/tiger/systems/default/suid_list
  E: tiger non-readable /etc/tiger/tigerrc 0640
  E: tiger non-readable /etc/tiger/tiger.ignore 0600
  E: tiger non-standard-dir-perm /var/log/tiger 0700
  W: tiger file-not-utf8 /usr/share/man/man8/tiger.8.gz
  E: tiger non-readable /etc/tiger/cronrc 0640
  W: tiger symlink-should-be-relative /usr/lib/tiger/tigexp /usr/sbin/tigexp
  E: tiger non-standard-dir-perm /etc/tiger 0700
  E: tiger zero-length /usr/lib/tiger/systems/default/rel_file_exp_list
  E: tiger zero-length /usr/lib/tiger/systems/Linux/2/rel_file_exp_list
  E: tiger non-standard-dir-perm /var/run/tiger/work 0700
  E: tiger zero-length /usr/lib/tiger/systems/Linux/2/check_xinetd.scripts
  E: tiger script-without-shellbang 
/usr/lib/tiger/systems/Linux/2/check_xinetd.scripts
  W: tiger devel-file-in-non-devel-package /usr/lib/tiger/version.h
  W: tiger log-files-without-logrotate /var/log/tiger

Hope this is helpfull..
Comment 11 Aurelien Bompard 2006-04-22 17:23:35 EDT
> Hope this is helpfull

Extremely useful, thanks a lot.

* Sat Apr 22 2006 Aurelien Bompard <gauret[AT]free.fr> 3.2.1-3
- don't backup some patches, or the files will be copied in the buildroot
- set conf files to noreplace
- fix manpage encoding

Spec : http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM : http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-3.src.rpm

(1) and (3) are fixed by not making backups for some patches

(2) is fixed by removing the files in %prep

(4) rpmlint :
>  W: tiger conffile-without-noreplace-flag /etc/cron.d/tiger
>  W: tiger conffile-without-noreplace-flag /etc/tiger/tiger.ignore
>  W: tiger conffile-without-noreplace-flag /etc/tiger/tigerrc

Fixed.

>  W: tiger conffile-without-noreplace-flag /etc/tiger/cronrc

This one is not supposed to be customized, so I leave it as %config only.

>  E: tiger non-readable /etc/tiger/tigerrc 0640
>  E: tiger non-readable /etc/tiger/tiger.ignore 0600
>  E: tiger non-standard-dir-perm /var/log/tiger 0700
>  E: tiger non-readable /etc/tiger/cronrc 0640
>  E: tiger non-standard-dir-perm /etc/tiger 0700
>  E: tiger non-standard-dir-perm /var/run/tiger/work 0700
>  E: tiger zero-length /usr/lib/tiger/systems/default/suid_list
>  E: tiger zero-length /usr/lib/tiger/systems/default/rel_file_exp_list
>  E: tiger zero-length /usr/lib/tiger/systems/Linux/2/rel_file_exp_list

Intended.

>  W: tiger file-not-utf8 /usr/share/man/man8/tiger.8.gz

Fixed.

>  W: tiger symlink-should-be-relative /usr/lib/tiger/tigexp /usr/sbin/tigexp
>  W: tiger devel-file-in-non-devel-package /usr/lib/tiger/version.h

Harmless.

>  E: tiger zero-length /usr/lib/tiger/systems/Linux/2/check_xinetd.scripts
>  E: tiger script-without-shellbang /usr/[...]/Linux/2/check_xinetd.scripts

Fixed by not backuping this patch

>  W: tiger log-files-without-logrotate /var/log/tiger

Tiger takes care of rotation by itself.

Thanks for your input.
Comment 12 Hans de Goede 2006-05-07 06:40:17 EDT
I've build your SRPM and installed it on both FC-5 and devel and I must say I
like it, it gives a few false positives that need fixing (but thats something
which can be best done later, iow not a blocker for review and approval). And it
indeed needs extending with some Fedora specific tests like rpm --verify -a and
an SELinux label check, but in general its a nice tool.

As such I'm assigning this to me and going todo a review somewhere the next week,
please let me know if you have / are planning on a newer version and if you
rather would want that reviewed.
Comment 13 Aurelien Bompard 2006-05-07 18:32:02 EDT
Thanks a lot for reviewing ! I'm not planning on updating this package here
unless a new upstream version comes out, which should not happen soon.
This is the oldest open review request, I'm glad it comes to an end :)
Comment 14 Hans de Goede 2006-05-13 08:44:31 EDT
MUST:
=====
* rpmlint output is:
W: tiger conffile-without-noreplace-flag /etc/cron.d/tiger
E: tiger non-standard-dir-perm /var/log/tiger 0700
E: tiger non-readable /etc/tiger/tigerrc 0640
E: tiger zero-length /usr/lib64/tiger/systems/default/suid_list
E: tiger non-readable /etc/tiger/cronrc 0640
E: tiger non-readable /etc/tiger/tiger.ignore 0600
E: tiger zero-length /usr/lib64/tiger/systems/Linux/2/rel_file_exp_list
E: tiger non-standard-dir-perm /var/run/tiger/work 0700
E: tiger non-standard-dir-perm /etc/tiger 0700
W: tiger symlink-should-be-relative /usr/lib64/tiger/tigexp /usr/sbin/tigexp
E: tiger zero-length /usr/lib64/tiger/systems/default/rel_file_exp_list
W: tiger devel-file-in-non-devel-package /usr/lib64/tiger/version.h
W: tiger log-files-without-logrotate /var/log/tiger
Most of these are OK / have a good reason / intentional (also see previous
comments), so they are ok.I
It would be nice if you could fix the symlink though, but that is not a blocker.
* Package and spec file named appropriately
* Packaged according to packaging guidelines
* License (GPL) ok but license file not included!
* spec file is legible and in Am. English.
* Source matches upstream
* Compiles and builds on devel-x86_64
* BR: ok
* No locales
* No shared libraries
* Not relocatable
* Package owns / or requires all dirs
* No duplicate files & Permissions ok
* %clean & macro usage OK
* Contains code only
* %doc does not affect runtime, and isn't large enough to warrent a sub package
* no -devel package needed, no libs / .la files.
* no gui -> no .desktop file required


MUST fix:
=========
* Include COPYING in %doc
* Does /usr/lib64/tiger/html actually gets used during execution or are
  those just docs. If they are just docs the html dir should be under %doc
  instead of under /usr/lib64/tiger/
* Remove /usr/share/doc/tiger-3.2.1/tiger_logo* these aren't docs nor are they
  used by any of the docs (no html docs there) if you decide to keep them
  someplace else (or if the moved html docs need them) remove the x permisson
  bits .

Should fix:
===========
* Please remove the:
 "Please adjust your %{_sysconfdir}/tiger/tigerrc before running."
 line from %description. Usage notes do not belong in %description.
 If you want to you can add this to README.fedora. I didn't modify tigerrc
 and it ran fine though.
* Move these 2 lines from %install to %prep replacing buildroot with . :
 #find $RPM_BUILD_ROOT -type d -name CVS | xargs -iX rm -rf "X"
 find $RPM_BUILD_ROOT -type d -name CVS | xargs rm -rf
Comment 15 Aurelien Bompard 2006-05-13 09:39:40 EDT
* Sat May 13 2006 Aurelien Bompard <gauret[AT]free.fr> 3.2.1-4
- include the COPYING file
- put HTML doc in %%doc
- drop useless logos
- fix %%description
- remove CVS dirs in %%prep

Spec : http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM : http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-4.src.rpm

Thanks Hans.
Comment 16 Hans de Goede 2006-05-13 15:27:56 EDT
All MUST and Should items fixed. Approved!

And your welcome :)

Note You need to log in before you can comment on or make changes to this bug.