rpms/tiger/devel tiger-3.2.1-doc.patch,1.1,1.2 tiger.spec,1.6,1.7

Caolan McNamara caolanm at fedoraproject.org
Sun Mar 8 15:24:01 UTC 2009


Author: caolanm

Update of /cvs/pkgs/rpms/tiger/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1914

Modified Files:
	tiger-3.2.1-doc.patch tiger.spec 
Log Message:
defuzz patches to rebuild

tiger-3.2.1-doc.patch:

Index: tiger-3.2.1-doc.patch
===================================================================
RCS file: /cvs/pkgs/rpms/tiger/devel/tiger-3.2.1-doc.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- tiger-3.2.1-doc.patch	13 May 2006 21:38:59 -0000	1.1
+++ tiger-3.2.1-doc.patch	8 Mar 2009 15:23:30 -0000	1.2
@@ -1,5 +1,6 @@
---- tiger-3.2.1.orig/CHANGES
-+++ tiger-3.2.1/CHANGES
+diff -ru tiger.orig/CHANGES tiger/CHANGES
+--- tiger.orig/CHANGES	2009-03-08 14:41:39.000000000 +0000
++++ tiger/CHANGES	2009-03-08 14:48:36.000000000 +0000
 @@ -1,6 +1,15 @@
  NOTE: To read changes made to the Debian package (since
  August 23rd 2001) see the changelog.Debian file
@@ -16,192 +17,9 @@
  Changes (v 3.2.1) 
  ----------------
  - New checks:
---- tiger-3.2.1.orig/TODO.checks
-+++ tiger-3.2.1/TODO.checks
-@@ -0,0 +1,181 @@
-+This TODO details things that need to be done to improve the current
-+security checks implemented in Tiger.
-+
-+
-+IMPROVEMENTS
-+------------
-+- Modify the rhosts check so that it will check for shosts files too
-+  (or create a new check_shosts file)
-+
-+- Modify check_network to include hosts.lpd in the tests
-+
-+- Add .bash_profile into check_path
-+
-+- Add more information to the messages outputed for inetd services which
-+  might expose password information (Unix CERT configuration list item #2.4)
-+
-+- check_rootkit should also consider analysing modification times of 
-+  important system files (binaries as well as logfiles).
-+  Mtime, atime and ctime should not be in the future and mtime/ctime
-+  of binaries should be similar to the time the system was installed 
-+  (unless it has been patched). Similarly, logfiles should not have
-+  similar (almost equal) ctimes. This needs to be carefully planned in
-+  order to avoid confusion of logfile rotation vs. a log cleaner though.
-+
-+- check_patches for Solaris should generate better messages for security
-+  and/or recommended patches (|R|S|). The check needs to be tested for
-+  Solaris 9 too.
-+  Also check_patches should only output information for packages installed.
-+
-+- check_known should be improved to detect for symlink attacks and
-+  hard links in user writable directories (/tmp, /var/tmp and, in
-+  some systems, /var/spool/mail too, the directory list might be
-+  defined in tigerrc or extracted by parsing the file system)
-+
-+
-+NEW CHECKS 
-+-----------
-+- Create the following (generic) scripts:
-+
-+     - Check root $HOME files (might be redundant with check_path's)
-+     - Do alias give the same as check_aliases?
-+     - writable/executable check + word writable? (in find_files)
-+     - Check for SAMBA configuration (checklist #20 SANS):
-+     	. encrypted passwords.
-+	. 600 /etc/smbpasswd or /etc/samba/smbpasswd
-+	. shares enabled/disabled
-+	. guest access
-+	. create mask (770)
-+     - Check newer FTP (/etc/ftpaccess in newer Linux systems, ftpusers
-+       is deprecated) see checklist #22 of SANS.
-+     (DONE)- The check_inetd script should be improved to warn if echo/chargen..
-+       services are enabled (SANS unix checklist #3 and Linux #4) 
-+     - SANS unix checklist #18 
-+	. Solaris /etc/system (noexec stack)
-+	. Solaris locked accounts (#18 and #21)
-+	. Solaris default/login
-+	. Solaris /etc/default/kbd
-+     - Partition checks (in Linux /etc/fstab, in Solaris /etc/vfstab),
-+       if there is a /usr, /opt then read-only, if /var
-+       or /tmp suggest nosuid (maybe noexec, although it's not a real
-+       improvement). Separate partitions for /var, /usr, /tmp, /home
-+       (boot?) so that no hard links attacks are possible.
-+       In general user writable directories should be separated from
-+       from system directories to avoid (hard) symlink attacks and
-+       local DoS due to partitions being full.
-+       In some installations /var/log or /var/spool (or /var/mail) might
-+       make sense to be separated.
-+     - Solaris /etc/notrouter to disable
-+
-+     - Suggested by Bob Hall:
-+        * Check if any local file systems are being exported to
-+       'localhost'. Also check if the local host is in a netgroups
-+        entry in its own exports file.
-+	* Look for (unexpected) normal files under /dev.
-+	(Note: included in 'check_devices', done?)
-+	* Check for user startup files that call 'umask' with weak
-+	settings. (Should be 022 or 027.)
-+	(Note: included in 'check_umask' using GENPASSWDSETS, done?)
-+	* Check that '-' is not the first character in a /etc/hosts.equiv
-+	/etc/hosts.lpd, or .rhosts files. Also check for a '+' entry in
-+	hosts.lpd file. 
-+	(Note: included in 'check_rhosts'?)
-+	* If a system allows it, check for an /etc/shells file and look
-+	if the permitted shells are in the system directories.
-+	References:
-+	http://www.cert.org/tech_tips/usc20.html
-+	http://www.cert.org/advisories/CA-2001-30.html
-+	http://www.ciac.org/ciac/bulletins/b-37.shtml
-+	http://www.nswc.navy.mil/ISSEC/Docs/Ref/GeneralInfo/unixsecurity.nrl.txt
-+
-+     - Detect promiscous mode (DONE)
-+     - Rootkits check, like chkrootkit  (DONE)
-+     Reference: 
-+     http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html
-+
-+- Implement a check for configuration files for user's password policies
-+  and other sensible configuration such as /etc/login.access, /etc/login.defs,
-+  /etc/login.conf
-+
-+- Implement a generic script to test package management systems 
-+  (i.e. run 'rpm -Va' in RedHat, 'pkgchk' in Solaris). Most of these check:
-+  md5sums, permissions, size, user/group ownerships...
-+  These can be useful to detect trivial rootkits but might be redundant
-+  when using also integrity checkers. 
-+  Note: The Debian deb_checkmd5sums only covers part of that (using
-+  debsums), dpkg does not have a verify mode (see Debian Bug #187019)
-+  References:
-+  RedHat: http://www.rpm.org/max-rpm/ch-rpm-verify.html 
-+	  http://www.rpm.org/max-rpm/s1-rpm-verify-what-to-verify.html 
-+
-+- Convert scripts/check_network (RedHat-based) into a number of tests.
-+  This is a script provided by Bryan Gartner from HP
-+  It currently checks for:
-+  	- Inetd configuration files (are xinetd or inetd files writable?
-+	  are they owned by the proper user? does inetd use -l? does
-+	  xinetd have filelog or syslog?)
-+	  (Note: some checks moved to check_tcpd)
-+	- Does /etc/securetty exist? Does it have other entries besides vc/tty?
-+	  Is ownership of the file ok?
-+	- Is ip forwarding enabled?
-+	- Which version of DNS/Wu-ftpd is it running?
-+	(Note: this might not be completely feasible since the check_network
-+	scripts connects to the server to retrieve the banner which is
-+	something that Tiger should leave to other, remote, VA tools)
-+	- PermitRooLogin or Rhosts in sshd?
-+	- EXPN/VRFY support in mail host?
-+	Necessary services:
-+	- Is syslog running?
-+	- Is omniback running?
-+	Not allowed (per policy):
-+	- Is fingerd running? 
-+	- Is identd runnig?
-+	- Are inetd internal services running?
-+	- Is a routing daemon enabled?
-+	- R-commands?
-+	- X server
-+	- Tftpd
-+	- NIS
-+	- UUCP
-+	- R-exd?
-+	- NFS
-+  Note: some of this is already done in check_inetd and check_xinetd so
-+  many might be redundant.
-+
-+INTEGRATION CHECKS
-+------------------
-+(checks related to other tools that integrate them in the Tiger framework)
-+
-+- Tripwire: the 'tripwire_run' script has not been tested thoroughly
-+  (mainly because in Debian it is already configured to execute
-+  regular checks standalone)
-+
-+- Crack: same for 'crack_run' (for the same reason as for tripwire
-+  it has not been tested thoroughly yet)
-+  
-+- Other integrity checkers: aide, samhain, integrit...
-+  (Note: done for aide and integrit for the moment)
-+	
-+- Other password crackers: john
-+
-+- Logcheckers: swatch, logcheck, loganalysis, snort-logcheck
-+  Note: Tiger currently does not do any log checking (see below)
-+  I'm not sure if Tiger should provide a new one or re-use 
-+  existing ones and include them as an 'external' program to run 
-+  through a Tiger module.  The benefit of using an accepted and use 
-+  log analysis tool is that Tiger can benefit from the database of 
-+  signatures of known attacks/non-issues. The problem is that the 
-+  sysadmin has to install yet another tool (if he is not using an OS 
-+  that already includes them) and, probably, some other stuff 
-+  (usually Perl) on which the tool itself is based.
-+
-+- User analysis: sac, hostsentry (part of Abacus, but non-free)
-+
-+- Network checks: Arpwatch, Snort
-+
-+(DONE)- Other tools: chkrootkit 
-+
-+--- Javier Fernandez-Sanguino Pen~a  <jfs at computer.org>
-+Sun, 27 Jun 2004 22:28:39 +0200
-+
-+
---- tiger-3.2.1.orig/doc/accounts.txt
-+++ tiger-3.2.1/doc/accounts.txt
+diff -ru tiger.orig/doc/accounts.txt tiger/doc/accounts.txt
+--- tiger.orig/doc/accounts.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/accounts.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -98,10 +98,6 @@
  %acc015w
  The listed login ID has a duplicate home directory with another login
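Review bot: the removed block starting at `---- tiger-3.2.1.orig/TODO.checks` drops the whole 181-line TODO.checks addition (`-@@ -0,0 +1,181 @@`), which is more than the "defuzz" the log message describes. The regenerated sections are produced with `diff -ru` and no `-N`, and diff only emits files that exist on one side when `-N` is given, so this looks like a side effect of how the patch was regenerated rather than a decision. If TODO.checks is still meant to ship, regenerate with `diff -ruN`; if dropping it is intended, say so in the log message.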
@@ -222,8 +40,21 @@
  many important environment variables.
  %acc020w
  The listed login ID does not have a valid login program or shell.
---- tiger-3.2.1.orig/doc/anonftp.txt
-+++ tiger-3.2.1/doc/anonftp.txt
+diff -ru tiger.orig/doc/aide.txt tiger/doc/aide.txt
+--- tiger.orig/doc/aide.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/aide.txt	2009-03-08 14:48:36.000000000 +0000
+@@ -5,7 +5,7 @@
+ cannot make use of in the current Tiger version. Please supply a custom
+ configuration file using Tiger_Run_AIDE_CFG_OVERRIDE and/or make sure 
+ no variable substitution is used in the Aide configuration file.
+-%aide003w
++%aide003wsum
+ Aide detected changes in filesystem integrity. This line is only the summary.
+ %aide003w
+ Aide detected, by checking against the files' the attributes in the database,
+diff -ru tiger.orig/doc/anonftp.txt tiger/doc/anonftp.txt
+--- tiger.orig/doc/anonftp.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/anonftp.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -3,16 +3,16 @@
  and hence there is nothing to check.
  %ftp002a
@@ -253,8 +84,9 @@
 +The 'ftp' account appears to have a valid shell.  A valid shell is not
 +required for the 'ftp' user and can be safely set to /bin/false,
 +/sbin/nologin, etc.
---- tiger-3.2.1.orig/doc/config.txt
-+++ tiger-3.2.1/doc/config.txt
+diff -ru tiger.orig/doc/config.txt tiger/doc/config.txt
+--- tiger.orig/doc/config.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/config.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -1,12 +1,12 @@
  %con001c
 -The configuration file listed was not read in because it was
@@ -302,8 +134,9 @@
 +%run002e
 +A needed command cannot be executed, probably due to insufficient privileges.
  Make sure that Tiger is run by the superuser (root) account.
---- tiger-3.2.1.orig/doc/cron.txt
-+++ tiger-3.2.1/doc/cron.txt
+diff -ru tiger.orig/doc/cron.txt tiger/doc/cron.txt
+--- tiger.orig/doc/cron.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/cron.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -25,4 +25,17 @@
  particular, possibly recurring time.  It can be very useful, but also 
  has a very real potential for abuse by either users or system crackers.
@@ -323,8 +156,9 @@
 +Cron is restricted to a given user. This is usually good, since
 +restricting cron prevents this system from being 
 +abused by either users or system crackers. 
---- tiger-3.2.1.orig/doc/embed.txt
-+++ tiger-3.2.1/doc/embed.txt
+diff -ru tiger.orig/doc/embed.txt tiger/doc/embed.txt
+--- tiger.orig/doc/embed.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/embed.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -69,11 +69,11 @@
  The executable is group writable, world writable or both.  This can
  enable an intruder to gain unauthorized privileges if they are able to
@@ -339,8 +173,9 @@
  study the file and programs in which the pathname was found to
 -determine whether there
 +determine whether there is a problem.
---- tiger-3.2.1.orig/doc/explain.idx
-+++ tiger-3.2.1/doc/explain.idx
+diff -ru tiger.orig/doc/explain.idx tiger/doc/explain.idx
+--- tiger.orig/doc/explain.idx	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/explain.idx	2009-03-08 14:48:36.000000000 +0000
 @@ -16,14 +16,20 @@
  acc013w accounts.txt 86 94
  acc014f accounts.txt 96 97
@@ -719,8 +554,9 @@
 +ssh003w ssh.txt 10 13
 +ssh004w ssh.txt 15 16
 +ssh005e ssh.txt 18 $
---- tiger-3.2.1.orig/doc/filesys.txt
-+++ tiger-3.2.1/doc/filesys.txt
+diff -ru tiger.orig/doc/filesys.txt tiger/doc/filesys.txt
+--- tiger.orig/doc/filesys.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/filesys.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -24,7 +24,7 @@
  all setuid programs will be listed.  When fully configured for a
  platform, only those setuid programs that do not appear in the
@@ -751,16 +587,18 @@
 +The listed program is not owned by an administrative user.  The 
 +majority of SUID programs should probably be owned by an 
 +administrative user.
---- tiger-3.2.1.orig/doc/group.txt
-+++ tiger-3.2.1/doc/group.txt
+diff -ru tiger.orig/doc/group.txt tiger/doc/group.txt
+--- tiger.orig/doc/group.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/group.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -18,5 +18,3 @@
  The group files have integrity issues as found by 'grpck -r'.  This
  can lead to looping of password manipulation programs and to allow
  unexpected access to resources.
 -
 -
---- tiger-3.2.1.orig/doc/inetd.txt
-+++ tiger-3.2.1/doc/inetd.txt
+diff -ru tiger.orig/doc/inetd.txt tiger/doc/inetd.txt
+--- tiger.orig/doc/inetd.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/inetd.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -25,8 +25,8 @@
  be checked, and if anything unusual is found, the system should
  be checked for other signs of intrusion.
@@ -852,8 +690,21 @@
 +The service is disabled in the Xinetd configuration file. This is usually
 +a good thing, since this limits exposure of the server and prevents
 +external attacks.
---- tiger-3.2.1.orig/doc/known.txt
-+++ tiger-3.2.1/doc/known.txt
+diff -ru tiger.orig/doc/integrit.txt tiger/doc/integrit.txt
+--- tiger.orig/doc/integrit.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/integrit.txt	2009-03-08 14:48:36.000000000 +0000
+@@ -5,7 +5,7 @@
+ Tiger cannot make use of in the current Tiger version. Please supply a custom
+ configuration file using Tiger_Run_AIDE_CFG_OVERRIDE and/or make sure 
+ no variable substitution is used in the Integrit configuration file.
+-%integ003w
++%integ003wsum
+ Integrit detected changes in filesystem integrity. This line is only the 
+ summary.
+ %integ003w
+diff -ru tiger.orig/doc/known.txt tiger/doc/known.txt
+--- tiger.orig/doc/known.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/known.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -44,7 +44,7 @@
  of intrusion.
  %kis009w
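Review bot: the doc/integrit.txt section keeps the context line `configuration file using Tiger_Run_AIDE_CFG_OVERRIDE and/or make sure`, which tells an Integrit user to set an AIDE-named variable and reads like a copy from aide.txt. Check which variable the Integrit run script actually honours and correct the text before `%integ003wsum` in this patch if the name is wrong, otherwise the advice for that message cannot be followed.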
@@ -878,8 +729,9 @@
  %kis013a
  A interface is set up on promiscuous mode, this is a common method
  used by attackers to capture user account and and password information.
---- tiger-3.2.1.orig/doc/linux.txt
-+++ tiger-3.2.1/doc/linux.txt
+diff -ru tiger.orig/doc/linux.txt tiger/doc/linux.txt
+--- tiger.orig/doc/linux.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/linux.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -49,7 +49,7 @@
  The kernel will answer (per configuration) to ICMP echo requests in any
  interface. You might want to configure it to not answer to this requests
@@ -958,8 +810,9 @@
 +use to specific local network IP addresses or hosts. 
 +If the system is multi-home a local firewall configuration will prevent
 +spoofing attacks due to "weak end host" issues.
---- tiger-3.2.1.orig/doc/logfiles.txt
-+++ tiger-3.2.1/doc/logfiles.txt
+diff -ru tiger.orig/doc/logfiles.txt tiger/doc/logfiles.txt
+--- tiger.orig/doc/logfiles.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/logfiles.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -18,7 +18,7 @@
  server can be listed.  This is accessed by the command "who".
  It might not exist due to a system configuration error or an 
@@ -984,8 +837,9 @@
  It might not exist if you have configured your system to use a 
  different file for logging or if an intruder has tried to cover 
  his tracks by removing it since the messages file might contain 
---- tiger-3.2.1.orig/doc/misc.txt
-+++ tiger-3.2.1/doc/misc.txt
+diff -ru tiger.orig/doc/misc.txt tiger/doc/misc.txt
+--- tiger.orig/doc/misc.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/misc.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -68,8 +68,8 @@
  execute commands which allow them to read and modify memory, boot
  alternate OS's etc.  See the 'eeprom' man page for information
@@ -1055,8 +909,23 @@
  The script will not be run since it is not executable. This might be a problem
  with the installation of Tiger so you should recheck the script's file owner
  and permissions.
---- tiger-3.2.1.orig/doc/network.txt
-+++ tiger-3.2.1/doc/network.txt
+diff -ru tiger.orig/doc/ndd.txt tiger/doc/ndd.txt
+--- tiger.orig/doc/ndd.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/ndd.txt	2009-03-08 14:48:36.000000000 +0000
+@@ -69,8 +69,8 @@
+ services.
+  # ndd -set /dev/ip ip_respond_to_timestamp 0
+ %ndd011w
+-This option determins if HP-UX will include explanitory text in the
+-RST segement it sends.  This text is helpful for debugging, but is also
++This option determines if HP-UX will include explanatory text in the
++RST segment it sends.  This text is helpful for debugging, but is also
+ useful to potential intruders.
+ To disable this do:
+  # ndd -set /dev/tcp tcp_text_in_resets 0
+diff -ru tiger.orig/doc/network.txt tiger/doc/network.txt
+--- tiger.orig/doc/network.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/network.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -1,11 +1,11 @@
  %netw001f
 -The listed file is world writeable.  chomd -ow file to correct.
@@ -1071,8 +940,9 @@
  based, add the 'filelog' or 'syslog' options in /etc/sysconfig/xinetd
  configuration file.
  %netw004f
---- tiger-3.2.1.orig/doc/passwd.txt
-+++ tiger-3.2.1/doc/passwd.txt
+diff -ru tiger.orig/doc/passwd.txt tiger/doc/passwd.txt
+--- tiger.orig/doc/passwd.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/passwd.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -28,7 +28,7 @@
  %pass008e
  The password file was not generated and cannot be analysed. This might
@@ -1101,8 +971,9 @@
 +indicates the specified login ID has its cypher text publicly available
 +and is subject to brute force password cracking, even though shadow
 +passwords are implimented on the system.
---- tiger-3.2.1.orig/doc/paths.txt
-+++ tiger-3.2.1/doc/paths.txt
+diff -ru tiger.orig/doc/paths.txt tiger/doc/paths.txt
+--- tiger.orig/doc/paths.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/paths.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -9,7 +9,7 @@
  executables and spread by `root'.  Often these executables are owned by
  `bin', `uucp' or other system accounts.  If these commands are never
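Review bot: in the doc/passwd.txt section, the added line `+passwords are implimented on the system.` carries a misspelling ("implemented"), in a patch whose other sections correct exactly this kind of error (for example "determins" to "determines" in doc/ndd.txt). Since the patch was regenerated anyway, fix it here rather than shipping a new typo in the explanation text.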
@@ -1112,8 +983,9 @@
  to install most /usr/sbin/* and /usr/bin/* executables
  as owned by `bin', this account will not flag a warning.
  
---- tiger-3.2.1.orig/doc/pcap.txt
-+++ tiger-3.2.1/doc/pcap.txt
+diff -ru tiger.orig/doc/pcap.txt tiger/doc/pcap.txt
+--- tiger.orig/doc/pcap.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/pcap.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -14,6 +14,6 @@
  group or world write permissions.  This may represent a security
  vulnerability.
@@ -1122,8 +994,9 @@
 +The indicated executable associated with a printer control has
  group or world write permissions.  This may represent a security
  vulnerability, as it may be possible to replace the executable.
---- tiger-3.2.1.orig/doc/permissions.txt
-+++ tiger-3.2.1/doc/permissions.txt
+diff -ru tiger.orig/doc/permissions.txt tiger/doc/permissions.txt
+--- tiger.orig/doc/permissions.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/permissions.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -160,7 +160,7 @@
  %perm26f
  The file '/etc/login.access' provides finer control over user
@@ -1133,8 +1006,9 @@
  users, then unauthorized access or privileges may be obtained.
  %perm27f
  The file '/etc/login.conf' is used by default on some BSD systems, 
---- tiger-3.2.1.orig/doc/pxt.txt
-+++ tiger-3.2.1/doc/pxt.txt
+diff -ru tiger.orig/doc/pxt.txt tiger/doc/pxt.txt
+--- tiger.orig/doc/pxt.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/pxt.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -1,6 +1,6 @@
 -%dev001
 +%dev001f
@@ -1210,8 +1084,9 @@
 -upgraded, removed or tampered with.  If this modification is legitmate
 +upgraded, removed or tampered with.  If this modification is legitimate
  please refresh the tripwire database by running "tripwire --update"
---- tiger-3.2.1.orig/doc/rhosts.txt
-+++ tiger-3.2.1/doc/rhosts.txt
+diff -ru tiger.orig/doc/rhosts.txt tiger/doc/rhosts.txt
+--- tiger.orig/doc/rhosts.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/rhosts.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -54,7 +54,7 @@
  security hole.  It allows anyone to login to the machine as any
  user except `root'.  This needs to be removed immediately.  Note
@@ -1230,17 +1105,9 @@
  not the user needs to have an .rhosts file and, in any case, consider
  the use of safer replacement for the 'r' commands including public-key
  cryptography programs (such as SSH implementations)
---- tiger-3.2.1.orig/doc/root.txt
-+++ tiger-3.2.1/doc/root.txt
-@@ -8,5 +8,5 @@
- "root" should be added to this file.
- %root003w
- The root user should not have the message capability turned on.  This
--could lead to inadvertant modification of files with the root user is
-+could lead to inadvertent modification of files with the root user is
- logged in.
---- tiger-3.2.1.orig/doc/rootdir.txt
-+++ tiger-3.2.1/doc/rootdir.txt
+diff -ru tiger.orig/doc/rootdir.txt tiger/doc/rootdir.txt
+--- tiger.orig/doc/rootdir.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/rootdir.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -1,6 +1,8 @@
  %rootdir001f
 -The inode for the root directory is not on inode 2.  This is a security 
@@ -1253,54 +1120,9 @@
 -
 +%rootdir003f
 +The ownership of the root directory is not secure.
---- tiger-3.2.1.orig/doc/signature.txt
-+++ tiger-3.2.1/doc/signature.txt
-@@ -176,7 +176,7 @@
- %sig022f
- The patchdiag.xref files is not available in the configuration directory. This
- means that the script cannot proceed further since it does not have any
--information of which are the appropiate patches for this system.
-+information of which are the appropriate patches for this system.
- 
- Please download the patchdiag file from Sunsolve, you can use, for example,
- the following link:
---- tiger-3.2.1.orig/doc/aide.txt
-+++ tiger-3.2.1/doc/aide.txt
-@@ -5,7 +5,7 @@
- cannot make use of in the current Tiger version. Please supply a custom
- configuration file using Tiger_Run_AIDE_CFG_OVERRIDE and/or make sure 
- no variable substitution is used in the Aide configuration file.
--%aide003w
-+%aide003wsum
- Aide detected changes in filesystem integrity. This line is only the summary.
- %aide003w
- Aide detected, by checking against the files' the attributes in the database,
---- tiger-3.2.1.orig/doc/ndd.txt
-+++ tiger-3.2.1/doc/ndd.txt
-@@ -69,8 +69,8 @@
- services.
-  # ndd -set /dev/ip ip_respond_to_timestamp 0
- %ndd011w
--This option determins if HP-UX will include explanitory text in the
--RST segement it sends.  This text is helpful for debugging, but is also
-+This option determines if HP-UX will include explanatory text in the
-+RST segment it sends.  This text is helpful for debugging, but is also
- useful to potential intruders.
- To disable this do:
-  # ndd -set /dev/tcp tcp_text_in_resets 0
---- tiger-3.2.1.orig/doc/integrit.txt
-+++ tiger-3.2.1/doc/integrit.txt
-@@ -5,7 +5,7 @@
- Tiger cannot make use of in the current Tiger version. Please supply a custom
- configuration file using Tiger_Run_AIDE_CFG_OVERRIDE and/or make sure 
- no variable substitution is used in the Integrit configuration file.
--%integ003w
-+%integ003wsum
- Integrit detected changes in filesystem integrity. This line is only the 
- summary.
- %integ003w
---- tiger-3.2.1.orig/doc/rootkit.txt
-+++ tiger-3.2.1/doc/rootkit.txt
+diff -ru tiger.orig/doc/rootkit.txt tiger/doc/rootkit.txt
+--- tiger.orig/doc/rootkit.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/rootkit.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -14,12 +14,12 @@
  The 'chkrootkit' program has detected a suspicious directory
  which might be an indication of an intrusion. 
@@ -1330,8 +1152,31 @@
  to power off the system and follow the steps outlined by
  Steps for Recovering from a UNIX or NT System Compromise
  (http://www.cert.org/tech_tips/root_compromise.html)
---- tiger-3.2.1.orig/doc/ssh.txt
-+++ tiger-3.2.1/doc/ssh.txt
+diff -ru tiger.orig/doc/root.txt tiger/doc/root.txt
+--- tiger.orig/doc/root.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/root.txt	2009-03-08 14:48:36.000000000 +0000
+@@ -8,5 +8,5 @@
+ "root" should be added to this file.
+ %root003w
+ The root user should not have the message capability turned on.  This
+-could lead to inadvertant modification of files with the root user is
++could lead to inadvertent modification of files with the root user is
+ logged in.
+diff -ru tiger.orig/doc/signature.txt tiger/doc/signature.txt
+--- tiger.orig/doc/signature.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/signature.txt	2009-03-08 14:48:36.000000000 +0000
+@@ -176,7 +176,7 @@
+ %sig022f
+ The patchdiag.xref files is not available in the configuration directory. This
+ means that the script cannot proceed further since it does not have any
+-information of which are the appropiate patches for this system.
++information of which are the appropriate patches for this system.
+ 
+ Please download the patchdiag file from Sunsolve, you can use, for example,
+ the following link:
+diff -ru tiger.orig/doc/ssh.txt tiger/doc/ssh.txt
+--- tiger.orig/doc/ssh.txt	2009-03-08 14:41:39.000000000 +0000
++++ tiger/doc/ssh.txt	2009-03-08 14:48:36.000000000 +0000
 @@ -8,12 +8,12 @@
  and no.
  %ssh003w
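Review bot: in the doc/root.txt section the replacement line `+could lead to inadvertent modification of files with the root user is` fixes the spelling but leaves the sentence ungrammatical ("with the root user is logged in"); "while" or "when" is presumably meant. The doc/signature.txt context line "The patchdiag.xref files is not available" has the same kind of leftover. Both could be corrected now that the patch has been regenerated.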
@@ -1347,8 +1192,9 @@
  %ssh005e
  The variable SSHD_CONFIG is not defined which means that you have
  not setup (or the system has been enable to find) your SSH configuration
---- tiger-3.2.1.orig/html/accounts.html
-+++ tiger-3.2.1/html/accounts.html
+diff -ru tiger.orig/html/accounts.html tiger/html/accounts.html
+--- tiger.orig/html/accounts.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/accounts.html	2009-03-08 14:48:36.000000000 +0000
 @@ -316,22 +316,6 @@
  
  
@@ -1402,112 +1248,9 @@
  The listed login ID appears to be dormant. Files in the home
  directory of this user have not been modified in the specified
  period of time and after investigation the account may need to
---- tiger-3.2.1.orig/html/aide.html
-+++ tiger-3.2.1/html/aide.html
-@@ -0,0 +1,101 @@
-+<HR><PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<CENTER><H2> Documents for aide</H2></CENTER>
-+<A NAME="aide001i"><P><B>Code [aide001i]</B><P>
-+Aide detected no changes. Good.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="aide002e"><P><B>Code [aide002e]</B><P>
-+Aide configuration files can make use of variable substitution in a way Tiger
-+cannot make use of in the current Tiger version. Please supply a custom
-+configuration file using Tiger_Run_AIDE_CFG_OVERRIDE and/or make sure
-+no variable substitution is used in the Aide configuration file.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="aide003wsum"><P><B>Code [aide003wsum]</B><P>
-+Aide detected changes in filesystem integrity. This line is only the summary.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="aide003w"><P><B>Code [aide003w]</B><P>
-+Aide detected, by checking against the files' the attributes in the database,
-+the file has changed. "Benign" actions, like accessing a file (remember
-+directories are files too) may have changed it, but it may be part of a breach
-+of security. Please investigate.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="aide004w"><P><B>Code [aide004w]</B><P>
-+Aide detected, by checking against the files' the attributes in the database,
-+the file has been removed. "Benign" configuration errors of the database
-+settings may lead to incorporation and checking of for instance temporary
-+files. Uninstalling software and related files may lead to the same result
-+when the database was not upgraded before this check.
-+If the removed file was not a temporary file and not part of legitimately
-+uninstalled software, it may have been used in a breach of security.
-+Please investigate.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="aide005w"><P><B>Code [aide005w]</B><P>
-+Aide detected, by checking file against the database, the file was not part of
-+the database. "Benign" actions like installing software and related files or
-+changes in the configuration file may lead to this result when the database
-+was not upgraded before this check. If the removed file was not part of
-+legitimately installed software, it may be in use in a breach of security.
-+Please investigate.
---- tiger-3.2.1.orig/html/anonftp.html
-+++ tiger-3.2.1/html/anonftp.html
+diff -ru tiger.orig/html/anonftp.html tiger/html/anonftp.html
+--- tiger.orig/html/anonftp.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/anonftp.html	2009-03-08 14:48:36.000000000 +0000
 @@ -26,7 +26,7 @@
  </PRE><HR>
  <A NAME="ftp002a"><P><B>Code [ftp002a]</B><P>
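Review bot: the html/aide.html new-file section (`-@@ -0,0 +1,101 @@`) is removed here, while the relocated doc/aide.txt section in this same revision still introduces `%aide003wsum`. After this change the text documentation describes aide003wsum but the HTML page carrying the `aide003wsum` anchor is no longer created by the patch, so the two documentation sets go out of sync. The regenerated headers show `diff -ru` without `-N`, which omits files present only in the new tree; regenerate with `diff -ruN` if the HTML page is still wanted, or note the removal in the log message.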
@@ -1551,8 +1294,9 @@
 +The 'ftp' account appears to have a valid shell. A valid shell is not
 +required for the 'ftp' user and can be safely set to /bin/false,
 +/sbin/nologin, etc.
---- tiger-3.2.1.orig/html/config.html
-+++ tiger-3.2.1/html/config.html
+diff -ru tiger.orig/html/config.html tiger/html/config.html
+--- tiger.orig/html/config.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/config.html	2009-03-08 14:48:36.000000000 +0000
 @@ -10,7 +10,7 @@
  </PRE><HR>
  <CENTER><H2> Documents for config</H2></CENTER>
@@ -1650,8 +1394,9 @@
 +<A NAME="run002e"><P><B>Code [run002e]</B><P>
 +A needed command cannot be executed, probably due to insufficient privileges.
  Make sure that Tiger is run by the superuser (root) account.
---- tiger-3.2.1.orig/html/cron.html
-+++ tiger-3.2.1/html/cron.html
+diff -ru tiger.orig/html/cron.html tiger/html/cron.html
+--- tiger.orig/html/cron.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/cron.html	2009-03-08 14:48:36.000000000 +0000
 @@ -84,4 +84,41 @@
  particular, possibly recurring time. It can be very useful, but also
  has a very real potential for abuse by either users or system crackers.
@@ -1695,8 +1440,9 @@
 +Cron is restricted to a given user. This is usually good, since
 +restricting cron prevents this system from being
 +abused by either users or system crackers.
---- tiger-3.2.1.orig/html/embed.html
-+++ tiger-3.2.1/html/embed.html
+diff -ru tiger.orig/html/embed.html tiger/html/embed.html
+--- tiger.orig/html/embed.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/embed.html	2009-03-08 14:48:36.000000000 +0000
 @@ -176,11 +176,11 @@
  
  
@@ -1711,8 +1457,9 @@
  study the file and programs in which the pathname was found to
 -determine whether there
 +determine whether there is a problem.
---- tiger-3.2.1.orig/html/filesys.html
-+++ tiger-3.2.1/html/filesys.html
+diff -ru tiger.orig/html/filesys.html tiger/html/filesys.html
+--- tiger.orig/html/filesys.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/filesys.html	2009-03-08 14:48:36.000000000 +0000
 @@ -71,7 +71,7 @@
  
  
@@ -1755,16 +1502,18 @@
 +The listed program is not owned by an administrative user. The
 +majority of SUID programs should probably be owned by an
 +administrative user.
---- tiger-3.2.1.orig/html/group.html
-+++ tiger-3.2.1/html/group.html
+diff -ru tiger.orig/html/group.html tiger/html/group.html
+--- tiger.orig/html/group.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/group.html	2009-03-08 14:48:36.000000000 +0000
 @@ -89,5 +89,3 @@
  The group files have integrity issues as found by 'grpck -r'. This
  can lead to looping of password manipulation programs and to allow
  unexpected access to resources.
 -<P>
 -<P>
---- tiger-3.2.1.orig/html/inetd.html
-+++ tiger-3.2.1/html/inetd.html
+diff -ru tiger.orig/html/inetd.html tiger/html/inetd.html
+--- tiger.orig/html/inetd.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/inetd.html	2009-03-08 14:48:36.000000000 +0000
 @@ -96,12 +96,20 @@
  
  </PRE><HR>
@@ -2193,114 +1942,9 @@
 +The service is disabled in the Xinetd configuration file. This is usually
 +a good thing, since this limits exposure of the server and prevents
 +external attacks.
---- tiger-3.2.1.orig/html/integrit.html
-+++ tiger-3.2.1/html/integrit.html
-@@ -0,0 +1,103 @@
-+<HR><PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<CENTER><H2> Documents for integrit</H2></CENTER>
-+<A NAME="integ001i"><P><B>Code [integ001i]</B><P>
-+Integrit detected no changes. Good.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="integ002e"><P><B>Code [integ002e]</B><P>
-+Integrit configuration files can make use of variable substitution in a way
-+Tiger cannot make use of in the current Tiger version. Please supply a custom
-+configuration file using Tiger_Run_AIDE_CFG_OVERRIDE and/or make sure
-+no variable substitution is used in the Integrit configuration file.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="integ003wsum"><P><B>Code [integ003wsum]</B><P>
-+Integrit detected changes in filesystem integrity. This line is only the
-+summary.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="integ003w"><P><B>Code [integ003w]</B><P>
-+Integrit detected, by checking against the files' the attributes in the
-+database, the file has changed. "Benign" actions, like accessing a file
-+(remember directories are files too) may have changed it, but it may be part
-+of a breach of security. Please investigate.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="integ004w"><P><B>Code [integ004w]</B><P>
-+Integrit detected, by checking against the files' the attributes in the
-+database, the file has been removed. "Benign" configuration errors of the
-+database settings may lead to incorporation and checking of for instance
-+temporary files. Uninstalling software and related files may lead to the
-+same result when the database was not upgraded before this check.
-+If the removed file was not a temporary file and not part of legitimately
-+uninstalled software, it may have been used in a breach of security.
-+Please investigate.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="integ005w"><P><B>Code [integ005w]</B><P>
-+Integrit detected, by checking file against the database, the file was
-+not part of the database. "Benign" actions like installing software and
-+related files or changes in the configuration file may lead to this result
-+when the database was not upgraded before this check. If the removed file
-+was not part of legitimately installed software, it may be in use in a
-+breach of security.
-+Please investigate.
---- tiger-3.2.1.orig/html/known.html
-+++ tiger-3.2.1/html/known.html
+diff -ru tiger.orig/html/known.html tiger/html/known.html
+--- tiger.orig/html/known.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/known.html	2009-03-08 14:48:36.000000000 +0000
 @@ -151,7 +151,7 @@
  </PRE><HR>
  <A NAME="kis009w"><P><B>Code [kis009w]</B><P>
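Review bot: the whole html/integrit.html section (the new-file hunk `@@ -0,0 +1,103 @@`) is deleted from the patch here, and the log message "defuzz patches to rebuild" does not mention dropping documentation. The regenerated headers are `diff -ru`, which skips files that exist on only one side, so new files fall out of the patch unless it is rebuilt with `-N` (`diff -ruN`). If the removal is intended, say so in the log. If it is not, regenerate with `-N` so the explanations for integ001i through integ005w still ship.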
@@ -2366,8 +2010,9 @@
 +out in your /etc/inetd.conf. Intruders may turn on a service
 +that you previously thought you had turned off, or replace
 +the inetd program with a Trojan horse program.
---- tiger-3.2.1.orig/html/linux.html
-+++ tiger-3.2.1/html/linux.html
+diff -ru tiger.orig/html/linux.html tiger/html/linux.html
+--- tiger.orig/html/linux.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/linux.html	2009-03-08 14:48:36.000000000 +0000
 @@ -207,11 +207,12 @@
  The system is configured to accept ICMP redirects, this might or might
  not be necessary in your network topology. If you have multiple routers
@@ -2454,8 +2099,9 @@
 +use to specific local network IP addresses or hosts.
 +If the system is multi-home a local firewall configuration will prevent
 +spoofing attacks due to "weak end host" issues.
---- tiger-3.2.1.orig/html/logfiles.html
-+++ tiger-3.2.1/html/logfiles.html
+diff -ru tiger.orig/html/logfiles.html tiger/html/logfiles.html
+--- tiger.orig/html/logfiles.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/logfiles.html	2009-03-08 14:48:36.000000000 +0000
 @@ -12,6 +12,8 @@
  <A NAME="logf001f"><P><B>Code [logf001f]</B><P>
  The log file "wtmp" should exist to show an audit trail of which user has
@@ -2535,8 +2181,9 @@
 +different file for logging or if an intruder has tried to cover
 +his tracks by removing it since the messages file might contain
 +bad login attempts from local users and remote hosts.
---- tiger-3.2.1.orig/html/misc.html
-+++ tiger-3.2.1/html/misc.html
+diff -ru tiger.orig/html/misc.html tiger/html/misc.html
+--- tiger.orig/html/misc.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/misc.html	2009-03-08 14:48:36.000000000 +0000
 @@ -163,8 +163,8 @@
  
  
@@ -2634,222 +2281,13 @@
 +The script will not be run since it is not executable. This might be a problem
 +with the installation of Tiger so you should recheck the script's file owner
 +and permissions.
---- tiger-3.2.1.orig/html/ndd.html
-+++ tiger-3.2.1/html/ndd.html
-@@ -0,0 +1,207 @@
-+<HR><PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<CENTER><H2> Documents for ndd</H2></CENTER>
-+<A NAME="ndd001f"><P><B>Code [ndd001f]</B><P>
-+This option determines whether to forward broadcast packets directed
-+to a specific net or subnet, if that net or subnet is directly
-+connected to the machine. If the system is acting as a router, this
-+option can be exploited to generate a great deal of broadcast network
-+traffic. Turning this option off will help prevent broadcast traffic
-+attacks.
-+To disable this do:
-+# ndd -set /dev/ip ip_forward_directed_broadcasts 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd002f"><P><B>Code [ndd002f]</B><P>
-+This option determines whether to forward packets that are source
-+routed. These packets define the path the packet should take instead
-+of allowing network routers to define the path.
-+To disable this do:
-+# ndd -set /dev/ip ip_forward_src_routed 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd003w"><P><B>Code [ndd003w]</B><P>
-+IP forwarding is the option that permits the system to act as a router
-+and thus resend packets from one network interface to another. If your
-+system is not acting as such this option should be disabled.
-+To disable this do:
-+# ndd -set /dev/ip ip_forwarding 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd004f"><P><B>Code [ndd004f]</B><P>
-+The echo-request PMTU strategy can be used for amplification attacks.
-+Use either strategy 1 or strategy 0.
-+To disable this do:
-+# ndd -set /dev/ip ip_pmtu_straegy [0|1]
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd005w"><P><B>Code [ndd005w]</B><P>
-+This option determines whether to send ICMP redirect messages which
-+can introduce changes into remote system's routing table. It should
-+only be used on systems that act as routers.
-+To disable this do:
-+# ndd -set /dev/ip ip_send_redirects 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd006w"><P><B>Code [ndd006w]</B><P>
-+The system is configured to send ICMP source quench messages. These
-+ICMP messages have been deprecated.
-+To disable this do:
-+# ndd -set /dev/ip ip_send_source_sqench 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd007f"><P><B>Code [ndd007f]</B><P>
-+This options determines whether to respond to ICMP netmask requests
-+which are typically sent by diskless clients when booting. An
-+attacker may use the netmask information for determining network
-+topology or the broadcast address for the subnet.
-+To disable this do:
-+# ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd008f"><P><B>Code [ndd008f]</B><P>
-+This option determines whether to respond to ICMP broadcast echo
-+requests (ping). An attacker may try to create a denial of service
-+attack on subnets by sending many broadcast echo requests to which all
-+systems will respond. This also provides information on systems that
-+are available on the network.
-+To disable this do:
-+# ndd -set /dev/ip ip_respond_to_echo_broadcast 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd009f"><P><B>Code [ndd009f]</B><P>
-+This option determines whether to respond to ICMP broadcast timestamp
-+requests which are used to discover the time on all systems in the
-+broadcast range. This option is dangerous for the same reasons as
-+responding to a single timestamp request. Additionally, an attacker
-+may try to create a denial of service attack by generating many
-+broadcast timestamp requests.
-+To disable this do:
-+# ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd010f"><P><B>Code [ndd010f]</B><P>
-+This option determines whether to respond to ICMP timestamp requests
-+which some systems use to discover the time on a remote system. An
-+attacker may use the time information to schedule an attack at a
-+period of time when the system may run a cron job (or other time-
-+based event) or otherwise be busy. It may also be possible predict
-+ID or sequence numbers that are based on the time of day for spoofing
-+services.
-+# ndd -set /dev/ip ip_respond_to_timestamp 0
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ndd011w"><P><B>Code [ndd011w]</B><P>
-+This option determines if HP-UX will include explanatory text in the
-+RST segment it sends. This text is helpful for debugging, but is also
-+useful to potential intruders.
-+To disable this do:
-+# ndd -set /dev/tcp tcp_text_in_resets 0
---- tiger-3.2.1.orig/html/netrc.html
-+++ tiger-3.2.1/html/netrc.html
-@@ -67,3 +67,19 @@
- that an intrusion has occurred. The directory should be examined
- for unusual files. The system should also be checked for other
- signs of intrusion. The directory should be renamed or removed.
+diff -ru tiger.orig/html/netrc.html tiger/html/netrc.html
+--- tiger.orig/html/netrc.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/netrc.html	2009-03-08 14:48:36.000000000 +0000
+@@ -67,3 +67,19 @@
+ that an intrusion has occurred. The directory should be examined
+ for unusual files. The system should also be checked for other
+ signs of intrusion. The directory should be renamed or removed.
 +<PRE>
 +
 +
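Review bot: html/ndd.html (`@@ -0,0 +1,207 @@`) disappears in this hunk with no mention in the log, so the explanations for codes ndd001f through ndd011w are no longer installed. If the file is restored, fix it at the same time: the commands `ndd -set /dev/ip ip_pmtu_straegy [0|1]` and `ndd -set /dev/ip ip_send_source_sqench 0` do not match the spelling the surrounding prose uses ("strategy", "source quench"), and the ndd010f entry is the only one missing the "To disable this do:" line before its command.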
@@ -2866,8 +2304,9 @@
 +The user has a .netrc file, you should avoid usage of these files unless
 +absolutely necessary since they can contain sensible information which
 +could be used by a local intruder.
---- tiger-3.2.1.orig/html/network.html
-+++ tiger-3.2.1/html/network.html
+diff -ru tiger.orig/html/network.html tiger/html/network.html
+--- tiger.orig/html/network.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/network.html	2009-03-08 14:48:36.000000000 +0000
 @@ -10,7 +10,7 @@
  </PRE><HR>
  <CENTER><H2> Documents for network</H2></CENTER>
@@ -2886,8 +2325,9 @@
  based, add the 'filelog' or 'syslog' options in /etc/sysconfig/xinetd
  configuration file.
  <PRE>
---- tiger-3.2.1.orig/html/passwd.html
-+++ tiger-3.2.1/html/passwd.html
+diff -ru tiger.orig/html/passwd.html tiger/html/passwd.html
+--- tiger.orig/html/passwd.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/passwd.html	2009-03-08 14:48:36.000000000 +0000
 @@ -135,7 +135,7 @@
  
  
@@ -3062,8 +2502,9 @@
 +indicates the specified login ID has its cypher text publicly available
 +and is subject to brute force password cracking, even though shadow
 +passwords are implimented on the system.
---- tiger-3.2.1.orig/html/paths.html
-+++ tiger-3.2.1/html/paths.html
+diff -ru tiger.orig/html/paths.html tiger/html/paths.html
+--- tiger.orig/html/paths.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/paths.html	2009-03-08 14:48:36.000000000 +0000
 @@ -32,9 +32,13 @@
  executables and spread by `root'. Often these executables are owned by
  `bin', `uucp' or other system accounts. If these commands are never
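Review bot: the passwd.html text kept just above the new paths.html header still reads "passwords are implimented on the system". This is a documentation patch that already corrects "legitmate" and "inadvertant" in other files, so "implemented" should be fixed here while the patch is being regenerated.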
@@ -3080,8 +2521,9 @@
  <PRE>
  
  
---- tiger-3.2.1.orig/html/pcap.html
-+++ tiger-3.2.1/html/pcap.html
+diff -ru tiger.orig/html/pcap.html tiger/html/pcap.html
+--- tiger.orig/html/pcap.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/pcap.html	2009-03-08 14:48:36.000000000 +0000
 @@ -73,6 +73,6 @@
  
  </PRE><HR>
@@ -3090,8 +2532,9 @@
 +The indicated executable associated with a printer control has
  group or world write permissions. This may represent a security
  vulnerability, as it may be possible to replace the executable.
---- tiger-3.2.1.orig/html/permissions.html
-+++ tiger-3.2.1/html/permissions.html
+diff -ru tiger.orig/html/permissions.html tiger/html/permissions.html
+--- tiger.orig/html/permissions.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/permissions.html	2009-03-08 14:48:36.000000000 +0000
 @@ -528,3 +528,101 @@
  loss of 'arp -a' functionality for a normal user account. (On SunOS 5.x
  systems, even this functionality isn't lost... there is no reason for
@@ -3194,8 +2637,9 @@
 +Since this file provides control over user access, if this file
 +is writable by non-root users, then unauthorized access or privileges
 +may be obtained.
---- tiger-3.2.1.orig/html/pxt.html
-+++ tiger-3.2.1/html/pxt.html
+diff -ru tiger.orig/html/pxt.html tiger/html/pxt.html
+--- tiger.orig/html/pxt.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/pxt.html	2009-03-08 14:48:36.000000000 +0000
 @@ -9,7 +9,7 @@
  
  </PRE><HR>
@@ -3341,8 +2785,9 @@
 -upgraded, removed or tampered with. If this modification is legitmate
 +upgraded, removed or tampered with. If this modification is legitimate
  please refresh the tripwire database by running "tripwire --update"
---- tiger-3.2.1.orig/html/rhosts.html
-+++ tiger-3.2.1/html/rhosts.html
+diff -ru tiger.orig/html/rhosts.html tiger/html/rhosts.html
+--- tiger.orig/html/rhosts.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/rhosts.html	2009-03-08 14:48:36.000000000 +0000
 @@ -173,7 +173,7 @@
  
  
@@ -3417,8 +2862,9 @@
 +Consider removing the 'r' commands altogether and use safer replacements
 +commands, including public-key cryptography programs
 +(such as SSH implementations)
---- tiger-3.2.1.orig/html/rootdir.html
-+++ tiger-3.2.1/html/rootdir.html
+diff -ru tiger.orig/html/rootdir.html tiger/html/rootdir.html
+--- tiger.orig/html/rootdir.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/rootdir.html	2009-03-08 14:48:36.000000000 +0000
 @@ -10,8 +10,9 @@
  </PRE><HR>
  <CENTER><H2> Documents for rootdir</H2></CENTER>
@@ -3450,120 +2896,9 @@
 +</PRE><HR>
 +<A NAME="rootdir003f"><P><B>Code [rootdir003f]</B><P>
 +The ownership of the root directory is not secure.
---- tiger-3.2.1.orig/html/rootkit.html
-+++ tiger-3.2.1/html/rootkit.html
-@@ -0,0 +1,109 @@
-+<HR><PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<CENTER><H2> Documents for rootkit</H2></CENTER>
-+<A NAME="rootkit001f"><P><B>Code [rootkit001f]</B><P>
-+A test was run on the 'ls' command to determine if it 'sees'
-+certain pathnames (e.g., '...','bnc','war',etc). Tiger creates
-+a temporary directory, creates files with known hacker program
-+names/directories, and attempts an 'ls'. If the 'ls' does not
-+recognize the file, a FAIL is issued
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="rootkit002f"><P><B>Code [rootkit002f]</B><P>
-+A test was run on the 'find' command to determine if it 'sees'
-+certain pathnames (e.g., '...','bnc','war',etc). Tiger creates
-+a temporary directory, creates files with known hacker program
-+names/directories, and attempts an 'find'. If the 'find' does
-+not recognize the file, a FAIL is issued.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="rootkit003w"><P><B>Code [rootkit003w]</B><P>
-+The 'chkrootkit' program has detected a suspicious directory
-+which might be an indication of an intrusion.
-+A full analysis of the system is recommended to determine the
-+presence of further signs of intrusion since a rootkit might have
-+been installed.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="rootkit004w"><P><B>Code [rootkit004w]</B><P>
-+The 'chkrootkit' program has detected a possible rootkit installation
-+A full analysis of the system is recommended to determine the
-+presence of further signs of intrusion since a rootkit might have
-+been installed.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="rootkit005a"><P><B>Code [rootkit005a]</B><P>
-+The 'chkrootkit' program has detected a rootkit installation
-+A full analysis of the system is recommended to determine the
-+presence of further signs of intrusion and to determine if the
-+rootkit is indeed installed.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="rootkit006a"><P><B>Code [rootkit006a]</B><P>
-+A rootkit is installed by intruders in systems which have been
-+successfully compromised and in which they have obtained full
-+administrator privileges. The installation of a rootkit is
-+an indication of a major system compromise.
-+<P>
-+If the installation of a rootkit is confirmed you are encouraged
-+to power off the system and follow the steps outlined by
-+Steps for Recovering from a UNIX or NT System Compromise
-+(http://www.cert.org/tech_tips/root_compromise.html)
---- tiger-3.2.1.orig/html/root.html
-+++ tiger-3.2.1/html/root.html
+diff -ru tiger.orig/html/root.html tiger/html/root.html
+--- tiger.orig/html/root.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/root.html	2009-03-08 14:48:36.000000000 +0000
 @@ -43,5 +43,5 @@
  </PRE><HR>
  <A NAME="root003w"><P><B>Code [root003w]</B><P>
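Review bot: html/rootkit.html (`@@ -0,0 +1,109 @@`) is removed here, yet the README.hostids section carried later in the same patch still adds "an specific tool to detect rootkits: chkrootkit" to the recommended setup. With the page gone, the codes rootkit001f through rootkit006a have no explanation text, including the rootkit006a advice to power off the system and follow the CERT recovery steps. Either keep the file (regenerate with `diff -ruN`) or note in the log why the rootkit documentation is being dropped.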
@@ -3571,8 +2906,9 @@
 -could lead to inadvertant modification of files with the root user is
 +could lead to inadvertent modification of files with the root user is
  logged in.
---- tiger-3.2.1.orig/html/signature.html
-+++ tiger-3.2.1/html/signature.html
+diff -ru tiger.orig/html/signature.html tiger/html/signature.html
+--- tiger.orig/html/signature.html	2009-03-08 14:41:40.000000000 +0000
++++ tiger/html/signature.html	2009-03-08 14:48:36.000000000 +0000
 @@ -424,3 +424,25 @@
  field when changing the password. As a result, the 'root' account has a
  null password field, allowing anyone to remote shell in as root. To fix
@@ -3599,126 +2935,9 @@
 +http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=patchdiag.xref&method=H
 +<P>
 +Once downloaded, place it in the configuration directory and rerun the script.
---- tiger-3.2.1.orig/html/ssh.html
-+++ tiger-3.2.1/html/ssh.html
-@@ -0,0 +1,80 @@
-+<HR><PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<CENTER><H2> Documents for ssh</H2></CENTER>
-+<A NAME="ssh001w"><P><B>Code [ssh001w]</B><P>
-+The Protocol directive in the sshd_config file is not in the
-+allowed protocol list.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ssh002w"><P><B>Code [ssh002w]</B><P>
-+The PermitRootLogin directive is not in the allowed methods
-+list. This directive controls how root is allowed to use SSH.
-+Valid options are: yes, without-password, forced-commands-only,
-+and no.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ssh003w"><P><B>Code [ssh003w]</B><P>
-+The RhostsAuthentication directive determines if .rhosts or
-+/etc/hosts.equiv is sufficient authentication. This option
-+only applies to protocol version 1 and is generally believed
-+to be insecure.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ssh004w"><P><B>Code [ssh004w]</B><P>
-+The PasswordAuthentication directive determines if passwords
-+are a sufficient authentication.
-+<PRE>
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+</PRE><HR>
-+<A NAME="ssh005e"><P><B>Code [ssh005e]</B><P>
-+The variable SSHD_CONFIG is not defined which means that you have
-+not setup (or the system has been enable to find) your SSH configuration
-+files. You should setup that variable in your site-`hostname`
-+configuration file.
---- tiger-3.2.1.orig/README.hostids
-+++ tiger-3.2.1/README.hostids
-@@ -14,7 +14,7 @@
- policy template for the module or a previous run to check against,
- if available. Only messages not reported before (or not in the policy
- will be checked against)
--3.- The report (wether full or differential) is sent through e-mail
-+3.- The report (whether full or differential) is sent through e-mail
- to the address configured at 'Tiger_Mail_RCPT'
- 
- Tiger can be configured so that it is run as a cron job hourly. 
-@@ -42,6 +42,7 @@
- - an integrity checker such as Tripwire (or a replacement like Aide). 
- - a logchecker (like logcheck) to look for security information in the
-   log files.
-+- an specific tool to detect rootkits: chkrootkit
- - (maybe) a Network IDS such as Snort.
- - (maybe) a portscanner detection such as portsentry, scanlogd, 
-   scandetd or psad (provided by Bastille)
-@@ -64,10 +65,13 @@
- 	a) just use GPG/PGP to sign or encrypt the e-mails. You need however
- 	to place a private key in the agent (and it could be compromised)
- 	b) use a VPN tunnel between agents and the mailserver. This could
--	be done either using a permament SSH tunnel, an Ipsec VPN...
-+	be done either using a permanent SSH tunnel, an Ipsec VPN...
- 
- 2.- there is no such thing (currently) as a Tiger Server, unlike other 
--HIDS (If anyone wants to write one please say so :) so there's no way to:
-+HIDS (If anyone wants to write one please say so :) so there's no way to
-+receive all the alerts in a single place and correlate them.
-+Note: in the contrib directory you will find the 'secauditdb' program
-+(not yet integrated into Tiger) which does just this.
- 
- 3.- Tiger reports are not protected in anyway save for standard UNIX 
- permissions. This means that if the server Tiger is running in is 
---- tiger-3.2.1.orig/man/tiger.8.in
-+++ tiger-3.2.1/man/tiger.8.in
+diff -ru tiger.orig/man/tiger.8.in tiger/man/tiger.8.in
+--- tiger.orig/man/tiger.8.in	2009-03-08 14:41:39.000000000 +0000
++++ tiger/man/tiger.8.in	2009-03-08 14:48:36.000000000 +0000
 @@ -2,7 +2,24 @@
  .SH NAME
  tiger \- UNIX Security Checker
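Review bot: two file sections are deleted in this hunk but only one comes back. README.hostids reappears later in the regenerated patch, while html/ssh.html (`@@ -0,0 +1,80 @@`) does not reappear in the visible part of it, so ssh001w through ssh005e lose their explanations. Please confirm that is intended and mention it in the log. If the file is restored, "the system has been enable to find" in ssh005e should read "unable to find".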
@@ -3782,10 +3001,10 @@
 +.I README.ignore
 +document.
 +.SH OPTIONS
++.TP
++The following arguments can be used when calling the program:
  .TP
 -.I "\-B tigerdir"
-+The following arguments can be used when calling the program:
-+.TP
 +.BI "\-B " tigerdir
  Specify the directory where
 -.I tiger
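Review bot: in the OPTIONS section the added `.TP` is followed by the sentence "The following arguments can be used when calling the program:" and then immediately by another `.TP`, so the sentence is set as the tag of a tagged paragraph that has no body. Use `.PP` (or no macro at all) in front of the sentence and keep `.TP` only before `.BI "\-B " tigerdir`. The reordering of these lines relative to the old revision does not change what the patch applies, so this is the right moment to correct it.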
@@ -4244,7 +3463,7 @@
  .B lot
 @@ -359,12 +440,10 @@
  The modifications for the Debian GNU/Linux operating system have been made 
- by Javier Fernandez-Sanguino Peña <jfs at computer.org>, including a number of
+ by Javier Fernandez-Sanguino Peña <jfs at computer.org>, including a number of
  checks for the GNU/Linux
 -operating systems (
 -.B check_listeningprocs
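Review bot: the removed and added "by Javier Fernandez-Sanguino Peña" lines are identical as displayed, so the only difference is in bytes that are not visible here, most likely the character encoding of "ñ" or trailing whitespace. State which it is in the log, and keep the patch in the same encoding as man/tiger.8.in in the source tarball so this context line matches exactly and the hunk applies without fuzz.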
@@ -4260,8 +3479,92 @@
 -.B deb_nopackfiles
 -).
 +.BR deb_nopackfiles ).
---- tiger-3.2.1.orig/man/tigexp.8
-+++ tiger-3.2.1/man/tigexp.8
+diff -ru tiger.orig/man/tigercron.8.in tiger/man/tigercron.8.in
+--- tiger.orig/man/tigercron.8.in	2009-03-08 14:41:39.000000000 +0000
++++ tiger/man/tigercron.8.in	2009-03-08 14:48:36.000000000 +0000
+@@ -2,39 +2,47 @@
+ .SH NAME
+ tigercron \- Cron utility for Tiger UNIX Security Checker 
+ .SH SYNOPSIS
+-.B "tigercron [-B basedir] [..tigeroptions..] [controlfile] "
++.B tigercron
++.RI [ controlfile ]
++.RB [ -B
++.IR basedir ]
++.RI [ tigeroptions ...]
+ .LP
+ .SH DESCRIPTION
+ .LP
+-Tigercron is used to run periodically checks from the Tiger
++\fBTigercron\fR is used to run periodically checks from the Tiger
+ UNIX Security Checker. \fBTigercron\fR reads a control file
+-which is located in '@tigerconfigdir@/cronrc'. The format
+-of this control file is the same as for the \fBcron\fR program, each
++which is usually located in '@tigerconfigdir@/cronrc' although it
++can also be specificied as the first argument when calling the program. 
++The format of this control file is the same as for the \fBcron\fR program, each
+ line indicates when different checks from \fBTiger\fR will be run.
++The user can indicate where Tiger is installed through the 
++\fB-B basedir\fR parameter, any other additional options provided
++in the command line will be passed on to configure to configure \fBTiger\fR
++based on them (as described in \fBtiger (8)\fR).
+ 
+ \fBTigercron\fR runs the specified checks and compares their reports 
+ with previous stored reports (under @tigerlogdir@). It will then
+-mail the user defined in the '@tigerconfigdir@/cronrc' 
++mail the user defined in '@tigerconfigdir@/tigerrc' 
+ (\fITiger_Mail_RCPT\fR) the results.
+ 
+ When a module is run, \fBtigercron\fR checks:
+-
+-.PP
+-* If \fITiger_Cron_Template\fR is set to Y in tigerrc. If it is, it checks
++.IP \(bu 4
++If \fITiger_Cron_Template\fR is set to Y in tigerrc. If it is, it checks
+ if there is a template stating which are the expected results.
+-.PP
+-* If \fITiger_Cron_CheckPrev\fR is set to Y in tigerrc. If it is, it checks
++.IP \(bu 4
++If \fITiger_Cron_CheckPrev\fR is set to Y in tigerrc. If it is, it checks
+ if there is a previous run of the module it can check against.
+-
++.PP
+ A differential report is generated depending on the module reports
+ and previous run and is sent through e-mail. These reports
+-provides an easy way to detect intrusions even if no configuration
++provide an easy way to detect intrusions even if no configuration
+ of templates has been done. In the event of an intrusion a \fBTiger\fR
+ check might detect something specific (file changes, new processes,
+ new users, etc.) and this alert mechanism provides a way to turn
+ \fBTiger\fR into a Host Intrusion Detection System (HIDS).
+ 
+-The hability of it to work as a proper HIDS is based on a good customization
++The ability of it to work as a proper HIDS is based on a good customization
+ of the cronrc file. Modules that check events to which the host is
+ most exposed to should be run often in order to detect deviations
+ from normal behaviour.
+@@ -64,15 +72,15 @@
+ .B Tiger
+ scripts to create temporary files.
+ .SH SEE ALSO
+-tigexp(8), tiger(8), cron(8), crontab(5)
++.BR tigexp (8), tiger (8), cron (8), crontab (5)
+ 
+-The deficiencies of using \fBtigercron\fR as a HID are described in the
++The deficiencies of using \fBtigercron\fR as a HIDS are described in the
+ file README.hostids which is provided with the package. In Debian
+ GNU/Linux you will find this (and other related) documentation at
+ /usr/share/doc/tiger/
+ .SH BUGS
+ Currently \fBTigercron\fR has only one alert mechanism (mail) and signatures
+ are not supported. Thus, alerts could be faked. Also, it is dependant
+-on \fBcron\fR and will not work if its not working.
++on \fBcron\fR and will not work if \fBcron\fR is not working.
+ .SH AUTHOR
+ This manpage was written by Javier Fernandez-Sanguino.
+diff -ru tiger.orig/man/tigexp.8 tiger/man/tigexp.8
+--- tiger.orig/man/tigexp.8	2009-03-08 14:41:39.000000000 +0000
++++ tiger/man/tigexp.8	2009-03-08 14:48:36.000000000 +0000
 @@ -2,73 +2,82 @@
  .SH NAME
  tigexp \- UNIX Security Checker Explanation Generator
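Review bot: the relocated tigercron.8.in section carries man page defects that should be fixed before it is moved around again. In SEE ALSO, `.BR tigexp (8), tiger (8), cron (8), crontab (5)` joins its alternating arguments without spaces, so the entries run together; use one `.BR name (8),` line per page. In DESCRIPTION, "can also be specificied" should be "specified" and "will be passed on to configure to configure \fBTiger\fR" repeats "to configure".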
@@ -4385,90 +3688,9 @@
  .LP
  .SH BUGS
  If the explanation index is out of date, it doesn't recognize it
---- tiger-3.2.1.orig/man/tigercron.8.in
-+++ tiger-3.2.1/man/tigercron.8.in
-@@ -2,39 +2,47 @@
- .SH NAME
- tigercron \- Cron utility for Tiger UNIX Security Checker 
- .SH SYNOPSIS
--.B "tigercron [-B basedir] [..tigeroptions..] [controlfile] "
-+.B tigercron
-+.RI [ controlfile ]
-+.RB [ -B
-+.IR basedir ]
-+.RI [ tigeroptions ...]
- .LP
- .SH DESCRIPTION
- .LP
--Tigercron is used to run periodically checks from the Tiger
-+\fBTigercron\fR is used to run periodically checks from the Tiger
- UNIX Security Checker. \fBTigercron\fR reads a control file
--which is located in '@tigerconfigdir@/cronrc'. The format
--of this control file is the same as for the \fBcron\fR program, each
-+which is usually located in '@tigerconfigdir@/cronrc' although it
-+can also be specificied as the first argument when calling the program. 
-+The format of this control file is the same as for the \fBcron\fR program, each
- line indicates when different checks from \fBTiger\fR will be run.
-+The user can indicate where Tiger is installed through the 
-+\fB-B basedir\fR parameter, any other additional options provided
-+in the command line will be passed on to configure to configure \fBTiger\fR
-+based on them (as described in \fBtiger (8)\fR).
- 
- \fBTigercron\fR runs the specified checks and compares their reports 
- with previous stored reports (under @tigerlogdir@). It will then
--mail the user defined in the '@tigerconfigdir@/cronrc' 
-+mail the user defined in '@tigerconfigdir@/tigerrc' 
- (\fITiger_Mail_RCPT\fR) the results.
- 
- When a module is run, \fBtigercron\fR checks:
--
--.PP
--* If \fITiger_Cron_Template\fR is set to Y in tigerrc. If it is, it checks
-+.IP \(bu 4
-+If \fITiger_Cron_Template\fR is set to Y in tigerrc. If it is, it checks
- if there is a template stating which are the expected results.
--.PP
--* If \fITiger_Cron_CheckPrev\fR is set to Y in tigerrc. If it is, it checks
-+.IP \(bu 4
-+If \fITiger_Cron_CheckPrev\fR is set to Y in tigerrc. If it is, it checks
- if there is a previous run of the module it can check against.
--
-+.PP
- A differential report is generated depending on the module reports
- and previous run and is sent through e-mail. These reports
--provides an easy way to detect intrusions even if no configuration
-+provide an easy way to detect intrusions even if no configuration
- of templates has been done. In the event of an intrusion a \fBTiger\fR
- check might detect something specific (file changes, new processes,
- new users, etc.) and this alert mechanism provides a way to turn
- \fBTiger\fR into a Host Intrusion Detection System (HIDS).
- 
--The hability of it to work as a proper HIDS is based on a good customization
-+The ability of it to work as a proper HIDS is based on a good customization
- of the cronrc file. Modules that check events to which the host is
- most exposed to should be run often in order to detect deviations
- from normal behaviour.
-@@ -64,15 +72,15 @@
- .B Tiger
- scripts to create temporary files.
- .SH SEE ALSO
--tigexp(8), tiger(8), cron(8), crontab(5)
-+.BR tigexp (8), tiger (8), cron (8), crontab (5)
- 
--The deficiencies of using \fBtigercron\fR as a HID are described in the
-+The deficiencies of using \fBtigercron\fR as a HIDS are described in the
- file README.hostids which is provided with the package. In Debian
- GNU/Linux you will find this (and other related) documentation at
- /usr/share/doc/tiger/
- .SH BUGS
- Currently \fBTigercron\fR has only one alert mechanism (mail) and signatures
- are not supported. Thus, alerts could be faked. Also, it is dependant
--on \fBcron\fR and will not work if its not working.
-+on \fBcron\fR and will not work if \fBcron\fR is not working.
- .SH AUTHOR
- This manpage was written by Javier Fernandez-Sanguino.
---- tiger-3.2.1.orig/README
-+++ tiger-3.2.1/README
+diff -ru tiger.orig/README tiger/README
+--- tiger.orig/README	2009-03-08 14:41:40.000000000 +0000
++++ tiger/README	2009-03-08 14:48:36.000000000 +0000
 @@ -37,7 +37,7 @@
  Mailing lists
  -------------
@@ -4490,8 +3712,45 @@
  an unstable release and included some new checks, a new autoconf script
  for automatic configuration, but mostly included  fixes from
  bugs found after testing Tiger in Debian GNU/Linux and in other 
---- tiger-3.2.1.orig/README.logo
-+++ tiger-3.2.1/README.logo
+diff -ru tiger.orig/README.hostids tiger/README.hostids
+--- tiger.orig/README.hostids	2009-03-08 14:41:39.000000000 +0000
++++ tiger/README.hostids	2009-03-08 14:48:36.000000000 +0000
+@@ -14,7 +14,7 @@
+ policy template for the module or a previous run to check against,
+ if available. Only messages not reported before (or not in the policy
+ will be checked against)
+-3.- The report (wether full or differential) is sent through e-mail
++3.- The report (whether full or differential) is sent through e-mail
+ to the address configured at 'Tiger_Mail_RCPT'
+ 
+ Tiger can be configured so that it is run as a cron job hourly. 
+@@ -42,6 +42,7 @@
+ - an integrity checker such as Tripwire (or a replacement like Aide). 
+ - a logchecker (like logcheck) to look for security information in the
+   log files.
++- an specific tool to detect rootkits: chkrootkit
+ - (maybe) a Network IDS such as Snort.
+ - (maybe) a portscanner detection such as portsentry, scanlogd, 
+   scandetd or psad (provided by Bastille)
+@@ -64,10 +65,13 @@
+ 	a) just use GPG/PGP to sign or encrypt the e-mails. You need however
+ 	to place a private key in the agent (and it could be compromised)
+ 	b) use a VPN tunnel between agents and the mailserver. This could
+-	be done either using a permament SSH tunnel, an Ipsec VPN...
++	be done either using a permanent SSH tunnel, an Ipsec VPN...
+ 
+ 2.- there is no such thing (currently) as a Tiger Server, unlike other 
+-HIDS (If anyone wants to write one please say so :) so there's no way to:
++HIDS (If anyone wants to write one please say so :) so there's no way to
++receive all the alerts in a single place and correlate them.
++Note: in the contrib directory you will find the 'secauditdb' program
++(not yet integrated into Tiger) which does just this.
+ 
+ 3.- Tiger reports are not protected in anyway save for standard UNIX 
+ permissions. This means that if the server Tiger is running in is 
+diff -ru tiger.orig/README.logo tiger/README.logo
+--- tiger.orig/README.logo	2009-03-08 14:41:40.000000000 +0000
++++ tiger/README.logo	2009-03-08 14:48:36.000000000 +0000
 @@ -3,9 +3,9 @@
  ------------
  
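Review bot: The added README.hostids line "- an specific tool to detect rootkits: chkrootkit" introduces a grammar error in a file where the other changes fix spelling ("wether", "permament"); it should read "- a specific tool to detect rootkits: chkrootkit". The context line "(or not in the policy will be checked against)" in the first README.hostids hunk also has a misplaced closing parenthesis and could be corrected while the file is being touched.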
@@ -4504,8 +3763,9 @@
  ( http://savannah.nongnu.org/forum/forum.php?forum_id=1270), 
  and the winner was a logo provided by OpenGraphics 
  (http://www.coresis.com/opengraphics). The logo is available in the
---- tiger-3.2.1.orig/README.signatures
-+++ tiger-3.2.1/README.signatures
+diff -ru tiger.orig/README.signatures tiger/README.signatures
+--- tiger.orig/README.signatures	2009-03-08 14:41:39.000000000 +0000
++++ tiger/README.signatures	2009-03-08 14:48:36.000000000 +0000
 @@ -20,7 +20,7 @@
  system you can use the scripts 'util/mksig' and 'util/mkfilelst' which
  will, respectively, create a signatures.$OS-$REV-$ARCH and
@@ -4515,8 +3775,9 @@
  rename them to 'signatures' and 'file_access_list')
  
  You can retrieve updated signatures (MD5 and SHA-1 signatures) from
---- tiger-3.2.1.orig/README.sources
-+++ tiger-3.2.1/README.sources
+diff -ru tiger.orig/README.sources tiger/README.sources
+--- tiger.orig/README.sources	2009-03-08 14:41:40.000000000 +0000
++++ tiger/README.sources	2009-03-08 14:48:36.000000000 +0000
 @@ -14,6 +14,14 @@
    are dated) I still need to read the third edition though 
    (http://www.oreilly.com/catalog/puis3/)
@@ -5086,8 +4347,9 @@
 -vold.sh
 -x-nolisten.sh
 -ziplock.sh
---- tiger-3.2.1.orig/README.writemodules
-+++ tiger-3.2.1/README.writemodules
+diff -ru tiger.orig/README.writemodules tiger/README.writemodules
+--- tiger.orig/README.writemodules	2009-03-08 14:41:40.000000000 +0000
++++ tiger/README.writemodules	2009-03-08 14:48:36.000000000 +0000
 @@ -27,7 +27,7 @@
  
  After this check the core of the script is written. The core includes
@@ -5108,33 +4370,9 @@
  must include the message verbose description of the issue into the files
  (shown below). User's will be able to retrieve this information if
  they execute 'tigexp codeword'. Codewords are usually three letters followed
---- tiger-3.2.1.orig/check.d/README
-+++ tiger-3.2.1/check.d/README
-@@ -0,0 +1,22 @@
-+#
-+#     tiger - A UN*X security checking system
-+#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
-+#
-+#    This program is free software; you can redistribute it and/or modify
-+#    it under the terms of the GNU General Public License as published by
-+#    the Free Software Foundation; either version 1, or (at your option)
-+#    any later version.
-+#
-+#    This program is distributed in the hope that it will be useful,
-+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+#    GNU General Public License for more details.
-+#
-+#     Please see the file `COPYING' for the complete copyright notice.
-+#
-+#-----------------------------------------------------------------------------
-+#
-+# This directory is available for other packages to drop in additional check
-+# scripts that will be run during the check_system security check.
-+#
-+# Files in this directory should contain one script name per line.
---- tiger-3.2.1.orig/tiger.in
-+++ tiger-3.2.1/tiger.in
+diff -ru tiger.orig/tiger.in tiger/tiger.in
+--- tiger.orig/tiger.in	2009-03-08 14:41:40.000000000 +0000
++++ tiger/tiger.in	2009-03-08 14:48:36.000000000 +0000
 @@ -38,7 +38,7 @@
  echo "Tiger UN*X security checking system"
  echo "   Developed by Texas A&M University, 1994"
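Review bot: The check.d/README entry removed here was a new-file hunk ("@@ -0,0 +1,22 @@"), and the regenerated headers use "diff -ru" without -N, which leaves out files that exist on only one side of the comparison. Unless the file is re-added elsewhere in revision 1.2, the patch no longer creates the README that tells other packages how to drop check scripts into check.d; regenerate with "diff -ruN", or say in the log that the file is dropped on purpose.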
@@ -5144,8 +4382,9 @@
  echo "   Covered by the GNU General Public License (GPL)"
  echo
  TigerInstallDir="@tigerhome@"
---- tiger-3.2.1.orig/tigexp
-+++ tiger-3.2.1/tigexp
+diff -ru tiger.orig/tigexp tiger/tigexp
+--- tiger.orig/tigexp	2009-03-08 14:41:39.000000000 +0000
++++ tiger/tigexp	2009-03-08 14:48:36.000000000 +0000
 @@ -19,7 +19,7 @@
  # tigexp  - 05/23/2003 - changed so that it is managed by autoconf
  #
@@ -5155,8 +4394,9 @@
  #
  #-----------------------------------------------------------------------------
  TigerInstallDir="."
---- tiger-3.2.1.orig/TODO
-+++ tiger-3.2.1/TODO
+diff -ru tiger.orig/TODO tiger/TODO
+--- tiger.orig/TODO	2009-03-08 14:41:40.000000000 +0000
++++ tiger/TODO	2009-03-08 14:48:36.000000000 +0000
 @@ -1,4 +1,3 @@
 -
  Note: the up-to-date TODO list is maintained through Savannah's Task Manager
@@ -5347,8 +4587,9 @@
  
  
  --- Javier Fernandez-Sanguino Pen~a  <jfs at computer.org>
---- tiger-3.2.1.orig/USING
-+++ tiger-3.2.1/USING
+diff -ru tiger.orig/USING tiger/USING
+--- tiger.orig/USING	2009-03-08 14:41:40.000000000 +0000
++++ tiger/USING	2009-03-08 14:48:36.000000000 +0000
 @@ -72,7 +72,7 @@
  there *is* new information.
  
@@ -5358,4 +4599,3 @@
  if your intention is to use Tiger in this way.
  
  ------------------------------------------------------------------------
-


Index: tiger.spec
===================================================================
RCS file: /cvs/pkgs/rpms/tiger/devel/tiger.spec,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- tiger.spec	25 Feb 2009 20:42:05 -0000	1.6
+++ tiger.spec	8 Mar 2009 15:23:30 -0000	1.7
@@ -1,6 +1,6 @@
 Name:           tiger
 Version:        3.2.1
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        Security auditing on UNIX systems
 
 Group:          Applications/System
@@ -115,6 +115,9 @@
 
 
 %changelog
+* Sun Mar 08 2009 Caolán McNamara <caolanm at redhat.com> 3.2.1-10
+- defuzz patches to rebuild
+
 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.2.1-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
 
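Review bot: The new %changelog entry writes the version as "3.2.1-10" with no "- " separator before it, while the entry directly below uses "- 3.2.1-9"; use one form for both. The entry text "defuzz patches to rebuild" should also name tiger-3.2.1-doc.patch, since that is the only patch changed in this commit.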



