The Sun Observer, Volume 10 No.8
Peter V. Radatti
radatti@cyber.com
CyberSoft
July 01 1996
Notice: Copyright May 20, 1996 by Peter V. Radatti, All rights reserved.
Welcome back! Lets roll up the security section of this column for the remainder of the year with another free tool. The tool that I want to recommend to you is the AT&T Tiger Script. You may remember a few articles ago I wrote about Dan Farmer's COPS program. Lots of you took me up on the offer to email you copies of COPS so this time I am making Tiger Script available from my web page. If you do not have Web access then send me an email requesting Tiger Script and I will return it to you by email. Tiger Script is very much like COPS except that it is written as a collection of UNIX scripts and does not need to be compiled.
Tiger Script is a tool that looks for known system security problems. In effect, it provides a very useful system security audit. I often combine both Tiger Script and COPS when I am testing a system. Both packages locate a lot of the same problems but there are some differences and since it is really very easy to run both of them and you can never tell what someone attacking your system may use, its worth the extra effort.
One of the features of Tiger Script that I especially like is that it checks embedded pathnames. For example, on my system it warned me that "/etc/uucp/remote.unknown" contains a reference to "/etc/uucp" which is not owned by root. This could be a serious problem if a program executing as root was controlled by or executed the referenced file where the referenced file could be modified by an untrusted user. In this case, there is no problem but as you can see, this type of tool could easily help you locate back doors and Trojans.
A couple of the other features of Tiger Script is that it looks for "unusual file names" and "unusual device files". An "unusual" device or file name is a sure sign that your system may have been hacked and the intruder left some back doors for their later use.
Installation of Tiger Script is easy. Do the installation and run the package as the "root" user. If you don't have "root" you can still run it but it won't work as well. I packaged it as a tar file so the first step is to unpack it using the "tar xvf tiger-2.2.3.tar" command. This will create the subdirectory "tiger-2.2.3". Enter the subdirectory, "cd tiger-2.2.3". At this point I like to start the "script" command in order to record everything that occurs. Next, start the program by executing the command, "./tiger". It will configure itself and execute. The last line of output tells you the filename in which the report is located. On my system the report was placed in "./security.report.www.960604-21:10". I did a more of that file and the completed report was ready for my use. That is all there is too it. Access a copy soon and have fun.
Pete Radatti is the founder and CEO of CyberSoft, Inc. CyberSoft manufactures VFind the antivirus software product that executes under UNIX and simultaneously scans for UNIX, MS-DOS, Macintosh, Amiga, NT and Macro destructive software while providing cryptographic integrity to your file system. You can reach Pete at radatti@cyber.com, URL http:\\www.cyber.com or call 610/825-4748 (9:00 AM to 5:00 PM Eastern Time). These articles are dedicated to Chrissy.
