rpms/tiger/devel tiger-3.2.1-autotools.patch, NONE, 1.1 tiger-3.2.1-config.patch, NONE, 1.1 tiger-3.2.1-doc.patch, NONE, 1.1 tiger-3.2.1-fixes.patch, NONE, 1.1 tiger-3.2.1-gcc4.patch, NONE, 1.1 tiger-3.2.1-scripts.patch, NONE, 1.1 tiger-3.2.1.tar.gz.sig, NONE, 1.1 tiger.README, NONE, 1.1 tiger.cron, NONE, 1.1 tiger.ignore, NONE, 1.1 tiger.ignore.server, NONE, 1.1 tiger.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
Aurelien Bompard (abompard)
fedora-extras-commits at redhat.com
Sat May 13 21:38:59 UTC 2006
Author: abompard
Update of /cvs/extras/rpms/tiger/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15359/devel
Modified Files:
.cvsignore sources
Added Files:
tiger-3.2.1-autotools.patch tiger-3.2.1-config.patch
tiger-3.2.1-doc.patch tiger-3.2.1-fixes.patch
tiger-3.2.1-gcc4.patch tiger-3.2.1-scripts.patch
tiger-3.2.1.tar.gz.sig tiger.README tiger.cron tiger.ignore
tiger.ignore.server tiger.spec
Log Message:
auto-import tiger-3.2.1-4 on branch devel from tiger-3.2.1-4.src.rpm
tiger-3.2.1-autotools.patch:
--- NEW FILE tiger-3.2.1-autotools.patch ---
--- tiger-3.2.1.orig/c/Makefile
+++ tiger-3.2.1/c/Makefile
@@ -1,3 +1,4 @@
+# Generated automatically from Makefile.in by configure.
# Makefile for tiger binaries
#
#
@@ -22,15 +23,17 @@
# been added later)
BINLIST=getpermit snefru md5 testsuid realpath
COPTS= -DNEEDGETWD
+INSTALL=/usr/bin/install -c
+CC=gcc
all: ${BINLIST}
install: all
- cp ${BINLIST} ../bin/
+ $(INSTALL) -m0755 ${BINLIST} ../bin/
% : %.c
- gcc ${COPTS} -o $@ $<
+ $(CC) $(CFLAGS) ${COPTS} -o $@ $<
clean:
-rm -f ${BINLIST}
--- tiger-3.2.1.orig/c/Makefile.in
+++ tiger-3.2.1/c/Makefile.in
@@ -0,0 +1,40 @@
+# Makefile for tiger binaries
+#
+#
+# Makefile for tiger binaries - A UN*X security checking system
+# Copyright (C) 2002 Javier Fernandez-Sanguino Pen~a <jfs at computer.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 1, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# Please see the file `COPYING' for the complete copyright notice.
+#
+
+# For some reason snefru and md5 were received wrongly
+# and they could not be compiled at first (they have
+# been added later)
+BINLIST=getpermit snefru md5 testsuid realpath
+COPTS= -DNEEDGETWD
+INSTALL=@INSTALL@
+CC=@CC@
+
+all: ${BINLIST}
+
+install: all
+ $(INSTALL) -m0755 ${BINLIST} ../bin/
+
+
+% : %.c
+ $(CC) $(CFLAGS) ${COPTS} -o $@ $<
+
+clean:
+ -rm -f ${BINLIST}
+
+distclean: clean
--- tiger-3.2.1.orig/configure
+++ tiger-3.2.1/configure
@@ -532,6 +532,312 @@
+# Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:539: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
+ ac_dummy="$PATH"
+ for ac_dir in $ac_dummy; do
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/$ac_word; then
+ ac_cv_prog_CC="gcc"
+ break
+ fi
+ done
+ IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+ echo "$ac_t""$CC" 1>&6
+else
+ echo "$ac_t""no" 1>&6
+fi
+
+if test -z "$CC"; then
+ # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:569: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
+ ac_prog_rejected=no
+ ac_dummy="$PATH"
+ for ac_dir in $ac_dummy; do
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/$ac_word; then
+ if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+ fi
+ ac_cv_prog_CC="cc"
+ break
+ fi
+ done
+ IFS="$ac_save_ifs"
+if test $ac_prog_rejected = yes; then
+ # We found a bogon in the path, so make sure we never use it.
+ set dummy $ac_cv_prog_CC
+ shift
+ if test $# -gt 0; then
+ # We chose a different compiler from the bogus one.
+ # However, it has the same basename, so the bogon will be chosen
+ # first if we set CC to just the basename; use the full file name.
+ shift
+ set dummy "$ac_dir/$ac_word" "$@"
+ shift
+ ac_cv_prog_CC="$@"
+ fi
+fi
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+ echo "$ac_t""$CC" 1>&6
+else
+ echo "$ac_t""no" 1>&6
+fi
+
+ if test -z "$CC"; then
+ case "`uname -s`" in
+ *win32* | *WIN32*)
+ # Extract the first word of "cl", so it can be a program name with args.
+set dummy cl; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:620: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
+ ac_dummy="$PATH"
+ for ac_dir in $ac_dummy; do
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/$ac_word; then
+ ac_cv_prog_CC="cl"
+ break
+ fi
+ done
+ IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+ echo "$ac_t""$CC" 1>&6
+else
+ echo "$ac_t""no" 1>&6
+fi
+ ;;
+ esac
+ fi
+ test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
+fi
+
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
+echo "configure:652: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+cat > conftest.$ac_ext << EOF
+
+#line 663 "configure"
+#include "confdefs.h"
+
+main(){return(0);}
+EOF
+if { (eval echo configure:668: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+ ac_cv_prog_cc_works=yes
+ # If we can't run a trivial program, we are probably using a cross compiler.
+ if (./conftest; exit) 2>/dev/null; then
+ ac_cv_prog_cc_cross=no
+ else
+ ac_cv_prog_cc_cross=yes
+ fi
+else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ ac_cv_prog_cc_works=no
+fi
+rm -fr conftest*
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
+if test $ac_cv_prog_cc_works = no; then
+ { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
+fi
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
+echo "configure:694: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
+echo "configure:699: checking whether we are using GNU C" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ cat > conftest.c <<EOF
+#ifdef __GNUC__
+ yes;
+#endif
+EOF
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:708: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+ ac_cv_prog_gcc=yes
+else
+ ac_cv_prog_gcc=no
+fi
+fi
+
+echo "$ac_t""$ac_cv_prog_gcc" 1>&6
+
+if test $ac_cv_prog_gcc = yes; then
+ GCC=yes
+else
+ GCC=
+fi
+
+ac_test_CFLAGS="${CFLAGS+set}"
+ac_save_CFLAGS="$CFLAGS"
+CFLAGS=
+echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
+echo "configure:727: checking whether ${CC-cc} accepts -g" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ echo 'void f(){}' > conftest.c
+if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
+ ac_cv_prog_cc_g=yes
+else
+ ac_cv_prog_cc_g=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_prog_cc_g" 1>&6
+if test "$ac_test_CFLAGS" = set; then
+ CFLAGS="$ac_save_CFLAGS"
+elif test $ac_cv_prog_cc_g = yes; then
+ if test "$GCC" = yes; then
+ CFLAGS="-g -O2"
+ else
+ CFLAGS="-g"
+ fi
+else
+ if test "$GCC" = yes; then
+ CFLAGS="-O2"
+ else
+ CFLAGS=
+ fi
+fi
+
+ac_aux_dir=
+for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+ if test -f $ac_dir/install-sh; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/install-sh -c"
+ break
+ elif test -f $ac_dir/install.sh; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/install.sh -c"
+ break
+ fi
+done
+if test -z "$ac_aux_dir"; then
+ { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; }
+fi
+ac_config_guess=$ac_aux_dir/config.guess
+ac_config_sub=$ac_aux_dir/config.sub
+ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
+
+# Find a good install program. We prefer a C program (faster),
+# so one script is as good as another. But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# ./install, which can be erroneously created by make from ./install.sh.
+echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
+echo "configure:789: checking for a BSD compatible install" >&5
+if test -z "$INSTALL"; then
+if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ IFS="${IFS= }"; ac_save_IFS="$IFS"; IFS=":"
+ for ac_dir in $PATH; do
+ # Account for people who put trailing slashes in PATH elements.
+ case "$ac_dir/" in
+ /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;;
+ *)
+ # OSF1 and SCO ODT 3.0 have their own names for install.
+ # Don't use installbsd from OSF since it installs stuff as root
+ # by default.
+ for ac_prog in ginstall scoinst install; do
+ if test -f $ac_dir/$ac_prog; then
+ if test $ac_prog = install &&
+ grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then
+ # AIX install. It has an incompatible calling convention.
+ :
+ else
+ ac_cv_path_install="$ac_dir/$ac_prog -c"
+ break 2
+ fi
+ fi
+ done
+ ;;
+ esac
+ done
+ IFS="$ac_save_IFS"
+
+fi
+ if test "${ac_cv_path_install+set}" = set; then
+ INSTALL="$ac_cv_path_install"
+ else
+ # As a last resort, use the slow shell script. We don't cache a
+ # path for INSTALL within a source directory, because that will
+ # break other packages using the cache if that directory is
+ # removed, or if the path is relative.
+ INSTALL="$ac_install_sh"
+ fi
+fi
+echo "$ac_t""$INSTALL" 1>&6
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+
test "x$prefix" != "xNONE" || prefix=/usr/local
# Check whether --with-tigerhome or --without-tigerhome was given.
@@ -608,6 +914,7 @@
+
trap '' 1 2 15
cat > confcache <<\EOF
# This file is a shell script that caches the results of configure
@@ -719,8 +1026,10 @@
done
ac_given_srcdir=$srcdir
+ac_given_INSTALL="$INSTALL"
trap 'rm -fr `echo "Makefile
+ c/Makefile
man/tiger.8
man/tigercron.8" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
EOF
@@ -754,6 +1063,11 @@
s%@oldincludedir@%$oldincludedir%g
s%@infodir@%$infodir%g
s%@mandir@%$mandir%g
+s%@CC@%$CC%g
+s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g
+s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g
+s%@INSTALL_DATA@%$INSTALL_DATA%g
+s%@install@%$install%g
s%@tigerhome@%$tigerhome%g
s%@tigerwork@%$tigerwork%g
s%@tigerlog@%$tigerlog%g
@@ -805,6 +1119,7 @@
cat >> $CONFIG_STATUS <<EOF
CONFIG_FILES=\${CONFIG_FILES-"Makefile
+ c/Makefile
man/tiger.8
man/tigercron.8"}
EOF
@@ -841,6 +1156,10 @@
top_srcdir="$ac_dots$ac_given_srcdir" ;;
esac
+ case "$ac_given_INSTALL" in
+ [/$]*) INSTALL="$ac_given_INSTALL" ;;
+ *) INSTALL="$ac_dots$ac_given_INSTALL" ;;
+ esac
echo creating "$ac_file"
rm -f "$ac_file"
@@ -856,6 +1175,7 @@
s%@configure_input@%$configure_input%g
s%@srcdir@%$srcdir%g
s%@top_srcdir@%$top_srcdir%g
+s%@INSTALL@%$INSTALL%g
" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file
fi; done
rm -f conftest.s*
--- tiger-3.2.1.orig/configure.in
+++ tiger-3.2.1/configure.in
@@ -4,6 +4,9 @@
dnl for to make sure it's in the right directory.
AC_INIT(tiger)
+AC_PROG_CC
+AC_PROG_INSTALL
+
test "x$prefix" != "xNONE" || prefix=/usr/local
AC_ARG_WITH(tigerhome, [ --with-tigerhome=LOCATION Location of all Tiger files],
@@ -42,6 +45,7 @@
tigerlogdir=`eval echo $tigerlog`
tigerconfigdir=`eval echo $tigerconfig`
tigerhomedir=`eval echo $tigerhome`
+AC_SUBST(install)
AC_SUBST(tigerhome)
AC_SUBST(tigerwork)
AC_SUBST(tigerlog)
@@ -52,5 +56,6 @@
AC_SUBST(tigerconfigdir)
AC_SUBST(tigerhomedir)
AC_OUTPUT(Makefile
+ c/Makefile
man/tiger.8
man/tigercron.8)
--- tiger-3.2.1.orig/Makefile.in
+++ tiger-3.2.1/Makefile.in
@@ -21,6 +21,9 @@
mandir=@mandir@
# To avoid troubles with some systems..
SHELL = /bin/sh
+# Installation program
+INSTALL=@INSTALL@
+CC=@CC@
# This directory will contain the 'tiger', 'tigercron', 'tigexp'
# scripts, config files, the 'scripts' subdirectory which will
@@ -54,6 +57,10 @@
#
TIGERCONFIG=@tigerconfig@
#
+# Where do manpages go to
+#
+TIGERMANDIR=@mandir@
+#
#------------------------------------------------------------------------
#
# End of user customization...
@@ -61,7 +68,7 @@
#------------------------------------------------------------------------
#
-PLATFORM_SCRIPTS=$(shell find ./systems/ -type f)
+PLATFORM_SCRIPTS=$$(find ./systems/ -type f)
BINARIES=./tiger \
./tigexp \
@@ -89,6 +96,8 @@
./scripts/check_netrc \
./scripts/check_network \
./scripts/check_nisplus \
+ ./scripts/check_ntp \
+ ./scripts/check_omniback \
./scripts/check_passwd \
./scripts/check_passwdformat \
./scripts/check_path \
@@ -116,11 +125,13 @@
$(PLATFORM_SCRIPTS)
CONFIGFILES=./tigerrc \
- ./cronrc \
+ ./cronrc
MISCFILES=./initdefs \
- ./check.tbl \
./syslist \
+ ./check.d/README \
+ ./util/buildbins \
+ ./util/buildconf \
./util/difflogs \
./util/flogit \
./util/genmsgidx \
@@ -130,19 +141,29 @@
./util/getfs-std \
./util/gethostinfo \
./util/getnetgroup \
+ ./util/getpermit \
+ ./util/installsig \
./util/logit \
+ ./util/mkfilelst \
+ ./util/mksig \
./util/setsh \
./util/sgrep
MISCDIRS=./bin \
+ ./check.d \
./doc \
./html \
- ./man \
./scripts/sub \
./systems
all:
+ @if [ ! -d bin ]; then \
+ mkdir bin; \
+ fi
cd c && $(MAKE) install
+ @if [ ! -d html ]; then \
+ mkdir html; \
+ fi
cd util && sh doc2html
./util/genmsgidx
@@ -182,6 +203,19 @@
mkdir -p $(DESTDIR)$(TIGERCONFIG); \
chmod 700 $(DESTDIR)$(TIGERCONFIG); \
fi
+ @echo "Creating $(TIGERMANDIR)..."
+ @if [ ! -d $(DESTDIR)$(TIGERMANDIR) ]; then \
+ mkdir -p $(DESTDIR)$(TIGERMANDIR); \
+ mkdir -p $(DESTDIR)$(TIGERMANDIR)/man8; \
+ chmod 755 $(DESTDIR)$(TIGERMANDIR); \
+ chmod 755 $(DESTDIR)$(TIGERMANDIR)/man8; \
+ fi
+
+installmanpages:
+ @echo "Copying manpages..."
+ $(INSTALL) -m 0444 man/tiger.8 $(DESTDIR)$(TIGERMANDIR)/man8
+ $(INSTALL) -m 0444 man/tigexp.8 $(DESTDIR)$(TIGERMANDIR)/man8
+ $(INSTALL) -m 0444 man/tigercron.8 $(DESTDIR)$(TIGERMANDIR)/man8
installbinaries:
@echo "Copying binaries..."
@@ -198,8 +232,7 @@
installconfig:
@echo "Copying configuration files..."
@for file in $(CONFIGFILES); do \
- cp $$file $(DESTDIR)$(TIGERCONFIG)/$$file; \
- chmod 640 $(DESTDIR)$(TIGERCONFIG)/$$file; \
+ $(INSTALL) -m 0640 $$file $(DESTDIR)$(TIGERCONFIG)/$$file; \
done
@echo "Copying general configuration..."
@sed -e 's%^TigerLogDir=.*$$%TigerLogDir="'$(TIGERLOGS)'"%' \
@@ -210,13 +243,13 @@
./config >$(DESTDIR)$(TIGERHOME)/config
@chmod 644 $(DESTDIR)$(TIGERHOME)/config
-install: installdirs installbinaries installconfig
+install: installdirs installbinaries installconfig installmanpages
cd c && $(MAKE) install
- @echo "Copying miscellaneus dirs..."
+ @echo "Copying miscellaneous dirs..."
@for dir in $(MISCDIRS); do \
tar cf - $$dir | (cd $(DESTDIR)$(TIGERHOME); tar xpf -); \
done
- @echo "Copying miscellaneus files..."
+ @echo "Copying miscellaneous files..."
@for file in $(MISCFILES); do \
cp -p $$file $(DESTDIR)$(TIGERHOME)/$$file; \
done
--- tiger-3.2.1.orig/install.sh
+++ tiger-3.2.1/install.sh
@@ -0,0 +1,312 @@
+##
+## install -- Install a program, script or datafile
+## Copyright (c) 1997-2004 Ralf S. Engelschall <rse at engelschall.com>
+##
+## This file is part of shtool and free software; you can redistribute
+## it and/or modify it under the terms of the GNU General Public
+## License as published by the Free Software Foundation; either version
+## 2 of the License, or (at your option) any later version.
+##
+## This file is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+## General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+## USA, or contact Ralf S. Engelschall <rse at engelschall.com>.
+##
+
+str_tool="install"
+str_usage="[-v|--verbose] [-t|--trace] [-d|--mkdir] [-c|--copy] [-C|--compare-copy] [-s|--strip] [-m|--mode <mode>] [-o|--owner <owner>] [-g|--group <group>] [-e|--exec <sed-cmd>] <file> [<file> ...] <path>"
+arg_spec="1+"
+opt_spec="v.t.d.c.C.s.m:o:g:e+"
+opt_alias="v:verbose,t:trace,d:mkdir,c:copy,C:compare-copy,s:strip,m:mode,o:owner,g:group,e:exec"
+opt_v=no
+opt_t=no
+opt_d=no
+opt_c=no
+opt_C=no
+opt_s=no
+opt_m="0755"
+opt_o=""
+opt_g=""
+opt_e=""
+
+. ./sh.common
+
+# special case: "shtool install -d <dir> [...]" internally
+# maps to "shtool mkdir -f -p -m 755 <dir> [...]"
+if [ "$opt_d" = yes ]; then
+ cmd="$0 mkdir -f -p -m 755"
+ if [ ".$opt_o" != . ]; then
+ cmd="$cmd -o '$opt_o'"
+ fi
+ if [ ".$opt_g" != . ]; then
+ cmd="$cmd -g '$opt_g'"
+ fi
+ if [ ".$opt_v" = .yes ]; then
+ cmd="$cmd -v"
+ fi
+ if [ ".$opt_t" = .yes ]; then
+ cmd="$cmd -t"
+ fi
+ for dir in "$@"; do
+ eval "$cmd $dir" || shtool_exit $?
+ done
+ shtool_exit 0
+fi
+
+# determine source(s) and destination
+argc=$#
+srcs=""
+while [ $# -gt 1 ]; do
+ srcs="$srcs $1"
+ shift
+done
+dstpath="$1"
+
+# type check for destination
+dstisdir=0
+if [ -d $dstpath ]; then
+ dstpath=`echo "$dstpath" | sed -e 's:/$::'`
+ dstisdir=1
+fi
+
+# consistency check for destination
+if [ $argc -gt 2 ] && [ $dstisdir = 0 ]; then
+ echo "$msgprefix:Error: multiple sources require destination to be directory" 1>&2
+ shtool_exit 1
+fi
+
+# iterate over all source(s)
+for src in $srcs; do
+ dst=$dstpath
+
+ # if destination is a directory, append the input filename
+ if [ $dstisdir = 1 ]; then
+ dstfile=`echo "$src" | sed -e 's;.*/\([^/]*\)$;\1;'`
+ dst="$dst/$dstfile"
+ fi
+
+ # check for correct arguments
+ if [ ".$src" = ".$dst" ]; then
+ echo "$msgprefix:Warning: source and destination are the same - skipped" 1>&2
+ continue
+ fi
+ if [ -d "$src" ]; then
+ echo "$msgprefix:Warning: source \`$src' is a directory - skipped" 1>&2
+ continue
+ fi
+
+ # make a temp file name in the destination directory
+ dsttmp=`echo $dst |\
+ sed -e 's;[^/]*$;;' -e 's;\(.\)/$;\1;' -e 's;^$;.;' \
+ -e "s;\$;/#INST@$$#;"`
+
+ # verbosity
+ if [ ".$opt_v" = .yes ]; then
+ echo "$src -> $dst" 1>&2
+ fi
+
+ # copy or move the file name to the temp name
+ # (because we might be not allowed to change the source)
+ if [ ".$opt_C" = .yes ]; then
+ opt_c=yes
+ fi
+ if [ ".$opt_c" = .yes ]; then
+ if [ ".$opt_t" = .yes ]; then
+ echo "cp $src $dsttmp" 1>&2
+ fi
+ cp $src $dsttmp || shtool_exit $?
+ else
+ if [ ".$opt_t" = .yes ]; then
+ echo "mv $src $dsttmp" 1>&2
+ fi
+ mv $src $dsttmp || shtool_exit $?
+ fi
+
+ # adjust the target file
+ if [ ".$opt_e" != . ]; then
+ sed='sed'
+ OIFS="$IFS"; IFS="$ASC_NL"; set -- $opt_e; IFS="$OIFS"
+ for e
+ do
+ sed="$sed -e '$e'"
+ done
+ cp $dsttmp $dsttmp.old
+ chmod u+w $dsttmp
+ eval "$sed <$dsttmp.old >$dsttmp" || shtool_exit $?
+ rm -f $dsttmp.old
+ fi
+ if [ ".$opt_s" = .yes ]; then
+ if [ ".$opt_t" = .yes ]; then
+ echo "strip $dsttmp" 1>&2
+ fi
+ strip $dsttmp || shtool_exit $?
+ fi
+ if [ ".$opt_o" != . ]; then
+ if [ ".$opt_t" = .yes ]; then
+ echo "chown $opt_o $dsttmp" 1>&2
+ fi
+ chown $opt_o $dsttmp || shtool_exit $?
+ fi
+ if [ ".$opt_g" != . ]; then
+ if [ ".$opt_t" = .yes ]; then
+ echo "chgrp $opt_g $dsttmp" 1>&2
+ fi
+ chgrp $opt_g $dsttmp || shtool_exit $?
+ fi
+ if [ ".$opt_m" != ".-" ]; then
+ if [ ".$opt_t" = .yes ]; then
+ echo "chmod $opt_m $dsttmp" 1>&2
+ fi
+ chmod $opt_m $dsttmp || shtool_exit $?
+ fi
+
+ # determine whether to do a quick install
+ # (has to be done _after_ the strip was already done)
+ quick=no
+ if [ ".$opt_C" = .yes ]; then
+ if [ -r $dst ]; then
+ if cmp -s $src $dst; then
+ quick=yes
+ fi
+ fi
+ fi
+
+ # finally, install the file to the real destination
+ if [ $quick = yes ]; then
+ if [ ".$opt_t" = .yes ]; then
+ echo "rm -f $dsttmp" 1>&2
+ fi
+ rm -f $dsttmp
+ else
+ if [ ".$opt_t" = .yes ]; then
+ echo "rm -f $dst && mv $dsttmp $dst" 1>&2
+ fi
+ rm -f $dst && mv $dsttmp $dst
+ fi
+done
+
+shtool_exit 0
+
+##
+## manual page
+##
+
+=pod
+
+=head1 NAME
+
+B<shtool install> - B<GNU shtool> install(1) command
+
+=head1 SYNOPSIS
+
+B<shtool install>
+[B<-v>|B<--verbose>]
+[B<-t>|B<--trace>]
+[B<-d>|B<--mkdir>]
+[B<-c>|B<--copy>]
+[B<-C>|B<--compare-copy>]
+[B<-s>|B<--strip>]
+[B<-m>|B<--mode> I<mode>]
+[B<-o>|B<--owner> I<owner>]
+[B<-g>|B<--group> I<group>]
+[B<-e>|B<--exec> I<sed-cmd>]
+I<file> [I<file> ...]
+I<path>
+
+=head1 DESCRIPTION
+
+This command installs a one or more I<file>s to a given target I<path>
+providing all important options of the BSD install(1) command.
+The trick is that the functionality is provided in a portable way.
+
+=head1 OPTIONS
+
+The following command line options are available.
+
+=over 4
+
+=item B<-v>, B<--verbose>
+
+Display some processing information.
+
+=item B<-t>, B<--trace>
+
+Enable the output of the essential shell commands which are executed.
+
+=item B<-d>, B<--mkdir>
+
+To maximize BSD compatiblity, the BSD "B<shtool> C<install -d>" usage is
+internally mapped to the "B<shtool> C<mkdir -f -p -m 755>" command.
+
+=item B<-c>, B<--copy>
+
+Copy the I<file> to the target I<path>. Default is to move.
+
+=item B<-C>, B<--compare-copy>
+
+Same as B<-c> except if the destination file already exists and is
+identical to the source file, no installation is done and the target
+remains untouched.
+
+=item B<-s>, B<--strip>
+
+This option strips program executables during the installation, see
+strip(1). Default is to install verbatim.
+
+=item B<-m>, B<--mode> I<mode>
+
+The file mode applied to the target, see chmod(1). Setting mode to
+"C<->" skips this step and leaves the operating system default which is
+usually based on umask(1). Some file modes require superuser privileges
+to be set. Default is 0755.
+
+=item B<-o>, B<--owner> I<owner>
+
+The file owner name or id applied to the target, see chown(1). This
+option requires superuser privileges to execute. Default is to skip this
+step and leave the operating system default which is usually based on
+the executing uid or the parent setuid directory.
+
+=item B<-g>, B<--group> I<group>
+
+The file group name or id applied to the target, see chgrp(1). This
+option requires superuser privileges to execute to the fullest extend,
+otherwise the choice of I<group> is limited on most operating systems.
+Default is to skip this step and leave the operating system default
+which is usually based on the executing gid or the parent setgid
+directory.
+
+=item B<-e>, B<--exec> I<sed-cmd>
+
+This option can be used one or multiple times to apply one or more
+sed(1) commands to the file contents during installation.
+
+=back
+
+=head1 EXAMPLE
+
+ # Makefile
+ install:
+ :
+ shtool install -c -s -m 4755 foo $(bindir)/
+ shtool install -c -m 644 foo.man $(mandir)/man1/foo.1
+ shtool install -c -m 644 -e "s/@p@/$prefix/g" foo.conf $(etcdir)/
+
+=head1 HISTORY
+
+The B<GNU shtool> B<install> command was originally written by Ralf S.
+Engelschall E<lt>rse at engelschall.comE<gt> in 1997 for B<GNU shtool>. It
+was prompted by portability issues in the installation procedures of
+B<OSSP> libraries.
+
+=head1 SEE ALSO
+
+shtool(1), umask(1), chmod(1), chown(1), chgrp(1), strip(1), sed(1).
+
+=cut
+
tiger-3.2.1-config.patch:
--- NEW FILE tiger-3.2.1-config.patch ---
--- ./site-sample.config 2003-09-03 14:09:14.000000000 +0200
+++ ./site-sample 2005-08-07 17:12:40.000000000 +0200
@@ -86,4 +86,4 @@
#
# Define where Integrit is installed (if you use it)
#
-#INTEGRIT=/usr/local/bin/aide
+#INTEGRIT=/usr/local/bin/integrit
--- ./tigerrc-TAMU.config 2002-06-14 10:51:31.000000000 +0200
+++ ./tigerrc-TAMU 2005-08-07 17:12:40.000000000 +0200
@@ -15,6 +15,7 @@
# you don't want performed.
#
Tiger_Check_PASSWD=Y # Fast
+Tiger_Check_PASSWD_FORMAT=N # Fast - not needed if on systems with pwck
Tiger_Check_GROUP=Y # Fast
Tiger_Check_ACCOUNTS=Y # Time varies on # of users
Tiger_Check_RHOSTS=Y # Time varies on # of users
@@ -141,6 +142,11 @@
#
Tiger_Crack_Local=N
#
+# Who sends output from 'tigercron'?
+# Default is "root@$HOSTNAME" (gets expanded by tigercron)
+#
+# Tiger_Mail_FROM="root@`uname -n`"
+#
# Who gets output from 'tigercron'?
#
Tiger_Mail_RCPT=root
--- ./cronrc.config 2003-09-19 16:24:41.000000000 +0200
+++ ./cronrc 2005-08-07 17:12:40.000000000 +0200
@@ -28,7 +28,16 @@
# ----------------------------------------------------------------------
# Check for known intrusion signs every 8 hours
#
-0,8,16 * * check_known check_rootkit check_finddeleted check_logfiles check_runprocs check_rootdir check_root
+0,8,16 * * check_known check_rootkit check_logfiles check_runprocs check_rootdir check_root
+# [experimental]
+# Check_finddeleted is very verbose and needs to be adjusted so we run
+# it less often, admins that want to run it more often are suggested
+# to look up how does the ignore mechanism works. In busy servers many
+# false positives might appear because of normal user access.
+# Some applications might generate false positives too due to the
+# way they behave. Also, this script requires LSOF, so only enable
+# it if you have it installed.
+#1 * * check_finddeleted
# ----------------------------------------------------------------------
# Make system-specific checks every day at 1 am
# Notice: System specific checks can be enabled in the
@@ -68,7 +77,7 @@
# ----------------------------------------------------------------------
# Check for system configuration once a month
#
-1 2 * check_services check_signatures check_umask check_ftpusers check_embedded check_exrc
+1 2 * check_services check_umask check_ftpusers check_embedded check_exrc
#
# ----------------------------------------------------------------------
# Run a password cracker against the local passwords once a month
--- ./tigerrc-dist.config 2003-05-05 15:14:34.000000000 +0200
+++ ./tigerrc-dist 2005-08-07 17:12:40.000000000 +0200
@@ -9,6 +9,7 @@
#
TigerNoBuild=Y # C files are corrupted (ouch.)
Tiger_Check_PASSWD=Y # Fast
+Tiger_Check_PASSWD_FORMAT=N # Fast - not needed if on systems with pwck
Tiger_Check_PASSWD_SHADOW=Y # Time varies on # of users
Tiger_Check_PASSWD_NIS=N # Time varies on # of users
Tiger_Check_GROUP=Y # Fast
@@ -209,6 +210,11 @@
#
Tiger_Crack_Local=Y
#
+# Who sends output from 'tigercron'?
+# Default is "root@$HOSTNAME" (gets expanded by tigercron)
+#
+# Tiger_Mail_FROM="root@`uname -n`"
+#
# Who gets output from 'tigercron'?
#
Tiger_Mail_RCPT=root
--- ./check.tbl.config 2002-06-14 10:51:31.000000000 +0200
+++ ./check.tbl 2005-08-07 17:12:40.000000000 +0200
@@ -22,4 +22,4 @@
# Add other checks that should be attempted for all systems
# here. One script name per line.
#
-check_sendmail
+#check_sendmail
--- ./tigerrc.config 2003-10-07 00:18:12.000000000 +0200
+++ ./tigerrc 2005-08-07 17:13:26.000000000 +0200
@@ -7,8 +7,16 @@
# Select checks to perform. Specify 'N' (uppercase) for checks
# you don't want performed.
#
+# Notice this does not affect which checks will be performed through
+# the cron job (Tiger's cronrc file governs that, usually under
+# /usr/local/etc/tiger or /etc/tiger), it only affects which
+# checks will be performed when running the full security checks
+# (i.e. 'tiger')
+#
+#
TigerNoBuild=Y # C files are corrupted (ouch.)
Tiger_Check_PASSWD=Y # Fast
+Tiger_Check_PASSWD_FORMAT=N # Fast - not needed if on systems with pwck
Tiger_Check_PASSWD_SHADOW=Y # Time varies on # of users
Tiger_Check_PASSWD_NIS=N # Time varies on # of users
Tiger_Check_GROUP=Y # Fast
@@ -19,11 +27,11 @@
Tiger_Check_CRON=Y # Fast
Tiger_Check_ANONFTP=Y # Fast
Tiger_Check_EXPORTS=Y # Fast
-Tiger_Check_INETD=Y # Fast
+Tiger_Check_INETD=Y # Fast for inetd, Varies on xinetd
Tiger_Check_SERVICES=Y # Could be faster, not bad though
Tiger_Check_KNOWN=Y # Fast
Tiger_Check_PERMS=Y # Could be faster, not bad though
-Tiger_Check_SIGNATURES=Y # Several minutes
+Tiger_Check_SIGNATURES=N # Several minutes
Tiger_Check_FILESYSTEM=Y # Time varies on disk space... can be hours
Tiger_Check_ROOTDIR=Y # Fast, only 2 checks
Tiger_Check_ROOT_ACCESS=Y # Fast
@@ -37,7 +45,7 @@
Tiger_Check_LISTENING=Y # Fast
Tiger_Check_SYSTEM=Y # Depends on the specific system checks
Tiger_Check_RUNPROC=N # Fast, needs to be customized per system
-Tiger_Check_DELETED=Y # Depends on the number of processes on the
+Tiger_Check_DELETED=N # Depends on the number of processes on the
# system
Tiger_Check_APACHE=N # Fast
Tiger_Check_SSH=Y # Fast
@@ -46,6 +54,9 @@
Tiger_Check_EXRC=N # Depends on the size of the filesystem
Tiger_Check_ROOTKIT=Y # Slow if chkrootkit is available
Tiger_Check_FTPUSERS=Y # Fast
+Tiger_Check_OMNIBACK=N # Fast
+Tiger_Check_NTP=Y # Fast
+
# OS specific checks
# You can comment them if they are not appropiate to your system but
# they will not run if you are running a different OS
@@ -181,7 +192,7 @@
# What accounts are considered administrative (beyond root)
# (likely to not be used by humans, and therefore have impossible passwords)
# List of usernames separated by '|'... no whitespaces
-Tiger_Admin_Accounts='adm|bin|daemon|games|lp|mail|news|operator|sync|sys|uucp|man|proxy|majordom|postgres|www-data|operator|irc|gnats'
+Tiger_Admin_Accounts='bin|daemon|adm|lp|sync|shutdown|halt|mail|news|uucp|operator|games|gopher|ftp|nobody|dbus|vcsa|nscd|rpm|haldaemon|netdump|sshd|rpc|rpcuser|nfsnobody|mailnull|smmsp|pcap|apache|xfs|ntp|gdm|postfix|cacti|mach|mysql|named|clamav|zope|openvpn|dovecot'
#
# If an embedded pathname refers to an executable file, this executable
# will in turn be checked. This will continue "recursively" until
@@ -219,7 +230,7 @@
# Who do you allow to own system files.
# List of usernames separated by '|'... no whitespace
#
-Tiger_Embedded_OK_Owners='root|bin|uucp|sys|daemon'
+Tiger_Embedded_OK_Owners='root|bin|uucp|sys|daemon|rpm'
#Tiger_Embedded_OK_Owners=root
#
# What groups can have write access to system files?
@@ -238,7 +249,7 @@
# Who can own executables in 'root's PATH?
# List of usernames separated by '|'... no whitespace
#
-Tiger_ROOT_PATH_OK_Owners='root|uucp|bin|news|sys|daemon'
+Tiger_ROOT_PATH_OK_Owners='root|uucp|bin|news|sys|daemon|rpm'
# If you are paranoid:
#Tiger_ROOT_PATH_OK_Owners='root'
# If you are running HP-UX
@@ -253,13 +264,13 @@
# Who can own things in other users PATH?
# List of usernames separated by '|'... no whitespace
#
-Tiger_PATH_OK_Owners='root|bin|daemon|uucp|sys|adm'
+Tiger_PATH_OK_Owners=$Tiger_ROOT_PATH_OK_Owners
#
# What groups can have write access to executables in non-root user PATH?
# List of group names separated by '|'... no whitespace.
# No value means no groups should have write access.
#
-Tiger_PATH_OK_Group_Write=
+eval Tiger_PATH_OK_Group_Write='$Tiger_ROOT_PATH_OK_Group_Write'
#
# Should 'tiger' wait for Crack to finish? If set to 'Y' it will wait
# until it finishes. If set to 'N', it will collect the output if
@@ -274,6 +285,11 @@
#
Tiger_Crack_Local=Y
#
+# Who sends output from 'tigercron'?
+# Default is "root@$HOSTNAME" (gets expanded by tigercron)
+#
+# Tiger_Mail_FROM="root@`uname -n`"
+#
# Who gets output from 'tigercron'?
#
Tiger_Mail_RCPT=root
@@ -285,12 +301,12 @@
#
# File system scan - things to look for
#
-Tiger_FSScan_Setuid=Y # Setuid executables
-Tiger_FSScan_Setgid=Y # Setgid executables
+Tiger_FSScan_Setuid=N # Setuid executables
+Tiger_FSScan_Setgid=N # Setgid executables
Tiger_FSScan_Devs=Y # device files
Tiger_FSScan_SymLinks=Y # strange symbolic links
Tiger_FSScan_ofNote=Y # weird filenames
-Tiger_FSScan_WDIR=Y # world writable directories
+Tiger_FSScan_WDIR=N # world writable directories
Tiger_FSScan_Unowned=Y # files with undefined owners/groups
#
# Should we scan read-only filesystems
@@ -303,7 +319,7 @@
# Note that .rhosts and .netrc need not appear here, as they will
# be checked by scan_rhosts or scan_netrc.
#
-USERDOTFILES=".alias .kshrc .cshrc .profile .login .mailrc .exrc .emacs .forward .tcshrc .zshenv .zshrc .zlogin .zprofile .rcrc .bashrc .bash_profile .inputrc .xinitrc .fvwm2rc .Xsession .Xclients .less"
+USERDOTFILES=".alias .kshrc .cshrc .profile .login .mailrc .exrc .emacs .forward .tcshrc .zshenv .zshrc .zlogin .zprofile .rcrc .bashrc .bash_profile .bash_logout .inputrc .xinitrc .fvwm2rc .Xsession .Xclients .less .kde"
#
# Rhost sites which are expected to be in the .rhosts files.
# Anything that doesn't match will be reported. The patterns
@@ -316,7 +332,8 @@
# Debian GNU/Linux: default is 999, users are generated over 1000
# Solaris: default should be 99, users are generated over 100
# HP-UX (?): default should be 499, users are generated over 500
-Tiger_Accounts_Trust=999
+# Fedora : default should be 499, users are generated over 500
+Tiger_Accounts_Trust=499
#
# These SSH directive variables are used to specify "allowed" values
# for the SSH Daemon.
@@ -324,7 +341,7 @@
# be left blank to ignore the check.
Tiger_SSH_Protocol='1|2'
Tiger_SSH_RhostsAuthentication='no'
-Tiger_SSH_PasswordAuthentication='no'
+Tiger_SSH_PasswordAuthentication='yes|no'
#
# Should we give warnings on services that listen on all interfaces?
# (i.e. those that have not been configured to listen only on one)
@@ -353,10 +370,16 @@
# seen in the process table will generate a FAIL:
#
# The process list below is just an example (useful for Linux)
-# change it to suit your needs
-# Tiger_Running_Procs='syslogd cron atd klogd'
+# change it to suit your needs. You can use either the process name
+# or the full path name
+Tiger_Running_Procs='syslogd crond atd klogd'
+# or
+# Tiger_Running_Procs='/sbin/syslogd /usr/sbin/atd /usr/sbin/crond /sbin/klogd'
#
# Should we optimize DPKG checks? (by not using dpkg but looking on
# the file database at /var/lib/dpkg?)
#
Tiger_DPKG_Optimize=Y
+
+# Devices are not only in /dev when udev is enabled :
+FS_DEVDIRS="/dev /etc/udev/devices"
--- ./tigerrc-all.config 2003-10-07 00:02:56.000000000 +0200
+++ ./tigerrc-all 2005-08-07 17:12:40.000000000 +0200
@@ -9,6 +9,7 @@
#
TigerNoBuild=Y # C files are corrupted (ouch.)
Tiger_Check_PASSWD=Y # Fast
+Tiger_Check_PASSWD_FORMAT=N # Fast - not needed if on systems with pwck
Tiger_Check_PASSWD_SHADOW=Y # Time varies on # of users
Tiger_Check_PASSWD_NIS=N # Time varies on # of users
Tiger_Check_GROUP=Y # Fast
@@ -274,6 +275,11 @@
#
Tiger_Crack_Local=Y
#
+# Who sends output from 'tigercron'?
+# Default is "root@$HOSTNAME" (gets expanded by tigercron)
+#
+# Tiger_Mail_FROM="root@`uname -n`"
+#
# Who gets output from 'tigercron'?
#
Tiger_Mail_RCPT=root
tiger-3.2.1-doc.patch:
--- NEW FILE tiger-3.2.1-doc.patch ---
--- tiger-3.2.1.orig/CHANGES
+++ tiger-3.2.1/CHANGES
@@ -1,6 +1,15 @@
NOTE: To read changes made to the Debian package (since
August 23rd 2001) see the changelog.Debian file
+Changes (v 3.2.2)
+(Unreleased)
+----------------
+- Applied patches from Ryan Bradetich to fix Makefiles in HPUX
+- Fixed bashisms in scripts
+- Fixed YPCAT calls
+[TODO: write more of the changes done here]
+
+
Changes (v 3.2.1)
----------------
- New checks:
--- tiger-3.2.1.orig/TODO.checks
+++ tiger-3.2.1/TODO.checks
@@ -0,0 +1,181 @@
+This TODO details things that need to be done to improve the current
+security checks implemented in Tiger.
+
+
+IMPROVEMENTS
+------------
+- Modify the rhosts check so that it will check for shosts files too
+ (or create a new check_shosts file)
+
+- Modify check_network to include hosts.lpd in the tests
+
+- Add .bash_profile into check_path
+
+- Add more information to the messages outputed for inetd services which
+ might expose password information (Unix CERT configuration list item #2.4)
+
+- check_rootkit should also consider analysing modification times of
+ important system files (binaries as well as logfiles).
+ Mtime, atime and ctime should not be in the future and mtime/ctime
+ of binaries should be similar to the time the system was installed
+ (unless it has been patched). Similarly, logfiles should not have
+ similar (almost equal) ctimes. This needs to be carefully planned in
+ order to avoid confusion of logfile rotation vs. a log cleaner though.
+
+- check_patches for Solaris should generate better messages for security
+ and/or recommended patches (|R|S|). The check needs to be tested for
+ Solaris 9 too.
+ Also check_patches should only output information for packages installed.
+
+- check_known should be improved to detect for symlink attacks and
+ hard links in user writable directories (/tmp, /var/tmp and, in
+ some systems, /var/spool/mail too, the directory list might be
+ defined in tigerrc or extracted by parsing the file system)
+
+
+NEW CHECKS
+-----------
+- Create the following (generic) scripts:
+
+ - Check root $HOME files (might be redundant with check_path's)
+ - Do alias give the same as check_aliases?
+ - writable/executable check + word writable? (in find_files)
+ - Check for SAMBA configuration (checklist #20 SANS):
+ . encrypted passwords.
+ . 600 /etc/smbpasswd or /etc/samba/smbpasswd
+ . shares enabled/disabled
+ . guest access
+ . create mask (770)
+ - Check newer FTP (/etc/ftpaccess in newer Linux systems, ftpusers
+ is deprecated) see checklist #22 of SANS.
+ (DONE)- The check_inetd script should be improved to warn if echo/chargen..
+ services are enabled (SANS unix checklist #3 and Linux #4)
+ - SANS unix checklist #18
+ . Solaris /etc/system (noexec stack)
+ . Solaris locked accounts (#18 and #21)
+ . Solaris default/login
+ . Solaris /etc/default/kbd
+ - Partition checks (in Linux /etc/fstab, in Solaris /etc/vfstab),
+ if there is a /usr, /opt then read-only, if /var
+ or /tmp suggest nosuid (maybe noexec, although it's not a real
+ improvement). Separate partitions for /var, /usr, /tmp, /home
+ (boot?) so that no hard links attacks are possible.
+ In general user writable directories should be separated from
+ from system directories to avoid (hard) symlink attacks and
+ local DoS due to partitions being full.
+ In some installations /var/log or /var/spool (or /var/mail) might
+ make sense to be separated.
+ - Solaris /etc/notrouter to disable
+
+ - Suggested by Bob Hall:
+ * Check if any local file systems are being exported to
+ 'localhost'. Also check if the local host is in a netgroups
+ entry in its own exports file.
+ * Look for (unexpected) normal files under /dev.
+ (Note: included in 'check_devices', done?)
+ * Check for user startup files that call 'umask' with weak
+ settings. (Should be 022 or 027.)
+ (Note: included in 'check_umask' using GENPASSWDSETS, done?)
+ * Check that '-' is not the first character in a /etc/hosts.equiv
+ /etc/hosts.lpd, or .rhosts files. Also check for a '+' entry in
+ hosts.lpd file.
+ (Note: included in 'check_rhosts'?)
+ * If a system allows it, check for an /etc/shells file and look
+ if the permitted shells are in the system directories.
+ References:
+ http://www.cert.org/tech_tips/usc20.html
+ http://www.cert.org/advisories/CA-2001-30.html
+ http://www.ciac.org/ciac/bulletins/b-37.shtml
+ http://www.nswc.navy.mil/ISSEC/Docs/Ref/GeneralInfo/unixsecurity.nrl.txt
+
+ - Detect promiscous mode (DONE)
+ - Rootkits check, like chkrootkit (DONE)
+ Reference:
+ http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html
+
+- Implement a check for configuration files for user's password policies
+ and other sensible configuration such as /etc/login.access, /etc/login.defs,
+ /etc/login.conf
+
+- Implement a generic script to test package management systems
+ (i.e. run 'rpm -Va' in RedHat, 'pkgchk' in Solaris). Most of these check:
+ md5sums, permissions, size, user/group ownerships...
+ These can be useful to detect trivial rootkits but might be redundant
+ when using also integrity checkers.
+ Note: The Debian deb_checkmd5sums only covers part of that (using
+ debsums), dpkg does not have a verify mode (see Debian Bug #187019)
+ References:
+ RedHat: http://www.rpm.org/max-rpm/ch-rpm-verify.html
+ http://www.rpm.org/max-rpm/s1-rpm-verify-what-to-verify.html
+
+- Convert scripts/check_network (RedHat-based) into a number of tests.
+ This is a script provided by Bryan Gartner from HP
+ It currently checks for:
+ - Inetd configuration files (are xinetd or inetd files writable?
+ are they owned by the proper user? does inetd use -l? does
+ xinetd have filelog or syslog?)
+ (Note: some checks moved to check_tcpd)
+ - Does /etc/securetty exist? Does it have other entries besides vc/tty?
+ Is ownership of the file ok?
+ - Is ip forwarding enabled?
+ - Which version of DNS/Wu-ftpd is it running?
+ (Note: this might not be completely feasible since the check_network
+ scripts connects to the server to retrieve the banner which is
+ something that Tiger should leave to other, remote, VA tools)
+ - PermitRooLogin or Rhosts in sshd?
+ - EXPN/VRFY support in mail host?
+ Necessary services:
+ - Is syslog running?
+ - Is omniback running?
+ Not allowed (per policy):
+ - Is fingerd running?
+ - Is identd runnig?
+ - Are inetd internal services running?
+ - Is a routing daemon enabled?
+ - R-commands?
+ - X server
+ - Tftpd
+ - NIS
+ - UUCP
+ - R-exd?
+ - NFS
+ Note: some of this is already done in check_inetd and check_xinetd so
+ many might be redundant.
+
+INTEGRATION CHECKS
+------------------
+(checks related to other tools that integrate them in the Tiger framework)
+
+- Tripwire: the 'tripwire_run' script has not been tested thoroughly
+ (mainly because in Debian it is already configured to execute
+ regular checks standalone)
+
+- Crack: same for 'crack_run' (for the same reason as for tripwire
+ it has not been tested thoroughly yet)
+
+- Other integrity checkers: aide, samhain, integrit...
+ (Note: done for aide and integrit for the moment)
+
+- Other password crackers: john
+
+- Logcheckers: swatch, logcheck, loganalysis, snort-logcheck
+ Note: Tiger currently does not do any log checking (see below)
+ I'm not sure if Tiger should provide a new one or re-use
+ existing ones and include them as an 'external' program to run
+ through a Tiger module. The benefit of using an accepted and use
+ log analysis tool is that Tiger can benefit from the database of
+ signatures of known attacks/non-issues. The problem is that the
+ sysadmin has to install yet another tool (if he is not using an OS
+ that already includes them) and, probably, some other stuff
+ (usually Perl) on which the tool itself is based.
+
+- User analysis: sac, hostsentry (part of Abacus, but non-free)
+
+- Network checks: Arpwatch, Snort
+
+(DONE)- Other tools: chkrootkit
+
+--- Javier Fernandez-Sanguino Pen~a <jfs at computer.org>
[...4962 lines suppressed...]
Note: the up-to-date TODO list is maintained through Savannah's Task Manager
(http://savannah.nongnu.org/pm/?group=tiger) this list is provided for the
commodity of those browsing the source code
@@ -43,12 +42,12 @@
the code of some checks or new checks written for them
. Integrated the secaudit database manager patch provided by the
Center for Information Technology, National Institutes of Health
-
. Integration of checks/bug fixes from TARA 3.0.3 version.
NOTE: Mostly done for all checks (except for check_sendmail)
Other utilities, such as buildbins changes, need to be checked.
. Full documentation and user manual describing checks, policy
(BS-7799) compliance and comparison with other tools and checks.
+ - Include tigerrc and cronrc manpages
. Provide other logging mechanisms (syslog, snmp) if tools are
available.
. Checks for SANS's Top 10 (generic) and Top 20 (UNIX) vulnerabilities
@@ -57,8 +56,9 @@
NOTE: Already included an annotated CERT list which determines which
are done and which are lacking
. Redhat (rpm) packages
- NOTE: The spec file provided as a patched is now included but it has
- not been tested (by me) to build RPM packages.
+ NOTE: The spec file provided as a patched is now included, I have tested
+ it to build RPM packages but I have not tested the RPM packages
+ themselves.
Released:
- Version 3.2 (stable): major bug fix version
@@ -84,38 +84,6 @@
(such as http://lists.insecure.org/lists/bugtraq/1998/Jun/0160.html
from Marc Heuse dated Fri Jun 26 1998 - 08:24:17 BST)
-- Convert scripts/check_network (RedHat based) into a number of tests.
- This is a script provided by Bryan Gartner from HP
- It currently checks for:
- - Inetd configuration files (are xinetd or inetd files writable?
- are they owned by the proper user? does inetd use -l? does
- xinetd have filelog or syslog?)
- (Note: some checks moved to check_tcpd)
- - Does /etc/securetty exist? Does it have other entries besides vc/tty?
- Is ownership of the file ok?
- - Is ip forwarding enabled?
- - Which version of DNS/Wu-ftpd is it running?
- (Note: this might not be completely feasible since the check_network
- scripts connects to the server to retrieve the banner which is
- something that Tiger should leave to other, remote, VA tools)
- - PermitRooLogin or Rhosts in sshd?
- - EXPN/VRFY support in mail host?
- Necessary services:
- - Is syslog running?
- - Is omniback running?
- Not allowed (per policy):
- - Is fingerd running?
- - Is identd runnig?
- - Are inetd internal services running?
- - Is a routing daemon enabled?
- - R-commands?
- - X server
- - Tftpd
- - NIS
- - UUCP
- - R-exd?
- - NFS
-
- Update signatures using TAMU's (and maybe knowngoods.org's) signature
database.
See http://savannah.nongnu.org/pm/task.php?group_project_id=472&group_id=2247&func=browse
@@ -123,88 +91,6 @@
- Improve support non-Linux OSs
https://savannah.nongnu.org/pm/task.php?group_id=2247&group_project_id=632
-- Modified the rhosts check so that it will check for shosts files too
- (or create a new check_shosts file)
-
-- Modify check_network to include hosts.lpd in the tests
-
-- Add .bash_profile into check_path
-
-- Create the following scripts:
- - Detect promiscous mode
- - Check root $HOME files (might be redundant with check_path's)
- - Do alias give the same as check_aliases?
- - writable/executable check + word writable? (in find_files)
- - Check for SAMBA configuration (checklist #20 SANS):
- . encrypted passwords.
- . 600 /etc/smbpasswd or /etc/samba/smbpasswd
- . shares enabled/disabled
- . guest access
- . create mask (770)
- - Check newer FTP (/etc/ftpaccess in newer Linux systems, ftpusers
- is deprecated) see checklist #22 of SANS.
- - The check_inetd script should be improved to warn if echo/chargen..
- services are enabled (SANS unix checklist #3 and Linux #4)
- - SANS unix checklist #18
- . Solaris /etc/system (noexec stack)
- . Solaris locked accounts (#18 and #21)
- . Solaris default/login
- . Solaris /etc/default/kbd
- - Partition checks (in Linux /etc/fstab, in Solars /etc/vfstab,
- if there is a /usr, /opt then read-only, if /var
- or /tmp nosuid. Separate /var,/usr,/tmp from /
- - Solaris /etc/notrouter to disable
- - Rootkits check, like chkrootkit
- Note: partially done
- Reference:
- http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html
-
- - Suggested by Bob Hall:
- * Check if any local file systems are being exported to
- 'localhost'. Also check if the local host is in a netgroups
- entry in its own exports file.
- * Look for (unexpected) normal files under /dev.
- (Note: include in 'check_devices')
- * Check for user startup files that call 'umask' with weak
- settings. (Should be 022 or 027.)
- (Note: include in 'check_umask' using GENPASSWDSETS)
- * Check that '-' is not the first character in a /etc/hosts.equiv
- /etc/hosts.lpd, or .rhosts files. Also check for a '+' entry in
- hosts.lpd file.
- (Note: include in 'check_rhosts')
- * If a system allows it, check for an /etc/shells file and look
- if the permitted shells are in the system directories.
- References:
- http://www.cert.org/tech_tips/usc20.html
- http://www.cert.org/advisories/CA-2001-30.html
- http://www.ciac.org/ciac/bulletins/b-37.shtml
- http://www.nswc.navy.mil/ISSEC/Docs/Ref/GeneralInfo/unixsecurity.nrl.txt
-
-
-- Possible integration with other security tools:
- - Tripwire: the 'tripwire_run' script has not been tested thoroughly
- (mainly because in Debian it is already configured to execute
- regular checks standalone)
- - Crack: same for 'crack_run' (for the same reason as for tripwire
- it has not been tested thoroughly yet)
- - Other integrity checkers: aide, samhain, integrit...
- (Note: done for aide and integrit for the moment)
- - Other password crackers: john
- - Logcheckers: swatch, logcheck, loganalysis, snort-logcheck
- Tiger currently does not do any log checking (see below)
- I'm not sure if Tiger should provide a new one or re-use
- existing ones and include them as an 'external' program to run
- through a Tiger module. The benefit of using an accepted and use
- log analysis tool is that Tiger can benefit from the database of
- signatures of known attacks/non-issues. The problem is that the
- sysadmin has to install yet another tool (if he is not using an OS
- that already includes them) and, probably, some other stuff
- (like Perl) on which the tool itself is based.
-
- - User anaylisis: sac, hostsentry (part of Abacus, but non-free)
- - Network checks: Arpwatch, Snort
- - Other tools: chkrootkit
-
- Compare checks against other tools'
- Bastille/Titan: verify that each thing that they 'fix' (harden)
is checked by Tiger. Provide a relationship of modules in
@@ -218,8 +104,6 @@
to make simple checks than if using other monolythic tools (like CIS's,
OpenBSD's or SuSE's)
-- Implement logging to syslog (TARA 3.0.3 does it through logger)
-
- Implement IDMEF to send message on alerts. Consider the use of the XML
library available at http://www.silicondefense.com/idwg/snort-idmef/
or Prelude's libprelude
@@ -237,12 +121,16 @@
- IDEA http://idea-arch.sourceforge.net/
- Prelude http://www.prelude-ids.org/
-- Implement a check for configuration files for user's password policies
- and other sensible configuration such as /etc/login.access, /etc/login.defs,
- /etc/login.conf
+(DONE)- Implement logging to syslog (TARA 3.0.3 does it through logger)
+
+BUGS
+----
-- Add more information to the messages outputed for inetd services which
- might expose password information (Unix CERT configuration list item #2.4)
+- Gen_passwd_sets (all systems) sorts the passwd/shadow before joining,
+ if there are "similar" userfields with non-word characters (*, !) sorting
+ might not work as expected and the join will not show some of the users.
+ This needs to be fixed by sorting the userfield first and then using that
+ sort to sort the passwd fileS
--- Javier Fernandez-Sanguino Pen~a <jfs at computer.org>
--- tiger-3.2.1.orig/USING
+++ tiger-3.2.1/USING
@@ -72,7 +72,7 @@
there *is* new information.
This can be helpful to make Tiger behave as a Host Intrusion Detection
-System (HIDS) but it has some caveats, make sure to read README.hids
+System (HIDS) but it has some caveats, make sure to read README.hostids
if your intention is to use Tiger in this way.
------------------------------------------------------------------------
tiger-3.2.1-fixes.patch:
--- NEW FILE tiger-3.2.1-fixes.patch ---
--- ./config.fixes 2003-09-19 02:46:26.000000000 +0200
+++ ./config 2005-08-07 16:14:27.000000000 +0200
@@ -17,6 +17,16 @@
#
# config (top level) - 06/14/93
#
+# 06/22/2005 jfs Abort signature generation if the user does not
+# have permissions to change the directories signatures are
+# stored in.
+# 01/21/2005 jfs Safer creation of $WORKDIR if undefined
+# 08/13/2004 jfs Setup all locales as 'C' (Debian bug #270108)
+# 04/28/2004 jfs Changed -f RCFILE check to -r to allow use through ssh
+# as suggested by Falk Siemonsmeier:
+# cat /etc/tiger/tigerrc | ssh tiger -c /dev/stdin
+# 01/13/2004 jfs Added check when running with -f since on some (unconfigured)
+# systems this might fail.
# 08/19/2003 jfs tara -> Tiger in the usage
# 08/13/2003 jfs Added some of ARSC changes including:
# - support for signature generation (enhanced with also
@@ -47,8 +57,8 @@
# This is important to avoid problems with commands that are
# dependant on the defined language environment
LANG="C"
-LC_TIME="C"
-export LANG LC_TIME
+LC_ALL="C"
+export LANG LC_ALL
error_siggen()
{
dir=$1
@@ -70,7 +80,7 @@
if [ ! -d "$BASEDIR/systems/$OS/$REV/$ARCH/" ]
then
printf "Creating the directory $BASEDIR/systems/$OS/$REV/$ARCH/ where signatures will be stored..."
- mkdir -p "$BASEDIR/systems/$OS/$REV/$ARCH/"
+ mkdir -p "$BASEDIR/systems/$OS/$REV/$ARCH/" || { echo "Cannot create directory '$BASEDIR/systems/$OS/$REV/$ARCH/'!" >&2; exit 1; }
echo "...created"
fi
# NOTE: I'm not sure it's ok to create the directory since
@@ -92,7 +102,7 @@
then
printf "Generating and installing file access lists..."
$BASEDIR/util/mkfilelst
- mv "file_access_list.$OS-$REV-$ARCH" $BASEDIR/systems/$OS/$REV/$ARCH/file_access_list
+ mv "file_access_list.$OS-$REV-$ARCH" $BASEDIR/systems/$OS/$REV/$ARCH/file_access_list || { echo "Cannot move files to '$BASEDIR/systems/$OS/$REV/$ARCH/'!" >&2; exit 1; }
echo "...done"
else
error_siggen "$PWD" "file_access_list.$OS-$REV-$ARCH" "$WORKDIR"
@@ -104,13 +114,22 @@
do_usage()
{
echo "Tiger, version $TIGERVERSION"
-echo "Usage: ./tiger [-B dir] [-d dir|@host] [-w dir] [-b dir] [-e|-E] [-GH] [-q]"
+echo "Usage: ./tiger [-vthqGSH] [-B dir] [-l dir|@host] [-w dir] [-b dir] [-e|-E] [-c config] [-A arch] [-O os] [-R release]"
+echo ""
+echo " -v Show the Tiger version."
+echo ""
+echo " -t Run in test mode."
+echo ""
+echo " -h Show usage (this help)."
+echo ""
+echo " -q Supress messages to be as quiet as possible, only "
+echo " security messages will be shown."
echo ""
echo " -B name"
echo " Specify the directory where tiger is installed. If"
echo " not specified, '$BASEDIR' is used."
echo ""
-echo " -d name"
+echo " -l name"
echo " Specify the name of the directory where Tiger will"
echo " write the security report. This defaults to "
echo " '$LOGDIR'. The filename of the report will be of "
@@ -159,8 +178,16 @@
echo " same time. The checks will not be as in depth as"
echo " they would be if run on the client itself."
echo ""
-echo " -q Supress messages to be as quiet as possible, only "
-echo " security messages will be shown."
+echo "Overrides for values detected by the configuration system:"
+echo " -A arch"
+echo " Specify an alternate architecture for tiger"
+echo ""
+echo " -O os"
+echo " Specify an alternate operating system for tiger"
+echo ""
+echo " -R release"
+echo " Specify an alternate operating system release "
+echo " for tiger"
echo ""
echo "Report bugs at http://savannah.nongnu.org/projects/tiger"
}
@@ -203,7 +230,7 @@
fi
LOGDIR=${TigerLogDir:=.}
- WORKDIR=${TigerWorkDir:=${TMPDIR:=/tmp}}
+ WORKDIR="$TigerWorkDir"
RCFILE=${TigerConfigDir:=.}/tigerrc
IGNORE_FILE=${TigerConfigDir:=.}/tiger.ignore
TIGERHOMEDIR="$BASEDIR"
@@ -241,7 +268,6 @@
shift;
done
-
TIGERVERSION="`/bin/cat $TIGERHOMEDIR/version.h 2>/dev/null`"
[ ! -n "$TIGERVERSION" ] && TIGERVERSION="undetermined"
export TIGERVERSION
@@ -251,6 +277,19 @@
exit 0
}
+ if [ -z "$WORKDIR" ] ; then
+ WORKDIR=${TMPDIR:=/tmp}
+ ( umask 077; mkdir $WORKDIR/tiger.$$ ) || { echo "$0: Cannot create temporary directory" >&2; exit 1; }
+ WORKDIR="$WORKDIR/tiger.$$"
+ fi
+ # TODO: WORKDIR should be removed on exit if it is located in a temporary
+ # directory
+ if [ ! -d "$WORKDIR" ] ; then
+ echo "Configured working directory $WORKDIR does not exist" >&2
+ exit 1
+ fi
+
+
[ "$QUIET" != "Y" ] && echo "Configuring..."
set X `$BASEDIR/util/gethostinfo` unknown unknown unknown
@@ -336,8 +375,8 @@
done
}
- [ -n "$RCFILE" -a ! -f "$RCFILE" ] && {
- echo "Control file "$RCFILE" not found... exiting..."
+ [ -n "$RCFILE" -a ! -r "$RCFILE" ] && {
+ echo "Control file "$RCFILE" not defined or not readable... exiting..."
exit 1
}
@@ -345,7 +384,7 @@
# Preprocess the RC file, to export variables to environment
#
- [ -n "$RCFILE" -a -f $RCFILE ] && {
+ [ -n "$RCFILE" -a -r $RCFILE ] && {
$GREP -v '^#' $RCFILE |
$SED -e 's/^\(.*\)=/export \1; \1=/' > $WORKDIR/rcfile.$$
. $WORKDIR/rcfile.$$
@@ -357,7 +396,9 @@
then
# Linux hostname has the -f option for FQDN... (jfs)
# (others?)
- HOSTNAME=`$GETHOSTNAME -f`
+ HOSTNAME=`$GETHOSTNAME -f 2>/dev/null`
+# But sometimes this will fail.... (if the system is not properly setup)
+ [ $? -ne 0 ] && HOSTNAME=`$GETHOSTNAME`
fi
for file in './site-$HOSTNAME' '$BASEDIR/site-$HOSTNAME' './site' '$BASEDIR/site'
@@ -388,4 +429,8 @@
. $WORKDIR/tigercmds.$$
$RM -f $WORKDIR/tigercmds.$$
}
+
+ # set the PATH
+ PATH=/sbin:/usr/sbin:/bin:/usr/bin
+ export PATH
}
--- ./tigercron.in.fixes 2003-08-19 18:34:27.000000000 +0200
+++ ./tigercron.in 2005-08-07 16:14:27.000000000 +0200
@@ -248,6 +248,7 @@
done >> $WORKDIR/tigcron.diff.$$
[ ! -n "$Tiger_Mail_RCPT" ] && Tiger_Mail_RCPT="root"
+[ ! -n "$Tiger_Mail_FROM" ] && Tiger_Mail_FROM="root@$HOSTNAME"
length=1
if [ ! -n "$EGREP" ] ; then
@@ -257,13 +258,13 @@
[ -s "$WORKDIR/tigcron.diff.$$" -a $length -gt 0 ] && {
send="Y"
[ "$Tiger_Cron_SendOKReports" = "N" ] &&
- [ -z "`grep ERR $WORKDIR/tigcron.diff.$$`" ] &&
+ [ -z "`grep ERR $WORKDIR/tigcron.diff.$$`" ] &&
[ -z "`grep WARN $WORKDIR/tigcron.diff.$$`" ] && {
send="N"
}
haveallcmds MAILER && [ "$send" = "Y" ] && {
# Mail header (so it does not just say it's root
- echo "From: Tiger automatic auditor at $HOSTNAME <root@$HOSTNAME>"
+ echo "From: \"Tiger automatic auditor at $HOSTNAME\" <$Tiger_Mail_FROM>"
echo "Subject: Tiger Auditing Report for $HOSTNAME"
echo
cat $WORKDIR/tigcron.diff.$$
--- ./tigercron.fixes 2003-08-19 19:37:42.000000000 +0200
+++ ./tigercron 2005-08-07 16:14:27.000000000 +0200
@@ -256,6 +256,7 @@
done >> $WORKDIR/tigcron.diff.$$
[ ! -n "$Tiger_Mail_RCPT" ] && Tiger_Mail_RCPT="root"
+[ ! -n "$Tiger_Mail_FROM" ] && Tiger_Mail_FROM="root@$HOSTNAME"
length=1
if [ ! -n "$EGREP" ] ; then
@@ -271,7 +272,8 @@
}
haveallcmds MAILER && [ "$send" = "Y" ] && {
# Mail header (so it does not just say it's root
- echo "From: Tiger automatic auditor at $HOSTNAME <root@$HOSTNAME>"
+ echo "From: \"Tiger automatic auditor at $HOSTNAME\" <$Tiger_Mail_FROM>"
+ echo "To: $Tiger_Mail_RCPT"
echo "Subject: Tiger Auditing Report for $HOSTNAME"
echo
cat $WORKDIR/tigcron.diff.$$
--- ./initdefs.fixes 2003-10-10 19:05:48.000000000 +0200
+++ ./initdefs 2005-08-07 16:14:27.000000000 +0200
@@ -16,6 +16,13 @@
#
# initdefs - 06/14/93
#
+# initdefs - 01/10/2005 - cslater - Modified ignore function so that
+# filtering can also be done on msgid and level
+# initdefs - 08/01/2004 - jfs - Allow removal from LOGDIR so that tiger -e
+# works as expected
+# initdefs - 10/15/2003 - jfs - Quoted $__File in deleted() in order
+# for the check_rootkit check to work properly.
+# (Debian bug #215882)
# initdefs - 10/10/2003 - jfs - Improved check so that it will not
# remove files created by a different user and
# warn if files to be deleted do not exist
@@ -117,14 +124,14 @@
do
if [ -n "$LS" ]
then
- if [ -z "`$LS $__file 2>/dev/null`" ]
+ if [ -z "`$LS \"$__file\" 2>/dev/null`" ]
then
# echo "--ERROR-- [post001e] File \`$__file' will not be removed since it does not exist"
goahead=0
fi
if [ $goahead -eq 1 -a -n "$AWK" -a -n "$UUID" ]
then
- if [ "$UUID" != "`$LS -nl $__file | $AWK '{print $3}'`" ]
+ if [ "$UUID" != "`$LS -nl \"$__file\" | $AWK '{print $3}'`" ]
then
echo "--ERROR-- [post001e] File \`$__file' will not be removed since it has not been created by the current user (symlink attack?)."
goahead=0
@@ -134,6 +141,7 @@
[ $goahead -eq 1 ] && {
eval "case \"\$__file\" in
$WORKDIR*) $RM -f \"\$__file\";;
+ $LOGDIR*) $RM -f \"\$__file\";;
*) echo \"--ERROR-- [post001e] File \\\`\$__file' not removed.\";;
esac"
}
@@ -164,7 +172,7 @@
__len=${Tiger_Output_Width:=79}
# If the message should be ignore it is removed
- ignore_message "$_mesg" && return
+ ignore_message "$_level $_msgid $_mesg" && return
[ "$HTML" = "N" ] && {
@@ -505,15 +513,15 @@
if [ $__script_owner -eq $UUID ]; then
$__script_run
else
- echo "--ERROR-- [misc024w] The $__script_run script will not be run since it is owned by a user ($__script_owner) different than the one running Tiger ($UUID)"
+ echo "--ERROR-- [misc024e] The $__script_run script will not be run since it is owned by a user ($__script_owner) different than the one running Tiger ($UUID)"
__error=1
fi
else
- echo "--ERROR-- [misc025w] The $__script_run will not be run since it is not executable"
+ echo "--ERROR-- [misc025e] The $__script_run will not be run since it is not executable"
__error=1
fi
else
- echo "--ERROR-- [misc005w] Can't find '$script'..."
+ echo "--ERROR-- [misc005e] Can't find '$script'..."
__error=1
fi
done
--- ./c/getpermit.c.fixes 2002-06-14 10:51:31.000000000 +0200
+++ ./c/getpermit.c 2005-08-07 16:14:27.000000000 +0200
@@ -3,6 +3,7 @@
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>
+#include <string.h>
/*
tiger - A UN*X security checking system
Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
--- ./tiger.fixes 2003-10-07 00:20:24.000000000 +0200
+++ ./tiger 2005-08-07 16:14:27.000000000 +0200
@@ -21,6 +21,11 @@
# all the checks configured for your system in the tigerrc configuration
# file.
#
+# 05/14/2005 jfs Patch from Nicolas François which fixes aide output handling
+# 01/25/2005 cslater Added separate config variable for
+# check_passwdformat.
+# 01/15/2003 jfs Check should use INETDCONF (and not INETDFILE).
+# (Temporary fix: defined it if undefined)
# 09/03/2003 jfs Included check_ssh to the checks
# 08/19/2003 jfs check_cron is now check_crontabs
# 08/15/2003 jfs Integrated ARSC log to syslog mechanism but modified
@@ -43,7 +48,7 @@
echo "Tiger UN*X security checking system"
echo " Developed by Texas A&M University, 1994"
echo " Updated by the Advanced Research Corporation, 1999-2002"
-echo " Further updated by Javier Fernandez-Sanguino, 2001-2003"
+echo " Further updated by Javier Fernandez-Sanguino, 2001-2005"
echo " Covered by the GNU General Public License (GPL)"
echo
TigerInstallDir="."
@@ -195,7 +200,7 @@
run_script find_files >> $logtmp
else
echo "`$TIMECMD`> Starting file systems scans in background..."
- $SCRIPTDIR/find_files > $WORKDIR/fsscan.log$$ &
+ $SCRIPTDIR/find_files > $WORKDIR/fsscan.log$$ 2>/dev/null &
fspid=$!
fi
}
@@ -243,6 +248,9 @@
[ "$Tiger_Check_PASSWD" != 'N' ] && {
echo "`$TIMECMD`> Checking password files..."
run_script check_passwd >> $logtmp
+}
+
+[ "$Tiger_Check_PASSWD_FORMAT" != 'N' ] && {
echo "`$TIMECMD`> Checking password format..."
run_script check_passwdformat >> $logtmp
}
@@ -301,10 +309,21 @@
}
[ "$Tiger_Check_INETD" != 'N' ] && {
- echo "`$TIMECMD`> Checking 'inetd' configuration..."
- run_script check_inetd >> $logtmp
- echo "`$TIMECMD`> Checking 'tcpd' configuration..."
- run_script check_tcpd >> $logtmp
+ # Temporary definition until all the config files (and gen_inetd
+ # scripts) are updated.
+ [ -z "$INETDCONF" ] && INETDCONF="/etc/inetd.conf"
+ [ -z "$XINETDCONF" ] && XINETDCONF="/etc/xinetd.conf"
+
+ [ -n "$INETDCONF" ] && [ -f "$INETDCONF" ] && {
+ echo "`$TIMECMD`> Checking 'inetd' configuration..."
+ run_script check_inetd >> $logtmp
+ echo "`$TIMECMD`> Checking 'tcpd' configuration..."
+ run_script check_tcpd >> $logtmp
+ }
+ [ -n "$XINETDCONF" ] && [ -f "$XINETDCONF" ] && {
+ echo "`$TIMECMD`> Checking 'xinetd' configuration..."
+ run_script check_xinetd >> $logtmp
+ }
}
[ "$Tiger_Check_SERVICES" != 'N' ] && {
@@ -427,6 +446,16 @@
run_script check_ftpusers >> $logtmp
}
+[ "$Tiger_Check_OMNIBACK" != 'N' ] && {
+ echo "`$TIMECMD`> Checking omniback configuration..."
+ run_script check_omniback >> $logtmp
+}
+
+[ "$Tiger_Check_NTP" != 'N' ] && {
+ echo "`$TIMECMD`> Checking NTP configuration..."
+ run_script check_ntp >> $logtmp
+}
+
#
# When not doing checks of all setuid executables, we can do
# embedded checks while the file system scans are running.
@@ -480,8 +509,8 @@
[ -n "$aidepid" ] && {
echo "`$TIMECMD`> Waiting for Aide to finish..."
wait $aidepid
- $CAT $tripout >> $logtmp
- delete $tripout
+ $CAT $aideout >> $logtmp
+ delete $aideout
} 2>/dev/null
#echo "`$TIMECMD`> Security report completed for ${HOSTNAME}."
--- ./util/getfs-nfs.fixes 2003-04-21 10:02:04.000000000 +0200
+++ ./util/getfs-nfs 2005-08-07 16:14:27.000000000 +0200
@@ -58,7 +58,3 @@
done
#
exit 0
-#
-exit 0
-#
-exit 0
--- ./util/getfs-amd.fixes 2003-04-21 10:02:04.000000000 +0200
+++ ./util/getfs-amd 2005-08-07 16:14:48.000000000 +0200
@@ -63,7 +63,7 @@
$SORT > $WORKDIR/gfsa2.$$
if [ -s $WORKDIR/gfsa2.$$ ]; then
- $JOIN -a1 -j 1 -o 1.2 1.3 2.2 $WORKDIR/gfsa1.$$ $WORKDIR/gfsa2.$$ |
+ $JOIN -a1 -j 1 -o "1.2 1.3 2.2" $WORKDIR/gfsa1.$$ $WORKDIR/gfsa2.$$ |
while read user dir location
do
echo $user $dir ${location:=$HOSTNAME}
@@ -79,7 +79,3 @@
$RM -f $WORKDIR/gfsa1.$$ $WORKDIR/gfsa2.$$
#
exit 0
-#
-exit 0
-#
-exit 0
--- ./util/getfs-std.fixes 2003-04-21 10:02:04.000000000 +0200
+++ ./util/getfs-std 2005-08-07 16:14:27.000000000 +0200
@@ -20,6 +20,8 @@
#-----------------------------------------------------------------------------
#
+[ -z "$SED" ] && SED=`which sed`
+
haveallof()
{
retval=0
@@ -44,7 +46,3 @@
#
exit 0
-#
-exit 0
-#
-exit 0
--- ./util/getfs-automount.fixes 2003-04-21 10:02:04.000000000 +0200
+++ ./util/getfs-automount 2005-08-07 16:15:17.000000000 +0200
@@ -62,7 +62,7 @@
$SORT > $WORKDIR/gfsa2.$$
if [ -s $WORKDIR/gfsa2.$$ ]; then
- $JOIN -a1 -j 1 -o 1.2 1.3 2.2 $WORKDIR/gfsa1.$$ $WORKDIR/gfsa2.$$ |
+ $JOIN -a1 -j 1 -o "1.2 1.3 2.2" $WORKDIR/gfsa1.$$ $WORKDIR/gfsa2.$$ |
while read user dir location
do
if [ ! -n "$location" ]; then
@@ -86,7 +86,3 @@
$RM -f $WORKDIR/gfsa1.$$ $WORKDIR/gfsa2.$$
#
exit 0
-#
-exit 0
-#
-exit 0
--- ./config.in.fixes 2003-08-19 18:34:00.000000000 +0200
+++ ./config.in 2005-08-07 16:14:27.000000000 +0200
@@ -24,6 +24,7 @@
# 04/15/2003 jfs Modified to support -B to work in the local dir
# 04/21/2003 jfs Modified to only use hostname -f for Linux _and_
# moved hostname check after RCFILE parsing!
+# 08/13/2004 jfs Setup all locales as 'C' (Debian bug #270108)
#
#-----------------------------------------------------------------------------
#
@@ -38,8 +39,8 @@
# This is important to avoid problems with commands that are
# dependant on the defined language environment
LANG="C"
-LC_TIME="C"
-export LANG LC_TIME
+LC_ALL="C"
+export LANG LC_ALL
checkfile()
{
@@ -79,7 +80,7 @@
fi
LOGDIR=${TigerLogDir:=.}
- WORKDIR=${TigerWorkDir:=${TMPDIR:=/tmp/}}
+ WORKDIR="$TigerWorkDir"
RCFILE=${TigerConfigDir:=.}/tigerrc
IGNORE_FILE=${TigerConfigDir:=.}/tiger.ignore
TIGERHOMEDIR="$BASEDIR"
@@ -124,6 +125,19 @@
exit 0
}
+ if [ -z "$WORKDIR" ] ; then
+ WORKDIR=${TMPDIR:=/tmp}
+ ( umask 077; mkdir $WORKDIR/tiger.$$ ) || { echo "$0: Cannot create temporary directory" >&2; exit 1; }
+ WORKDIR="$WORKDIR/tiger.$$"
+ fi
+ # TODO: WORKDIR should be removed on exit if it is located in a temporary
+ # directory
+ if [ ! -d "$WORKDIR" ] ; then
+ echo "Configured working directory $WORKDIR does not exist" >&2
+ exit 1
+ fi
+
+
echo "Configuring..."
set X `$BASEDIR/util/gethostinfo` unknown unknown unknown
tiger-3.2.1-gcc4.patch:
--- NEW FILE tiger-3.2.1-gcc4.patch ---
--- ./c/realpath.c.gcc4 2005-08-06 23:54:13.000000000 +0200
+++ ./c/realpath.c 2005-08-07 00:04:17.000000000 +0200
@@ -55,8 +55,8 @@
#endif
#ifdef __STDC__
-extern char *getwd(char * const);
-extern int readlink(char * const, char * const, const size_t);
+//extern char *getwd(char * const);
+//extern int readlink(char * const, char * const, const size_t);
extern char *my_realpath(const char *, char [], int);
extern char *_realpath(char [], int);
#else
@@ -109,7 +109,7 @@
int linkcount = 0;
if(path[0] != '/'){
- getwd(buffer);
+ getwd(buffer, sizeof(buffer));
prevslash = buffer+strlen(buffer);
strcpy(prevslash,"/");
strcpy(prevslash+1,path);
tiger-3.2.1-scripts.patch:
--- NEW FILE tiger-3.2.1-scripts.patch ---
--- ./scripts/sub/check_devs.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./scripts/sub/check_devs 2006-05-01 10:21:40.000000000 +0200
@@ -69,7 +69,7 @@
eval $greps | $GREP -v '^'/hw> $WORKDIR/dev.list.$$
[ -s $WORKDIR/dev.list.$$ ] && {
- message WARN fsys006a "" "Unexpected device files found:"
+ message ALERT fsys006a "" "Unexpected device files found:"
$SORT $WORKDIR/dev.list.$$ |
while read file
do
--- ./scripts/sub/check_names.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./scripts/sub/check_names 2006-05-01 10:21:40.000000000 +0200
@@ -53,10 +53,10 @@
file="`$BASENAME \"$pathname\"`"
case "$file" in
.FSP*)
- echo "--WARN-- [fsys009w] FSP server control file found:"
+ message WARN fsys009w "" "FSP server control file found:"
$LS $LSGROUP -ld "$pathname";;
*)
- echo "--ALERT-- [fsys005a] Unusual filename \`$file' found:"
+ message ALERT fsys005a "" "Unusual filename \`$file' found:"
$LS $LSGROUP -ld "$pathname";;
esac
done
--- ./scripts/sub/check_suid.scripts 2002-10-28 17:22:46.000000000 +0100
+++ ./scripts/sub/check_suid 2006-05-01 10:21:40.000000000 +0200
@@ -18,6 +18,10 @@
# sub/check_suid - 06/14/93
#
#-----------------------------------------------------------------------------
+# TODO
+# - Consider fixing the Tiger_Admin_Accounts check so that it takes into
+# account Tiger_Accounts_Trust too
+#-----------------------------------------------------------------------------
# This script is not runnable directly.
#
inputfile="$1"
@@ -65,6 +69,18 @@
$LS $LSGROUP -ld "$file"
}
+ getpermit "$file" 2>/dev/null |
+ while read _file owner group ur uw ux gr gw gx or ow ox suid sgid stk
+ do
+ eval "case \"$owner\" in
+ \"$Tiger_Admin_Accounts\"|root)
+ ;;
+ *)
+ message FAIL fsys0012w \"\" \"File $file is not owned by an administrative user.\"
+ $LS $LSGROUP -ld \"$file\"
+ esac"
+ done
+
case "$file" in
*xterm) {
message WARN misc013w "" "$file: see CERT Advisory CA-93:17 about a security hole in xterm (does not apply to HP-UX)."
@@ -162,7 +178,7 @@
haveallcmds LS AWK && {
[ -s $WORKDIR/suid.list.$$ ] && {
- message INFO fsys004i "" 'The following setuid programs are non-standard:'
+ message ALERT fsys004a "" 'The following setuid programs are non-standard:'
while read file
do
$LS $LSGROUP -ld "$file"
--- ./scripts/sub/check_wdir.scripts 2002-10-28 17:22:46.000000000 +0100
+++ ./scripts/sub/check_wdir 2006-05-01 10:21:40.000000000 +0200
@@ -78,7 +78,7 @@
eval $greps > $WORKDIR/wdir.tmp.$$
[ -s $WORKDIR/wdir.tmp.$$ ] && {
- echo "--INFO-- [fsys008i] The following directories are world writable:"
+ message FAIL fsys008f "" 'The following directories are world writable:'
$SORT $WORKDIR/wdir.tmp.$$
}
--- ./scripts/sub/check_sgid.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./scripts/sub/check_sgid 2006-05-01 10:21:40.000000000 +0200
@@ -89,7 +89,7 @@
haveallcmds LS AWK && {
[ -s $WORKDIR/sgid.list.$$ ] && {
- message INFO fsys011i "" 'The following setgid programs are non-standard:'
+ message ALERT fsys011a "" 'The following setgid programs are non-standard:'
while read file
do
$LS $LSGROUP -ld "$file"
--- ./scripts/sub/check_embed.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./scripts/sub/check_embed 2006-05-01 10:21:40.000000000 +0200
@@ -184,7 +184,7 @@
}
done 2>/dev/null |
$SORT -u |
- $JOIN -o 1.2 2.1 2.2 - $oldfile |
+ $JOIN -o "1.2 2.1 2.2" - $oldfile |
$AWK '{
if($3 != "")
printf("%s %s->%s\n", $1, $2, $3);
@@ -222,14 +222,14 @@
fi
done |
$SORT -u |
- $JOIN -o 2.1 2.2 - $WORKDIR/scr.$$
+ $JOIN -o "2.1 2.2" - $WORKDIR/scr.$$
> $oldfile
[ -s $newfile ] && {
$SORT -u $newfile $record > $record.new
$SORT -u $newfile |
- $JOIN -o 2.1 2.2 - $WORKDIR/scr.$$ |
+ $JOIN -o "2.1 2.2" - $WORKDIR/scr.$$ |
$SORT -u > $oldfile
}
@@ -282,9 +282,5 @@
done
delete $newfile $oldfile $record $WORKDIR/tmp1.$$
-#
-exit 0
-#
-exit 0
-#
+
exit 0
--- ./scripts/sub/check_links.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./scripts/sub/check_links 2006-05-01 10:23:12.000000000 +0200
@@ -49,17 +49,17 @@
haveallfiles WORKDIR || exit 1
$REALPATH < $file |
-$SORT +1 > $WORKDIR/link.tmp.$$
+$SORT -k 1 > $WORKDIR/link.tmp.$$
$GREP -v '^#' $FILE_ACL |
$SORT |
-$JOIN -j2 2 -o 2.1 2.2 1.1 - $WORKDIR/link.tmp.$$ |
+$JOIN -2 2 -o "2.1 2.2 1.1" - $WORKDIR/link.tmp.$$ |
while read file realfile facl
do
$LS -ld $LSGROUP "$file" | {
read p l owner group s a b c f
[ "$owner" != 'root' -a "$owner" != 'bin' ] && {
- echo "--INFO-- [fsys007i] Symbolic link \`$file' points to \`$realfile'."
+ message INFO fsys007i "" "Symbolic link \`$file' points to \`$realfile'."
}
}
done
--- ./scripts/check_ftpusers.scripts 2003-10-07 00:24:00.000000000 +0200
+++ ./scripts/check_ftpusers 2006-05-01 10:21:40.000000000 +0200
@@ -20,6 +20,8 @@
# Analyses the system's /etc/ftpusers and determines if the administrative
# users are in that file.
#
+# 03/31/2005 jfs Allow FTPUSERS to be customised (some OS have it
+# in alternate locations)
# 10/01/2003 jfs Removed passwd files if not used any longer.
#
# 07/25/2002 jfs Added a sanity check for password files.
@@ -90,9 +92,13 @@
Tiger_Accounts_Trust = 999
export Tiger_Accounts_Trust
}
+FTPUSERS=/etc/ftpusers
+if [ "$OS" = "SunOS" -a ! -e "$FTPUSERS" ] ; then
+ FTPUSERS=/etc/ftpd/ftpusers
+fi
# Do this only if ftpusers exists
-if [ -f /etc/ftpusers ]; then
+if [ -f "$FTPUSERS" ]; then
if [ -n "$Tiger_PasswdFiles" ]; then
[ -f $Tiger_PasswdFiles ] && $CAT "$Tiger_PasswdFiles" > $WORKDIR/pass.list.$$
@@ -111,14 +117,14 @@
# user=`echo $line | $AWK -F: '($3 <= $Tiger_Accounts_Trust) { print $1 }'`
# Note: root is removed since it is checked for in check_root
- [ -n "$user" -a "$user" != "root" ] && [ -z "`$GREP \"^$user\" /etc/ftpusers`" ] &&
- message FAIL netw018f "" "Administrative user $user allowed access in /etc/ftpusers"
+ [ -n "$user" -a "$user" != "root" ] && [ -z "`$GREP \"^$user\" $FTPUSERS`" ] &&
+ message FAIL netw018f "" "Administrative user $user allowed access in $FTPUSERS"
done
[ ! -n "$Tiger_PasswdFiles" ] && delete $passwd_set $passwd_set.src
done
else
- message FAIL netw020f "" "There is no /etc/ftpusers file."
+ message FAIL netw020f "" "There is no $FTPUSERS file."
fi
--- ./scripts/check_printcap.scripts 2003-05-01 19:47:06.000000000 +0200
+++ ./scripts/check_printcap 2006-05-01 10:21:40.000000000 +0200
@@ -19,6 +19,9 @@
#
[...11883 lines suppressed...]
- $RM -f $WORKDIR/p.$$
+ $RM $WORKDIR/u.$$
+ $RM $WORKDIR/p.$$
+ $RM $WORKDIR/s.$$
else
- echo "--FAIL-- [run001e] The file /etc/shadow is available but not readable by the user running Tiger."
+ echo "--ERROR-- [run001e] The file /etc/shadow is available but not readable by the user running Tiger."
fi
else
@@ -135,20 +168,40 @@
echo "--WARN-- [miscxxxx] The '+' key in the /etc/passwd file should only be used in nsswitch 'compat' mode."
}
- [ "$source" = compat ] && [ -n "$YP" ] && {
- $YPCAT passwd > $WORKDIR/nis_passwd.$$
+ [ "$source" = "compat" ] && [ -n "$YPCAT" ] && {
+ $YPCAT passwd > $WORKDIR/nis_passwd.$$ 2>/dev/null
+ if [ $? -eq 0 ] ; then
echo "NIS" > $WORKDIR/nis_passwd.$$.src
echo $WORKDIR/nis_passwd.$$ >> $outfile
+ else
+ # Ypcat has not succeeded, remove the temporary file
+ $RM $WORKDIR/nis_passwd.$$
+ fi
}
;;
- nis) [ "$local" != 1 ] && {
- $YPCAT passwd > $WORKDIR/nis_passwd.$$
+ nis) [ "$local" != 1 ] && [ -n "$YPCAT" ] && {
+ $YPCAT passwd > $WORKDIR/nis_passwd.$$ 2>/dev/null
+ $YPCAT passwd > $WORKDIR/nis_passwd.$$ 2>/dev/null
+ if [ $? -eq 0 ] ; then
echo "NIS" > $WORKDIR/nis_passwd.$$.src
echo $WORKDIR/nis_passwd.$$ >> $outfile
+ else
+ # Ypcat has not succeeded, remove the temporary file
+ $RM $WORKDIR/nis_passwd.$$
+ fi
}
;;
-# This is from SunOS, what do to do for Linux?
+ ldap) [ "$local" != 1 ] && [ -n "$GETENT" ] && {
+ $GETENT passwd > $WORKDIR/ldap_passwd.$$ 2>/dev/null
+ if [ $? -eq 0 ] ; then
+ echo $WORKDIR/ldap_passwd.$$ >> $outfile
+ else
+ $RM $WORKDIR/ldap_passwd.$$
+ fi
+ }
+ ;;
+# This is from SunOS, what should we do here for Linux? (if anything)
# nisplus) [ "$local" != 1 ] && {
# $NISCAT passwd.org_dir > $WORKDIR/nisplus_passwd.$$
# echo "NIS+" > $WORKDIR/nisplus_passwd.$$.src
@@ -161,4 +214,4 @@
done
-
+exit 0
--- ./systems/default/gendlclients.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./systems/default/gendlclients 2006-05-01 10:21:41.000000000 +0200
@@ -16,6 +16,8 @@
# Please see the file `COPYING' for the complete copyright notice.
#
# default/gendlclients - MM/DD/YY
+# 05/02/2004 jfs Try to avoid eval problems if handling variables with
+# special characters (such as space)
#
#-----------------------------------------------------------------------------
#
@@ -49,5 +51,5 @@
$SORT -u |
while read client server filesys
do
- eval "case $server in $HOSTNAMESLIST) echo $client $filesys;; esac"
+ eval "case \"$server\" in $HOSTNAMESLIST) echo \"$client $filesys\";; esac"
done
--- ./systems/default/gen_bootparam_sets.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./systems/default/gen_bootparam_sets 2006-05-01 10:21:41.000000000 +0200
@@ -41,7 +41,7 @@
echo "$WORKDIR/etc_bootparams.$$"
}
-[ -n "$YP" ] && {
+[ -n "$YPCAT" ] && {
$YPCAT bootparams > $WORKDIR/nis_bootparams.$$
echo "NIS" > $WORKDIR/nis_bootparams.$$.src
echo "$WORKDIR/nis_bootparams.$$"
--- ./systems/default/gen_services.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./systems/default/gen_services 2006-05-01 10:21:41.000000000 +0200
@@ -28,7 +28,7 @@
echo "/etc/services" > $WORKDIR/etc_services.$$.src
echo $WORKDIR/etc_services.$$
-[ -n "$YP" ] && {
+[ -n "$YPCAT" ] && {
$YPCAT services > $WORKDIR/nis_services.$$
echo "NIS" > $WORKDIR/nis_services.$$.src
echo $WORKDIR/nis_services.$$
--- ./systems/default/gen_alias_sets.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./systems/default/gen_alias_sets 2006-05-01 10:21:41.000000000 +0200
@@ -53,7 +53,7 @@
echo $WORKDIR/etc_aliases.$$
}
-[ -n "$YP" ] && {
+[ -n "$YPCAT" ] && {
$YPCAT -k aliases |
$SED -e 's/ /:/' |
$SORT |
--- ./systems/default/check_ndd.scripts 2003-08-09 12:32:45.000000000 +0200
+++ ./systems/default/check_ndd 2006-05-01 10:21:41.000000000 +0200
@@ -23,6 +23,8 @@
#
# 07/11/2003 rbradetich at uswest.net - Initial version.
#
+# 05/02/2004 jfs Try to avoid eval problems if handling variables with
+# special characters (such as space)
# 08/09/2003 jfs - Placed in the generic default directory for Unix systems
# so that systems can run them using 'check'
#
@@ -87,7 +89,7 @@
do
([ -z "$dev" ] || [[ $dev = \#* ]]) && continue
val=`$NDD -get $dev $parm 2>/dev/null`
- eval "case $val in
+ eval "case \"$val\" in
$good)
;;
*)
--- ./systems/default/gen_group_sets.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./systems/default/gen_group_sets 2006-05-01 10:21:41.000000000 +0200
@@ -31,7 +31,7 @@
echo "/etc/group" > $WORKDIR/etc_group.$$.src
echo $WORKDIR/etc_group.$$
-[ -n "$YP" ] && {
+[ -n "$YPCAT" ] && {
$YPCAT group |
$SORT |
$COMM -23 - $WORKDIR/etc_group.$$ > $WORKDIR/nis_group.$$
--- ./systems/default/gen_passwd_sets.scripts 2002-06-14 10:51:31.000000000 +0200
+++ ./systems/default/gen_passwd_sets 2006-05-01 10:21:41.000000000 +0200
@@ -17,9 +17,23 @@
#
# default/gen_passwd_sets - 06/14/93
#
+# 11/18/2003 - jfs - Check if YPCAT is available before calling it. Also
+# sanity checks for other commands.
+#
#-----------------------------------------------------------------------------
#
+[ ! -n "$SORT" ] && SORT=`which sort`
+[ ! -n "$GREP" ] && GREP=`which grep`
+[ ! -n "$AWK" ] && AWK=`which awk`
+[ ! -n "$JOIN" ] && JOIN=`which join`
+[ ! -n "$CAT" ] && CAT=`which cat`
+[ ! -n "$RM" ] && RM=`which rm`
+[ ! -n "$SED" ] && SED=`which sed`
+[ ! -n "$YPCAT" ] && YPCAT=`which ypcat`
+[ ! -n "$NISCAT" ] && NISCAT=`which niscat`
+[ ! -n "$WORKDIR" ] && WORKDIR=/tmp
+
local=0
for parm
do
@@ -34,7 +48,7 @@
echo "/etc/passwd" > $WORKDIR/etc_passwd.$$.src
echo $WORKDIR/etc_passwd.$$ >> $outfile
-[ -n "$YP" ] && {
+[ -n "$YPCAT" ] && {
$YPCAT passwd > $WORKDIR/nis_passwd.$$
echo "NIS" > $WORKDIR/nis_passwd.$$.src
echo $WORKDIR/nis_passwd.$$ >> $outfile
--- ./util/getnetgroup.scripts 2003-04-21 10:02:04.000000000 +0200
+++ ./util/getnetgroup 2006-05-01 10:21:41.000000000 +0200
@@ -25,7 +25,7 @@
done
}
-[ "$YP" = "" ] && {
+[ "$YPCAT" = "" ] && {
echo "$targets"
exit 0
}
--- ./util/buildconf.scripts 2003-08-15 00:20:41.000000000 +0200
+++ ./util/buildconf 2006-05-01 10:21:41.000000000 +0200
@@ -126,7 +126,6 @@
GETFS mount
GETHOSTNAME hostname
GREP grep
-GROUPC groups
GROUPSS groups
HEAD head
ID id
--- NEW FILE tiger-3.2.1.tar.gz.sig ---
ˆ?��
--- NEW FILE tiger.README ---
Tiger for Fedora
----------------
PLEASE NOTE:
Some of the checks do not apply completely to Fedora systems
or Fedora's defaults are somewhat different. This might lead to
somethings being reported as a security issue when they really
aren't (known in the security field as 'false positives')
In some cases this might be Tiger's problem (of it being an old UNIX
auditing program) or it might be Fedora's. If you feel a security report
is not appropriate to your system discuss it in the
fedora-extras-list at redhat.com mailing list.
If you really think it's a BUG of Tiger, then send a bug-report
for the package at https://bugzilla.redhat.com.
Please make sure you look at current (open) bugs there.
This package is in its first versions, and there is a lot of room
for improvement, so please report what you find inappropriate.
Configuration
-------------
First of all make sure to read, understand and customize
/etc/tiger/tigerrc and /etc/tiger/cronrc to adapt to your local security
policy, as the warning on installation says "You cannot expect to tiger to work
fully to your needs without adapting it". Bugs regarding false positives
which can be fixed by the proper configuration and/or use of templates (see below)
will be set to "wishlist", even if the bug submitter thinks they are
"serious".
Using Templates
---------------
Tiger in Fedora can compare against "templates" when running through
a cron job. That is, you can take a given log from a previous run
(at /var/log/tiger) rename it with a ".template" instead of a ".[number]"
and place it under /etc/tiger/templates.
Tiger checks will compare against it. That way Tiger will only report issues
when they changed from the template (if configured in /etc/tiger/tigerrc).
Another (less secure) method is to have Tiger only report changes from previous
runs, please note that in this setup problems will only be reported *once*
in cron jobs, regardless of importance. This is the default behavior, that
is, this will work just after installation.
KNOWN ISSUES
------------
(these are *not* BUGS)
- shells on default users. It should check if the services are enabled
(i.e. the user is useful here).
TODO
----
- Possible new checks:
. check all files and see if they are of the same user/group as their root dir
. look for files with no uid in /etc/passwd and gid in /etc/group
- Warn about updates with "yum check-update"
- Use rpm -V to check which files have changed
TESTING
-------
. Check for files not in /usr/local and /home
not owned by any package (easy with rpm -qf) (Note: Currently looks only
in binary paths /bin /usr/bin... not in all the filesystem)
Debian-specific adaptations made by Javier Fernandez-Sanguino Peña <jfs at computer.org>
Imported and adapted for Fedora by Aurelien Bompard <gauret[AT]free.fr>
--- NEW FILE tiger.cron ---
#
# Regular cron jobs for the tiger package
#
0 * * * * root test -x /usr/sbin/tigercron && /usr/sbin/tigercron -q
--- NEW FILE tiger.ignore ---
# Fedora uses a "mail" group to allow some access to /var/spool/mail.
Login ID mail's home directory \(/var/spool/mail\) has group `mail' write access.
# Fedora uses a "gdm" group to allow GDM to write ti /var/gdm
Login ID gdm's home directory \(/var/gdm\) has group `gdm' write access.
# nfsnobody is not a real user account, thus it does not have shell init file in its homedir
Login ID nfsnobody may be missing a shell initialization file /var/lib/nfs/.nologinrc.
# Standard perm in Fedora: 664
Log file /var/log/wtmp permission should be 644
/var/log/wtmp should not have group write.
# Standard perm in Fedora: 600
Log file /var/log/btmp permission should be 660
# Standard perm in Fedora: 664
Log file /var/run/utmp permission should be 644
# Does not exist in Fedora
Log file /var/log/loginlog does not exist
# Standard perm in Fedora: 600
Log file /var/log/messages permission should be 640
# Does not exist by default in Fedora
Root crontab does not exist
# Standard service ports in Fedora
The port for service fsp is also assigned to service ftp.
The port for service whois is also assigned to service nicname.
The port for service www is also assigned to service http.
The port for service snmp-trap is also assigned to service snmptrap.
The port for service z3950 is also assigned to service z39.50.
The port for service ulistserv is also assigned to service ulistproc.
The port for service route is also assigned to service router.
The port for service font-service is also assigned to service xfs.
The port for service kerberos4 is also assigned to service kerberos-iv.
The port for service krb_prop is also assigned to service krb5_prop.
The port for service ssmtp is also assigned to service smtps.
The port for service rmtcfg is also assigned to service bvcontrol.
The port for service zebrasrv is also assigned to service hpstgmgr.
The port for service zebra is also assigned to service discp-client.
The port for service ripd is also assigned to service discp-server.
The port for service ripngd is also assigned to service servicemeter.
The port for service ospfd is also assigned to service nsc-ccs.
The port for service bgpd is also assigned to service nsc-posa.
The port for service ospf6d is also assigned to service netmon.
The port for service kpasswd is also assigned to service rxe.
The port for service kx is also assigned to service dsatp.
The port for service moira_db is also assigned to service entomb.
The port for service moira_update is also assigned to service multiling-http.
The port for service predict is also assigned to service eoss.
The port for service xtelw is also assigned to service pdps.
The port for service ndtp is also assigned to service search.
The port for service afmbackup is also assigned to service zarkov.
The port for service pcrd is also assigned to service esri_sde.
The port for service mrtd is also assigned to service hyperscsi-port.
The port for service bgpsim is also assigned to service v5ua.
The port for service sane is also assigned to service sane-port.
The port for service omniorb is also assigned to service radan-http.
# Set in /etc/bashrc
There are no umask entries in /etc/profile
# Set in /etc/csh/cshrc
There are no umask entries in /etc/csh.login
# Standard perm in Fedora: 4666
/dev/log has world permissions
# Standard perm in Fedora: 644
/dev/rtc has world permissions
# Standard perm in Fedora: 666
/dev/ptmx has world permissions
# Normal in Fedora
The directory /dev/snd resides in a device directory.
# Standard perm in Fedora: 644
/etc/xinetd.conf permissions are not 600.
# Standard perm in Fedora: 644
/etc/xinetd.d/.* permissions are not 600.
# Normal in Fedora
Group root\(0\) has got the following members: root
# Normal in Fedora
Group bin\(1\) has got the following members: root,bin,daemon
# Normal in Fedora
Group daemon\(2\) has got the following members: root,bin,daemon
# Normal in Fedora
Login halt has a group id of 0 which should be reserved for root
# Normal in Fedora
Login operator has a group id of 0 which should be reserved for root
# Normal in Fedora
Login shutdown has a group id of 0 which should be reserved for root
# Normal in Fedora
Login sync has a group id of 0 which should be reserved for root
--- NEW FILE tiger.ignore.server ---
# Mysql database server
Program mysqld \(pid [[:digit:]]+, parent [[:digit:]]+\) is using a deleted file: .* /var/log/mysql/mysql\.err\.[[:digit:]]+ \(deleted\)
Program mysqld \(pid [[:digit:]]+, parent [[:digit:]]+\) is using a deleted file: .* /tmp/.* \(deleted\) and is a a server listening on port\(s\) mysql
# Apache web server
Server /usr/sbin/apache \(pid [[:digit:]]+\) is using deleted files
Program apache \(pid [[:digit:]]+, parent [[:digit:]]+\) is using a deleted file: .* /tmp/session_mm_apache0.sem \(deleted\)
The parent process of server /usr/sbin/apache \(pid [[:digit:]]+\) is using deleted files
# Cupds printer daemon
Server /usr/sbin/cupsd \(pid [[:digit:]]+\) is using deleted files
Program cupsd \(pid [[:digit:]]+, parent [[:digit:]]+\) is using a deleted file: .* /var/log/cupsd/error_log\..* \(deleted\)
#Mailman list manager
Program python \(pid [[:digit:]]+, parent [[:digit:]]+\) is using a deleted file: .* /var/log/mailman/.* \(deleted\)
# Squid proxy
Server \(squid\) .* \(pid [[:digit:]]+\) is using deleted files
# SSH users accessing remotely with X11 forwarding 'on'
The process `sshd' is listening on socket 6[[:digit:]]+ (TCP on loopback interface) is run by .*
--- NEW FILE tiger.spec ---
Name: tiger
Version: 3.2.1
Release: 4%{?dist}
Summary: Security auditing on UNIX systems
Group: Applications/System
License: GPL
URL: http://www.nongnu.org/tiger/
Source0: http://savannah.nongnu.org/download/tiger/tiger-3.2.1.tar.gz
Source1: http://savannah.nongnu.org/download/tiger/tiger-3.2.1.tar.gz.sig
Source2: tiger.cron
Source3: tiger.ignore
Source4: tiger.ignore.server
Source5: tiger.README
Patch0: tiger-3.2.1-autotools.patch
# Default configuration
Patch1: tiger-3.2.1-config.patch
# Mainly typos
Patch2: tiger-3.2.1-doc.patch
# Fixes in the checking scripts and additional scripts
Patch3: tiger-3.2.1-scripts.patch
# Various fixes
Patch4: tiger-3.2.1-fixes.patch
# Fix for one small C program
Patch5: tiger-3.2.1-gcc4.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, recode
Requires: bash, vixie-cron
%description
TIGER, or the "tiger" scripts, is a set of Bourne shell scripts,
C programs and data files which are used to perform a security audit
of UNIX systems. It is designed to hopefully be easy to use, easy to
understand and easy to enhance.
%prep
%setup -q -n tiger
%patch0 -p1 -b .autotools
%patch1 -p1 -b .config
# No backup, or the files will be copied in the buildroot
#%patch2 -p1 -b .doc
#%patch3 -p1 -b .scripts
%patch2 -p1
%patch3 -p1
%patch4 -p1 -b .fixes
%patch5 -p1 -b .gcc4
find . -name "*.rpmorig" | xargs rm -f
find . -name "*.orig" | xargs rm -f
find . -name "*.old" | xargs rm -f
recode ISO-8859-1..UTF-8 man/tiger.8.in
install -p -m 644 %{SOURCE5} README.Fedora
# Remove CVS dirs
find . -type d -name CVS | xargs rm -rf
%build
autoconf
%configure \
--with-tigerhome=%{_libdir}/tiger \
--with-tigerwork=%{_localstatedir}/run/tiger/work \
--with-tigerlog=%{_localstatedir}/log/tiger \
--with-tigerbin=%{_sbindir} \
--with-tigerconfig=%{_sysconfdir}/tiger
make %{?_smp_mflags}
%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/cron.d
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/tiger/templates
install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/cron.d/tiger
install -p -m 600 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/tiger/tiger.ignore
install -p -m 644 version.h $RPM_BUILD_ROOT%{_libdir}/tiger
for system in AIX HPUX IRIX NeXT SunOS UNICOS UNICOSMK Tru64 MacOSX; do
rm -rf $RPM_BUILD_ROOT%{_libdir}/tiger/systems/${system};
done
ln -s %{_sbindir}/tigexp $RPM_BUILD_ROOT%{_libdir}/tiger/tigexp
mkdir examples
cp -p cronrc tigerrc tigerrc-all tigerrc-dist tigerrc-TAMU \
site-sample site-saturn %{SOURCE4} examples
chmod 644 examples/*
# Perm fixes
chmod +x $RPM_BUILD_ROOT%{_libdir}/tiger/systems/Linux/2/check_*
# Documentation (in %%doc)
rm -rf $RPM_BUILD_ROOT%{_libdir}/tiger/html
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root,-)
%doc USING BUGS.EXTERN DESCRIPTION CREDITS README README.1st README.hostids
%doc README.ignore README.linux README.signatures README.sources
%doc README.time README.unsupported README.writemodules TODO README.Fedora
%doc COPYING examples html
%{_mandir}/man*/*
%{_sbindir}/*
%{_libdir}/tiger
%{_localstatedir}/run/tiger
%{_localstatedir}/log/tiger
%config(noreplace) %{_sysconfdir}/tiger
%config %{_sysconfdir}/cron.d/tiger
%changelog
* Sat May 13 2006 Aurelien Bompard <gauret[AT]free.fr> 3.2.1-4
- include the COPYING file
- put HTML doc in %%doc
- drop useless logos
- fix %%description
- remove CVS dirs in %%prep
- Thanks to Hans de Goede in bug 165311
* Sat Apr 22 2006 Aurelien Bompard <gauret[AT]free.fr> 3.2.1-3
- don't backup some patches, or the files will be copied in the buildroot
- set conf files to noreplace
- fix manpage encoding
* Sun Apr 02 2006 Aurelien Bompard <gauret[AT]free.fr> 3.2.1-2
- fix arguments for "sort" and "tail" in patch3
* Sat Aug 06 2005 Aurelien Bompard <gauret[AT]free.fr> 3.2.1-1
- initial package, importing Debian's fixes
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/tiger/devel/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore 13 May 2006 21:36:56 -0000 1.1
+++ .cvsignore 13 May 2006 21:38:59 -0000 1.2
@@ -0,0 +1 @@
+tiger-3.2.1.tar.gz
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/tiger/devel/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources 13 May 2006 21:36:56 -0000 1.1
+++ sources 13 May 2006 21:38:59 -0000 1.2
@@ -0,0 +1 @@
+7c4d6dc7c56b3b6f8fa349eca7f8e41d tiger-3.2.1.tar.gz
More information about the scm-commits
mailing list