tigercron - Cron utility for Tiger UNIX Security Checker
tigercron [controlfile] [-B basedir] [tigeroptions...]
Tigercron is used to run periodically checks from the Tiger UNIX
Security Checker. Tigercron reads a control file which is usually
located in ’/etc/tiger/cronrc’ although it can also be specificied as
the first argument when calling the program. The format of this
control file is the same as for the cron program, each line indicates
when different checks from Tiger will be run. The user can indicate
where Tiger is installed through the -B basedir parameter, any other
additional options provided in the command line will be passed on to
configure to configure Tiger based on them (as described in tiger (8)).
Tigercron runs the specified checks and compares their reports with
previous stored reports (under /var/log/tiger). It will then mail the
user defined in ’/etc/tiger/tigerrc’ (Tiger_Mail_RCPT) the results.
When a module is run, tigercron checks:
· If Tiger_Cron_Template is set to Y in tigerrc. If it is, it checks
if there is a template stating which are the expected results.
· If Tiger_Cron_CheckPrev is set to Y in tigerrc. If it is, it checks
if there is a previous run of the module it can check against.
A differential report is generated depending on the module reports and
previous run and is sent through e-mail. These reports provide an easy
way to detect intrusions even if no configuration of templates has been
done. In the event of an intrusion a Tiger check might detect something
specific (file changes, new processes, new users, etc.) and this alert
mechanism provides a way to turn Tiger into a Host Intrusion Detection
The ability of it to work as a proper HIDS is based on a good
customization of the cronrc file. Modules that check events to which
the host is most exposed to should be run often in order to detect
deviations from normal behaviour.
Tigercron uses the same options as Tiger. A controlfile can be defined
also to override the default.
Configuration file for the Tiger tool.
Configuration file for the Tigercron tool.
Location of the log messages generated by Tiger when run through
Working directory used by Tiger scripts to create temporary
The deficiencies of using tigercron as a HIDS are described in the file
README.hostids which is provided with the package. In Debian GNU/Linux
you will find this (and other related) documentation at
Currently Tigercron has only one alert mechanism (mail) and signatures
are not supported. Thus, alerts could be faked. Also, it is dependant
on cron and will not work if cron is not working.
This manpage was written by Javier Fernandez-Sanguino.