How good is tiger

I'm looking for a reasonable tool to install on a Debian server to check for
any compromises.

I have chkrootkit running already - but wonder if tiger would be worth

Or maybe I should go the whole hog and add tripwire or other detection



Re: How good is tiger

I was _going_ to say that Tiger was completely obsolete, having been
abandoned by its original TAMU maintainers a long time ago.  However, I
see that it's being resurrected.  On the third hand, the fact that the
most recent release was from late 2003 doesn't lend much confidence.

If you're trying chkrootkit, then you might as well run rkhunter, as
well.  I _hope_ you're doing this while running from a maintenance boot
CD (or such) that is itself known to be uncompromised.
Security-scanning a suspect system from within itself has obvious
problems:  _If_ it's root-compromised, then you cannot trust what it

That would be useful at this point _provided_ you have a time machine,
can go back to before the suspected security breach, and can install /
configure it then.  All that Tripwire, AIDE, Samhain, Prelude-IDS, etc.
can do at this point is say "Yep, the hash values from those suspect
binaries are unchanged from yesterday.  Still suspect."

Suggestion:  Really, one of the most-reliable ways to detect compromise
is to know your system well enough to spot it behaving in peculiar and
suspect ways that it's not supposed to, that could not have been
arranged without stealing root authority.  Please note that that, even
more than the use of AIDE, was what tipped off the Debian Project's
sysadmins in 2003:
