Tiger is History, Long Live Modern Alternatives!
Recently I saw some tweets showing up from an old friend: Tiger. I was surprised to see it being promoted, as I have known the tool for years but have not seen any new releases in recent years. Both are actually a shame. An outdated tool is usually of lower value. Promoting old tools might actually disappoint others and harm the initial trust in the software.
History of Tiger
In its day, the tool was quite good. Seeing that the tool is still being reviewed on blogs, this might be a good opportunity to check out the tool (again). At the same time, it might be good to learn about some modern alternatives to Tiger, which are more up-to-date with current technologies. Let’s start with the history first and then dive into what we can learn from the project. Tiger is still presented as “The Unix security audit and intrusion detection tool”.
Due to the lack of updates, the value of this statement has been going down rapidly over the years. This was a different story when the security tool was first released. The tool was created at the Texas University and released for duty. At the same time, several other tools were available, like SATAN and COPS. Those who worked with Linux early on will most likely remember the names.
Development
Unfortunately, the project's development stalled several times. The project is open about this on its website, and even shows a merger of several projects to keep it going. Despite that, the project is now stalled again, showing no progress for years. It is very common to see this happening with open source projects, usually because of decreasing interest by the developers to continue development. Combining an open source project with your own work, family and personal time is not easy. As an open source author myself, I have experienced several times that the pressure of continuously maintaining a hobby project can be overwhelming. Other reasons why open source projects stall include a declining need for such a tool. In the case of Tiger this might not have been the case, if it had been continuously developed and kept up with the latest developments. It might have been as simple as a lack of proper promotion of the project, promotion that brings the “good vibes” to continue and attracts new contributors.
Tiger Alternatives
Nowadays Tiger has several good alternatives, including both open and closed source solutions. If you look purely at open source alternatives for Tiger, our own tool Lynis comes to mind. Another option is using OpenSCAP.
OpenSCAP
With the goal of automating security settings and applying hardening, the OpenSCAP project is getting some traction. SCAP is a protocol defined by NIST for storing security-related information. The goal is to use this information at a later stage (e.g. for auditing or hardening).
OpenSCAP itself is licensed under the LGPL. At the same time, we see people struggle with its implementation, especially because releases are tailored to individual releases of the operating system. So if you are running the newest version of your OS, you might sometimes have to wait 6 months for support. Additionally, the main focus is Red Hat systems, including CentOS and Fedora. This is not surprising, as Red Hat is the main driver behind the project. This is also the reason why you find the software in their Satellite product.
Fortunately, other operating systems are slowly adopting SCAP content as well, like a recent addition of OpenSCAP to Debian. The hardening profiles used with OpenSCAP are predefined. The risk is that they might not be in line with your needs, or might even cripple the main purpose of the system. So beware that this is not a fire-and-forget solution. However, if you have thousands of similar versions of RHEL and want them all to be the same, then OpenSCAP is definitely a great choice for you.
Lynis
Lynis has been available since 2007, is open source, and is released under GPLv3. Its focus is on performing security audits, similar to Tiger. It does not apply hardening, as it recognizes that every system can be different. It does help users to detect possible weaknesses and room for improvement, while giving the user the control to decide what changes make sense.
The project can be found on GitHub, ensuring people can easily submit issues and contribute to the project. This helps the project with continuous development and supporting newer technologies like Docker containers.
To really understand the power of Lynis, you have to look inside the source code itself. The colored output might actually look like it was written in a higher-level programming language like Python. The truth is that it is a shell script, based on the Bourne shell (not to be confused with Bash!). So it really runs on all Unix-based systems, including appliances, storage devices and your Raspberry Pi.
Another powerful aspect of the tool is that no compilation or installation is needed. This makes it great for running on a system, without the need for installation or changing the system itself. IT auditors and security professionals really love this during their security assessments.
Maybe the strongest reason to use Lynis is that it will run on even the newest versions of your operating system. This is because of the “opportunistic” scanning behavior of the tool. It simply tries to detect and use as many system utilities as possible, without requiring them as a dependency. This way it can always find improvements, even though it has no predefined policy.
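The opportunistic behavior described above, sketched as an added example in POSIX shell. It is not Lynis source code; the function names (have, file_mode, check_world_writable) and the sample paths are assumptions made for illustration. Each check uses whichever utility is present and reports a skip instead of aborting when none is.

```sh
#!/bin/sh
# Added illustration of opportunistic scanning; not taken from Lynis.
# Function names and the sample paths are assumptions for this example.

# have: succeeds when a utility is in PATH. A missing tool is never fatal.
have() { command -v "$1" >/dev/null 2>&1; }

# file_mode: print the octal permission bits of $1 with whatever exists:
# GNU/BusyBox stat, then BSD stat, then a fallback that parses `ls -ldL`
# (the fallback reports rwx bits only, not setuid/setgid/sticky).
file_mode() {
    if have stat; then
        m=$(stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null) &&
            { printf '%s\n' "$m"; return 0; }
    fi
    have ls && have cut || return 1
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c2-10)
    [ "${#perms}" -eq 9 ] || return 1
    out=""
    for triplet in "$(printf '%s' "$perms" | cut -c1-3)" \
                   "$(printf '%s' "$perms" | cut -c4-6)" \
                   "$(printf '%s' "$perms" | cut -c7-9)"; do
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# check_world_writable: report OK, WARNING or SKIPPED for one path.
check_world_writable() {
    [ -e "$1" ] || { printf 'SKIPPED %s (not present)\n' "$1"; return 0; }
    mode=$(file_mode "$1") ||
        { printf 'SKIPPED %s (no tool to read mode)\n' "$1"; return 0; }
    case ${mode#"${mode%?}"} in          # last octal digit = "other" bits
        2|3|6|7) printf 'WARNING %s is world-writable (mode %s)\n' "$1" "$mode" ;;
        *)       printf 'OK %s (mode %s)\n' "$1" "$mode" ;;
    esac
}

# Paths that exist on some systems only; absent ones are skipped, not errors.
for path in /etc/passwd /etc/ssh/sshd_config /etc/sudoers; do
    check_world_writable "$path"
done
```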
OpenSCAP and Lynis are both great alternatives to the now outdated Tiger tool. So if you need to perform compliance testing or system hardening, or simply want a security checkup, give them both a try!