Tiger (security software)

Last updated
Tiger Security Tool
Developer(s) Javier Fernández-Sanguino
Initial release1994
Stable release
3.2.3 / March 3, 2010;9 years ago (2010-03-03)
Operating system Unix, Linux, Solaris
Available in English
Type Security Audit, Intrusion Detection System
License GPL
Website http://www.nongnu.org/tiger/

Tiger is a security software for Unix-like computer operating systems. It can be used both as a security audit tool and a host-based intrusion detection system and supports multiple UNIX platforms. Tiger is free under the GPL license and unlike other tools, it needs only of POSIX tools, and is written entirely in shell language.

Unix-like Operating system that behaves in a manner similar to a Unix system

A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Unix-like application is one that behaves like the corresponding Unix command or shell. There is no standard for defining the term, and some difference of opinion is possible as to the degree to which a given operating system or application is "Unix-like".

An information security audit is an audit on the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized to technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases and highlights key components to look for and different methods for auditing these areas.

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.


Tiger is based on a set of modular scripts that can be run either together or independently to check different aspects of a UNIX system including the review of:


Tiger was originally developed by Douglas Lee Schales, Dave K. Hess, Khalid Warraich, and Dave R. Safford in 1992 at Texas A&M University. [1] [2] The tool was originally developed to provide a check of UNIX systems on the A&M campus that had to be accessed from off campus and, consequently, required clearance through the network security measures set in place. It was developed after a coordinated attack in August 1992 to computers in the campus. The campus system administrators needed something that any user could use to test the system's security and run if they could figure out how to get it down to their machines. The tool was presented in the Fourth USENIX Security Symposium. It was written at the same time that other auditing tools such as COPS, SATAN and Internet Security Scanner were written. Eventually, after the 2.2.4 version, which was released in 1994, development of Tiger stalled. [3]

Texas A&M University Public research university in College Station, Texas, United States

Texas A&M University is a public research university founded in 1876 and located in College Station, Texas. In 1948, Texas A&M University became the founding member of the Texas A&M University System. As of 2017, Texas A&M's student body is the largest in Texas and one of the largest in the United States. Texas A&M's designation as a land, sea, and space grant institution–the only university in Texas to hold all three designations–reflects a range of research with ongoing projects funded by organizations such as the National Aeronautics and Space Administration (NASA), the National Institutes of Health, the National Science Foundation, and the Office of Naval Research. In 2001, Texas A&M was inducted as a member of the Association of American Universities. The school's students, alumni—over 450,000 strong—and sports teams are known as Aggies. The Texas A&M Aggies athletes compete in 18 varsity sports as a member of the Southeastern Conference.

The Computer Oracle and Password System (COPS) was the first vulnerability scanner for Unix operating systems to achieve widespread use. It was created by Dan Farmer while he was a student at Purdue University. Gene Spafford helped Farmer start the project in 1989.

Three different forks evolved after Tiger: TARA (developed by Advanced Research Computing Tiger Analytical Research Assistant), one internally developed by the HP corporation by Bryan Gartner and the last one developed for the Debian GNU/Linux distribution by Javier Fernández-Sanguino (current upstream maintainer). All the forks aimed at making Tiger work in newer versions of different UNIX operating systems.

Debian Linux distribution based on free and open-source software

Debian, also known as Debian GNU/Linux, is a Linux distribution composed of free and open-source software, developed by the community-supported Debian Project, which was established by Ian Murdock on August 16, 1993. The first version, Debian 0.01, was released on September 15, 1993, and the first stable version, 1.1, was released on June 17, 1996. The Debian Stable branch is the most popular edition for personal computers and servers, and is the basis for many other distributions.

These forks were merged in May 2002 and in June 2002 the new source code, now labeled as the 3.0 release, was published in the download section of the newly created Savannah site. Following this merge, the following releases were published:

In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.

SunOS is a Unix-branded operating system developed by Sun Microsystems for their workstation and server computer systems. The SunOS name is usually only used to refer to versions 1.0 to 4.1.4, which were based on BSD, while versions 5.0 and later are based on UNIX System V Release 4, and are marketed under the brand name Solaris.

Linux Family of free and open-source software operating systems based on the Linux kernel

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged in a Linux distribution.


Tiger has some interesting features including a modular design that is easy to expand. It can be used as an audit tool and a host-based intrusion detection system tool as described in the program's manpage [4] and in the source code documentation (README.hostids).

Tiger complements Intrusion Detection System (IDS) (from network IDS Snort), to the kernel (Log-based Intrusion Detection System or LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), integrity checkers (many of these: AIDE, integrit, Samhain, Tripwire...) and logcheckers, providing a framework in which all of them can work together while checking the system configuration and status.

Related Research Articles

IBM AIX Unix operating system from IBM

AIX is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. Originally released for the IBM RT PC RISC workstation, AIX now supports or has supported a wide variety of hardware platforms, including the IBM RS/6000 series and later POWER and PowerPC-based systems, IBM System i, System/370 mainframes, PS/2 personal computers, and the Apple Network Server.

Cygwin Unix subsystem for Windows machines

Cygwin is a POSIX-compatible environment that runs natively on Microsoft Windows. Its goal is to allow programs of Unix-like systems to be recompiled and run natively on Windows with minimal source code modifications by providing them with the same underlying POSIX API they would expect in those systems.

Security-Enhanced Linux Linux kernel security module

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

rc command line interpreter for Version 10 Unix and Plan 9 from Bell Labs operating systems

rc is the command line interpreter for Version 10 Unix and Plan 9 from Bell Labs operating systems. It resembles the Bourne shell, but its syntax is somewhat simpler. It was created by Tom Duff, who is better known for an unusual C programming language construct.

GoboLinux free and open source operating system

GoboLinux is an open source operating system whose most prominent feature is a reorganization of the traditional Linux file system. Rather than following the Filesystem Hierarchy Standard like most Unix-like systems, each program in a GoboLinux system has its own subdirectory tree, where all of its files may be found. Thus, a program "Foo" has all of its specific files and libraries in /Programs/Foo, under the corresponding version of this program at hand. For example, the commonly known GCC compiler suite version 8.1.0, would reside under the directory /Programs/GCC/8.1.0.

The Filesystem Hierarchy Standard (FHS) defines the directory structure and directory contents in Linux distributions. It is maintained by the Linux Foundation. The latest version is 3.0, released on 3 June 2015.

Virtual file system abstraction layer on top of one or more concrete file system, allowing applications to access files via a uniform logical representation

A virtual file system (VFS) or virtual filesystem switch is an abstract layer on top of a more concrete file system. The purpose of a VFS is to allow client applications to access different types of concrete file systems in a uniform way. A VFS can, for example, be used to access local and network storage devices transparently without the client application noticing the difference. It can be used to bridge the differences in Windows, classic Mac OS/macOS and Unix filesystems, so that applications can access files on local file systems of those types without having to know what type of file system they are accessing.

A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a chroot jail.

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

The fstab file is a system configuration file commonly found at /etc/fstab on Unix and Unix-like computer systems. In Linux it is part of the util-linux package. The fstab file typically lists all available disk partitions and other types of file systems and data sources that are not necessarily disk-based, and indicates how they are to be initialized or otherwise integrated into the larger file system structure.

HFS Plus or HFS+ is a journaling file system developed by Apple Inc. It replaced the Hierarchical File System (HFS) as the primary file system of Apple computers with the 1998 release of Mac OS 8.1. HFS+ continued as the primary Mac OS X file system until it was itself replaced with the release of the Apple File System (APFS) with macOS High Sierra in 2017. HFS+ is also one of the formats used by the iPod digital music player. It is also referred to as Mac OS Extended or HFS Extended, where its predecessor, HFS, is also referred to as Mac OS Standard or HFS Standard. During development, Apple referred to this file system with the code name Sequoia.

ifconfig is a system administration utility in Unix-like operating systems for network interface configuration.

CFEngine is an open-source configuration management system, written by Mark Burgess. Its primary function is to provide automated configuration and maintenance of large-scale computer systems, including the unified management of servers, desktops, consumer and industrial devices, embedded networked devices, mobile smartphones, and tablet computers.


chkrootkit is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps command to look for discrepancies.

LAMP (software bundle) software bundle

LAMP is an archetypal model of web service stacks, named as an acronym of the names of its original four open-source components: the Linux operating system, the Apache HTTP Server, the MySQL relational database management system (RDBMS), and the PHP programming language. The LAMP components are largely interchangeable and not limited to the original selection. As a solution stack, LAMP is suitable for building dynamic web sites and web applications.

In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of the technical term of art (jargon) packet capture, that is not the API's proper name. Unix-like systems implement pcap in the libpcap library; for Windows, there is a port of libpcap named WinPcap that is no longer supported or developed, and a port named Npcap for Windows 7 and later that is still supported.

cdrtools is a collection of independent projects of free software/open source computer programs, created by Jörg Schilling and others.


OSSIM is an open source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention.

Lynis is an extensible security audit tool for computer systems running Linux, FreeBSD, macOS, OpenBSD, Solaris, and other Unix-derivatives. It assists system administrators and security professionals with scanning a system and its security defenses, with the final goal being system hardening.

systemd Init system and system/service manager for Linux systems

The systemd software suite provides fundamental building blocks for a Linux operating system. It includes the systemd "System and Service Manager", an init system used to bootstrap user space and manage user processes.


  1. Mann, Scott; Mitchell, Ellen L. (2000). Linux System Security . Upper Saddle River, NJ: Prentice Hall PTR. p.  341. ISBN   0-13-015807-0.
  2. Safford, David R.; Lee Schales, Douglas; David K., Hess (1993). "The TAMU Security Package: An Ongoing Response to Internet Intruders in an Academic Environment". Proceedings of the Fourth USENIX Security Symposium.
  3. http://www.net.tamu.edu/network/tools/tiger.html
  4. Fernandez-Sanguino, Javier. "Tiger program manpage" . Retrieved 14 January 2018.