--- tiger-3.2.4~rc1.orig/config +++ tiger-3.2.4~rc1/config @@ -17,6 +17,10 @@ # # config (top level) - 06/14/93 # +# 08/19/2018 jfs Allow the use of a 'default' directory in each OS +# which makes it possible to have a symlink pointing to +# the most generic definition until a specific definition +# is created (if required) # 08/04/2011 jfs Fix setting of CONFIG_DIR when using the default # 10/06/2010 jfs Do not complain if the working directory is a temporary # on (Debian bug #589089) @@ -348,6 +352,12 @@ echo " configuration files for generic $OS $REL." } CONFIG_DIR="$CONFIG_LOC/$OS/$REL" + elif [ -f "$CONFIG_LOC/$OS/default/config" ]; then + [ "$QUIET" != "Y" ] && { + echo "--CONFIG-- [con005c] Using default configuration files for $OS. Using" + echo " configuration files for generic $OS" + } + CONFIG_DIR="$CONFIG_LOC/$OS/$REL" elif [ -f "$CONFIG_LOC/$OS/config" ]; then [ "$QUIET" != "Y" ] && { echo "--CONFIG-- [con005c] No configuration files for $OS $REV. Using" --- tiger-3.2.4~rc1.orig/debian/changelog +++ tiger-3.2.4~rc1/debian/changelog 
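Review bot: The new `elif [ -f "$CONFIG_LOC/$OS/default/config" ]` branch in the second hunk tests for the `default` directory but then sets `CONFIG_DIR="$CONFIG_LOC/$OS/$REL"`, the same value as the branch above it, so the directory that was just found is never used. If the earlier conditions (outside this hunk) already failed to find a config under `$OS/$REL`, the audit would start with a CONFIG_DIR that holds no usable definitions; the assignment presumably should be `CONFIG_DIR="$CONFIG_LOC/$OS/default"`. The branch also reuses message id `con005c` from the fallback below it, so the two cases cannot be told apart in a report; a distinct id would help. The enclosing if/elif chain starts and ends outside the hunk.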
@@ -1,11 +1,41 @@ -tiger (1:3.2.3-16) UNRELEASED; urgency=medium +tiger (1:3.2.4~rc1-2) unstable; urgency=medium + + * debian/config: Remove only files using xarg instead of -exec. + Use rmdir to remove the main directory instead of using find. + (Closes: #931581, #931926) + * debian/rules: + - Fix the code creating symlinks (Closes: #909620) + - Add symlink for 5 and default (Closes: #928641) + * config: Add the possibility of having a 'default' definition + and use that one instead of the generic one. This change and + above symlinks should avoid any errors to users upgrading + to linux-image or latest version of the kernel in the future + (Closes: #928641) (LP: #1836789) + * default/config: Fix typo in export call (Closes: #928640) (LP: #1830825) + * scripts/check_passwd: Include patch based on the one provided by Christoph + Anton Mitterer that includes the output of 'pwck -r' when the message is + reported. (Closes: #512076) + * scripts/check_group: Include the output of 'grpck -r' when the message + is reported. + * scripts/check_accounts: Do not complain about dormant accounts for + accounts that are system accounts + * debian/control: Improve the explanation of the package and reference + other software for those users that are looking for alternatives. + + -- Javier Fernández-Sanguino Peña Mon, 19 Aug 2019 00:12:13 +0200 + +tiger (1:3.2.4~rc1-1) unstable; urgency=low * debian/postrm: Remove depth in find when purging to avoid warnings (LP: #665453) * debian/source/format: Explicitly define the source format. Set as 1.0 since the package will not use quilt as Savannah upstream is directly packaged into Debian - * Include content from GIT upstream: + * debian/rules: Fix FTCBFS: Let dh_auto_configure pass --host to ./configure. 
+ (Closes: #888041) + * util/convert2html, util/genmsgidx: make the build reproducible with patch + provided by Alexis Bienvenüe (Closes: #828226) + * Include content from GIT upstream (3.2.4rc1 release): - systems/Linux/2/gen_mounts: Added fuse.clamfs and fuse.javafs filesystems (LP: #1204527, #1305057) - systems/Linux/2/check_release: @@ -13,8 +43,21 @@ versions + Add support to check for RHEL and Ubuntu releases. Now Ubuntu is no longer considered a Debian "unstable" version (LP: #248845) + - scripts/check_accounts: Optimise as per suggestion by Arran Schlosberg + - scripts/check_crontabs: Clean up gen_cron file content before it is used + (Closes: #839635) + - systems/Linux/2/check_lilo: Only complain if grub is world readable + when it has a password configured (LP: #248843). + Look for grub in the proper location (as used in Grub 2) + - systems/Linux/2/check_release: Update Debian version, current stable is + 9.3 and list of old Debian versions. Add support to check for RHEL and + Ubuntu releases. Ubuntu is no longer considered a Debian "unstable" + version (LP: #248845) + - systems/Linux/2/deb_checkmd5sums: Optimise by avoiding checking files in + /usr/share/ + - tigerrc: Set +Tiger_Check_TRUSTED to 'N' (Closes: #722629) - -- Javier Fernández-Sanguino Peña Wed, 07 Feb 2018 00:20:35 +0100 + -- Javier Fernández-Sanguino Peña Sat, 10 Feb 2018 22:57:09 +0100 tiger (1:3.2.3-15) unstable; urgency=medium 
@@ -117,10 +160,10 @@ /usr/bin (Closes: #732936, #735102) - Do not use dpkg-divert if not available * systems/Linux/2/gen_mounts - - Added pstore (Closes: 733832) + - Added pstore (Closes: 733832) (LP: #1204531) - Fix typo: hugetlbf --> hugetlbfs (Closes: 729692) - Add fuse.gvfs-fuse-daemon as a filesystem and consider gvfs - filesystems as non-LOCAL to be in the safe side. + filesystems as non-LOCAL to be in the safe side. (LP: #1204531) - systems/Linux/2/check_single: Do not assume existance of /etc/inittab" [ Debian specific changes ] * debian/control: Bump standards, no changes required @@ -581,7 +624,7 @@ * scripts/check_ftpusers: Skip this check if there is no FTP daemon installed (Closes: #420486) * scripts/check_printcap: Skip this test if CUPS is installed - (Closes: #420487) + (Closes: #420487) (LP: #248852) * system/Linux/2/gen_mounts: Added fusectl to the local filesystems (Closes: #409386) * Debconf translations: --- tiger-3.2.4~rc1.orig/debian/control +++ tiger-3.2.4~rc1/debian/control 
@@ -13,43 +13,55 @@ Architecture: any Depends: net-tools, binutils, bsdmainutils, debconf | debconf-2.0, ucf, ${shlibs:Depends}, ${misc:Depends} Recommends: sendmail | mail-transport-agent, john, chkrootkit, tripwire | aide -Suggests: lsof -Description: Report system security vulnerabilities - TIGER, or the 'tiger' scripts, is a set of Bourne shell scripts, C programs - and data files which are used to perform a security audit of different - operating systems. The tools can be both run altogether once to generate an - audit report of the system and they can also be run periodically to - provide information on changes to the system's security once a - security baseline has been defined. Consequently, they can be used - also as a host intrusion detection mechanism. - . - The tools rely on specialised external security tools such as John the Ripper, - Chkroot and integrity check tools (like Tripwire, Integrit or Aide) for some - of the tasks. The periodic review mechanism relies on the use of the cron task - scheduler and an email delivery system. +Suggests: lsof, lynis +Description: security auditing and intrusion detection tools for Linux + TIGER, or the 'tiger' scripts, is a set of tools (Bourne shell scripts and C + programs) which are used to perform a security audit of different operating + systems components. The tools can be both run all at once to generate an + audit report of the system and to detect elements that could be fixed + when hardening it. . TIGER has one primary goal: report ways the system's security can be compromised. + . + Most of the tools are independent, but some of them rely on specialised + external security tools such as John the Ripper, Chkroot and integrity check + tools (like Tripwire, Integrit or Aide) to execute some tasks. + . + The same checks are also configured by default to run periodically and + detect deviations or unauthorised changes. This makes it possible to + used them also as a host intrusion detection mechanism. 
+ This review mechanism relies on the use of the cron task scheduler and an + email delivery system to report errors and deviations. . - Debian's TIGER incorporates new checks primarily oriented towards Debian - distribution including: md5sums checks of installed files, location of files - not belonging to packages, and analysis of local listening processes. + This package provides all the security scripts and data files for Linux. + A separate package is available providing the scripts for other operating + systems so they can be run from a centralised repository. + . + The Linux scripts incorporate specific checks targetting the Debian OS + including: md5sums checks of installed files, location of files not belonging + to packages, and analysis of local listening processes. . - This package provides all the security scripts and data files. + Alternatives to TIGER available in Debian include lynis and ossec. If you are + aiming for a small set of checks, try checksecurity, lsat or yasat. Package: tiger-otheros Architecture: any Depends: tiger, ${misc:Depends} -Description: Scripts to run Tiger in other operating systems - TIGER, or the 'tiger' scripts, is a set of Bourne shell scripts, C programs - and data files which are used to perform a security audit of different - operating systems. The tools can be both run altogether once to generate an - audit report of the system and they can also be run periodically to - provide information on changes to the system's security once a - security baseline has been defined. Consequently, they can be used - also as a host intrusion detection mechanism. - . - This package provides all the scripts for operating systems other than Linux - provided for in the Tiger distribution. It is provided in the hope it will be - useful for administrators that wish to run tiger in a distributed environment - sharing these files through the network (e.g. NFS). 
+Description: security auditing and intrusion detection scripts for Unix based systems + TIGER, or the 'tiger' scripts, is a set of tools (Bourne shell scripts and C + programs) which are used to perform a security audit of different operating + systems components. The tools can be both run all at once to generate an + audit report of the system and to detect elements that could be fixed + when hardening it. They can also be run periodically to compare the operating + system status against a baseline and report deviations. In this way, they can + be used also as a host intrusion detection mechanism. + . + This package provides all the scripts for Unix-based operating systems (other + than Linux) which are provided in the Tiger application upstream. They are + separately packaged in Debian as most users do not need them to run Tiger. + . + On the other hand, they might be useful for administrators that wish to run + Tiger in hosts running different Unix variants in a distributed environment. + Hosts can run the Tiger scripts through the network (e.g. NFS) and generate + locally reports for analysis and intrusion detection. --- tiger-3.2.4~rc1.orig/debian/gbp.conf +++ tiger-3.2.4~rc1/debian/gbp.conf @@ -0,0 +1,12 @@ + +[DEFAULT] +# the default branch for upstream sources: +upstream-branch = master +# the default branch for the debian patch: +debian-branch = debian +# the default tag formats used: +upstream-tag = version_%(version)s +debian-tag = debian/%(version)s +debian-tag-msg = %(pkg)s Debian release %(version)s +# don't check if debian-branch == current branch: +ignore-branch = True --- tiger-3.2.4~rc1.orig/debian/postrm +++ tiger-3.2.4~rc1/debian/postrm 
@@ -12,8 +12,8 @@ for dir in /var/log/tiger/ /var/lib/tiger/work /var/lib/tiger/ /var/run/tiger/ do [ -d "$dir" ] && { - find "$dir" -type d -o -exec rm -f {} \; - find "$dir" -type d -exec rmdir {} \; + find "$dir" -type f | xargs rm -f + rmdir "$dir" } done # Do we have any tigerXX files under /var/log/? if so we should remove --- tiger-3.2.4~rc1.orig/debian/rules +++ tiger-3.2.4~rc1/debian/rules @@ -19,7 +19,7 @@ build-stamp: dh_testdir autoconf - dh_auto_configure --with-tigerhome=/usr/lib/tiger --with-tigerwork=/var/lib/tiger/work --with-tigerlog=/var/log/tiger --with-tigerbin=/usr/sbin --with-tigerconfig=/etc/tiger --prefix=/usr --mandir=/usr/share/man + dh_auto_configure -- --with-tigerhome=/usr/lib/tiger --with-tigerwork=/var/lib/tiger/work --with-tigerlog=/var/log/tiger --with-tigerbin=/usr/sbin --with-tigerconfig=/etc/tiger --prefix=/usr --mandir=/usr/share/man $(MAKE) all touch build-stamp 
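Review bot: `find "$dir" -type f | xargs rm -f` in the postrm hunk lets xargs split file names on whitespace, quotes and newlines, so a name containing them is turned into different arguments for an `rm` that runs as root during purge. Passing the names without re-parsing avoids that: `find "$dir" -type f -exec rm -f -- {} +`. The switch to `-type f` also leaves symlinks, FIFOs, sockets and sub-directories in place, where the old `-type d -o -exec rm` removed every non-directory, so the following `rmdir "$dir"` fails whenever anything but regular files is present. Using `! -type d` and deciding explicitly whether a failed `rmdir` is tolerated would keep the purge predictable.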
@@ -60,9 +60,15 @@ # Adjust the permissions of directories that might contain confidential information chmod 0700 debian/tiger/var/lib/tiger/work chmod 0700 debian/tiger/var/log/tiger - # Create symbolic links for Linux versions 3 and 4 - ln -fs 2 debian/tiger/usr/lib/tiger/systems/Linux/3 - ln -fs 3 debian/tiger/usr/lib/tiger/systems/Linux/4 + # Create symbolic links for Linux versions 3, 4, 5, and default + [ -e debian/tiger/usr/lib/tiger/systems/Linux/3 ] || \ + ln -fs 2 debian/tiger/usr/lib/tiger/systems/Linux/3 + [ -e debian/tiger/usr/lib/tiger/systems/Linux/4 ] || \ + ln -fs 2 debian/tiger/usr/lib/tiger/systems/Linux/4 + [ -e debian/tiger/usr/lib/tiger/systems/Linux/5 ] || \ + ln -fs 2 debian/tiger/usr/lib/tiger/systems/Linux/5 + [ -e debian/tiger/usr/lib/tiger/systems/Linux/default ] || \ + ln -fs 2 debian/tiger/usr/lib/tiger/systems/Linux/default # Remove unneeded Makefile files. rm -f debian/tiger/usr/lib/tiger/doc/Makefile rm -f debian/tiger/usr/lib/tiger/doc/Makefile.in --- tiger-3.2.4~rc1.orig/scripts/check_accounts +++ tiger-3.2.4~rc1/scripts/check_accounts @@ -22,6 +22,9 @@ # (home directory accesibility, shell configuration files, dormant accounts # and .hushlogin files) # +# 08/19/2019 jfs Only complain for dormant accounts when the account +# is not a system (uid greater than Tiger_Accounts_Trust) +# as proposed by Richard Laager in Ubuntu Bug 248858 # 04/02/2018 jfs Include suggestion provided by Arran Schlosberg to use # HEAD when checking for dormant accounts. This prevents # wasting CPU when looking into very large home directories 
@@ -286,7 +289,7 @@ } # Dormant account check. - [ "$home" != / -a -n "$home" -a "$Tiger_Dormant_Limit" != 0 ] && { + [ "$home" != / -a -n "$home" -a "$Tiger_Dormant_Limit" != 0 -a $uid -gt $Tiger_Accounts_Trust ] && { notadmin=`eval "case \"$user\" in $Tiger_Admin_Accounts) ;; *) echo $user;; esac"` [ -n "$notadmin" ] && \ [ `$FIND "$home/" -mtime -$Tiger_Dormant_Limit 2>/dev/null | $HEAD -n 1 | $WC -l` -eq 0 ] && --- tiger-3.2.4~rc1.orig/scripts/check_group +++ tiger-3.2.4~rc1/scripts/check_group @@ -17,6 +17,7 @@ # # check_group - created 06/14/93 # +# check_group - 08/18/2019 - jfs - Added output of GRPCK # check_group - 07/05/2006 - jfs - Fix deprecated syntax with sort. # Thanks to Cyril Chaboisseau and Adam James for providing a patch # (Debian bug: #369501) @@ -76,7 +77,7 @@ echo echo "# Performing check of group files..." -haveallcmds AWK CAT GEN_GROUP_SETS GREP JOIN MV SORT UNIQ RM OUTPUTMETHOD || exit 1 +haveallcmds AWK CAT GEN_GROUP_SETS GREP JOIN MV SORT UNIQ RM OUTPUTMETHOD SED TR || exit 1 haveallfiles BASEDIR WORKDIR || exit 1 safe_temp "$WORKDIR/grp.list.$$" "$WORKDIR/grp2.$$" "$WORKDIR/g1name.$$" "$WORKDIR/g2name.$$" "$WORKDIR/g1gid.$$" "$WORKDIR/g2gid.$$" "$WORKDIR/grp2new.$$" @@ -168,10 +169,11 @@ # Verify the group file format. [ -n "$GRPCK" ] && { - # TODO: Add the results to the report grpckerr=`$GRPCK 2>&1` if [ -n "$grpckerr" ] ; then message WARN grp006w "" "Integrity of group files questionable ($GRPCK)." + output=`echo $grpckerr | $TR "\n" ", " | $SED -e 's/,$/\n/' ` + message WARN grp006w "" "Output of $GRPCK is '$output'" fi } --- tiger-3.2.4~rc1.orig/scripts/check_passwd +++ tiger-3.2.4~rc1/scripts/check_passwd 
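Review bot: The added `-a $uid -gt $Tiger_Accounts_Trust` in the check_accounts hunk is unquoted inside a `[ … -a … ]` chain, so if either value is empty the test is malformed, `[` returns an error, and the `&&` block is skipped: the dormant-account check silently disappears for that account instead of surfacing a configuration problem. Nothing visible in the hunk validates or defaults Tiger_Accounts_Trust before this line. Splitting the chain and quoting makes the failure mode explicit: `[ "$home" != / ] && [ -n "$home" ] && [ "$Tiger_Dormant_Limit" != 0 ] && [ "$uid" -gt "$Tiger_Accounts_Trust" ] && {`, ideally preceded by a check that the threshold is set. The block continues past the end of the hunk.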
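Review bot: `echo $grpckerr` in the third check_group hunk expands the tool output unquoted, so the shell word-splits it and glob-expands any `*`, `?` or `[` it contains against the current directory before the text reaches the report; the same pattern appears in the check_passwd hunk as `echo $pwckerr`. Word splitting also removes the newlines first, so `$TR "\n" ", "` has nothing left to translate, and `tr` would in any case map the newline to the comma only. For check_group, feeding `printf '%s\n' "$grpckerr"` into the existing `$TR`/`$SED` stages keeps the output literal; check_passwd flattens the output on purpose, so there the expansion needs globbing disabled (`set -f`) or a quoted pipeline that joins the lines. Both hunks also emit the second message under the same id as the first (`grp006w`, `pass006w`), which deserves a comment if intentional.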
@@ -59,6 +59,8 @@ # (Debian bug #734775, #717218) # 04/02/2018 jfs Added a check of the sudoers files through the use of # visudo (Savannah bug 36488) +# 08/19/2018 npb Make pwck -r output part of report (Debian bug #512076) +# 08/19/2018 jfs Added TR To the list of required commands # #----------------------------------------------------------------------------- # TODO: @@ -105,7 +107,7 @@ # elements are set. # [ "$Tiger_TESTMODE" = 'Y' ] && { - haveallcmds AWK CAT GEN_PASSWD_SETS GREP EGREP JOIN SED SORT UNIQ RM || exit 1 + haveallcmds AWK CAT GEN_PASSWD_SETS GREP EGREP JOIN SED SORT TR UNIQ RM || exit 1 haveallfiles BASEDIR WORKDIR || exit 1 echo "--CONFIG-- [init003c] $0: Configuration ok..." @@ -317,10 +319,11 @@ # Verify the password file format. [ -n "$PWCK" ] && { - # TODO: Add the results to the report pwckerr=`$PWCK 2>&1` if [ -n "$pwckerr" ] ; then message WARN pass006w "" "Integrity of password files questionable ($PWCK)." + output=`echo $pwckerr | $SED -e 's/pwck: no changes//' | $SED -e 's/ user /|user /g' | $TR "|" "\n"` + message WARN pass006w "" "Output of $PWCK is '$output'" fi } --- tiger-3.2.4~rc1.orig/systems/Linux/2/deb_checkmd5sums +++ tiger-3.2.4~rc1/systems/Linux/2/deb_checkmd5sums @@ -155,7 +155,7 @@ do package=`$BASENAME "$md5file" ".md5sums"` file=`echo $file | sed -e "s/:$//"` - echo "DEBUG: Checking file $file of $package ($err)" >&2 +# echo "DEBUG: Checking file $file of $package ($err)" >&2 case $err in DIFF|FAILED) # don't check diverted now --- tiger-3.2.4~rc1.orig/systems/Linux/2/gen_mounts +++ tiger-3.2.4~rc1/systems/Linux/2/gen_mounts 
@@ -61,10 +61,11 @@ # (Debian bug 615052) # Linux/2/gen_mounts - 28/01/2011 - Added devtmpfs (Debian bug 653416) # Added sshfs and cgroup (Debian bug 655276) -# Linux/2/gen_mounts - 23/01/2014 - Added pstore (Debian bug 733832) +# Linux/2/gen_mounts - 23/01/2014 - Added pstore (Debian bug 733832) (Ubuntu bug 1204531) # - Fix typo: hugetlbf --> hugetlbfs # (Debian bug 729692, Savannah bug 40591) # - Add fuse.gvfs-fuse-daemon (Savannah patch 7914) and change it to non-LOCAL +# (Also Ubuntu bug 1204531) # Linux/2/gen_mounts - 14/10/2014 - Fix typo: hugelbfs --> hugetlbfs (Debian bug 740625) # Linux/2/gen_mounts - 22/11/2015 - Fix typo in sshfs definition (Debian bug 7680867) # - Added aufs (Debian bug 781171) --- tiger-3.2.4~rc1.orig/systems/default/config +++ tiger-3.2.4~rc1/systems/default/config @@ -20,6 +20,8 @@ # default/config - 04/15/2003 - jfs - Fixed typos and added necessary programs # default/config - 09/19/2003 - jfs - Added UUID and USERNAME # default/config - 02/10/2018 - jfs - Added MD5SUM. Export MAILER +# default/config - 08/19/2019 - jfs - Remove duplicate DIFF. +# Fix typo in export call (Debian bug #928640) # #----------------------------------------------------------------------------- # @@ -101,7 +103,6 @@ CUT=`findcmd cut` HEAD=`findcmd head` WC=`findcmd wc` -DIFF=`findcmd diff` EXPAND=`findcmd expand` LSOF=`findcmd lsof` MAILER=`findcmd mail` @@ -124,7 +125,7 @@ export CAT LS LSGROUP LSLINK RM AWK GREP EGREP SGREP SED export SORT COMM TAIL MV TR JOIN GROUPSS FILECMD UNIQ BASENAME export CHMOD CHOWN LN PASTE ID CUT HEAD WC DIFF EXPAND LSOF -expot MAILE MD5SUM +export MAILER MD5SUM # UNAME=`findcmd uname` HOSTNAME=`findcmd hostname` --- tiger-3.2.4~rc1.orig/util/gethostinfo +++ tiger-3.2.4~rc1/util/gethostinfo 
@@ -23,6 +23,8 @@ # directory structure works for HPUX. # 07/26/2002 jfs Modified so it can work if called directly. Removed # unnecesary exit's +# 02/10/2018 jfs Fix retrieval of architecture fo Linux in AWK call +# and, anyway, make a shortcut call to uname -rms in this case # #----------------------------------------------------------------------------- # TODO: @@ -36,8 +38,6 @@ # here (basicly you just need to parse some /etc/ file which varies # from distribution and determines which release you are using) # -# - Investigate if it's better to use uname -rms, which probably is -# better to parse (and less error-prone) as suggested by Nicolas François #----------------------------------------------------------------------------- # [ -z "$WORKDIR" ] && WORKDIR=./run @@ -77,6 +77,13 @@ # UNAME=`findcmd uname` +# As suggested by Nicolas François, it is much fast / better to use uname -rms in Linux +# as this is less error-pone +if [ -n "$UNAME" ] && [ "`$UNAME -s`" = "Linux" ] ; then + $UNAME -rms + exit +fi + [ -n "$UNAME" ] && { $UNAME -a | $AWK ' @@ -107,7 +114,7 @@ printf("IRIX %s %s\n", $3, $5); } else if($1 == "Linux"){ - printf("Linux %s %s\n",$3, $12); + printf("Linux %s %s\n",$3, $9); } else if($1 == "Darwin"){ printf("MacOSX %s %s\n",$3, $11);
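Review bot: The new Linux shortcut in the third hunk ends with a bare `exit`, while the file's own history says earlier `exit`s were removed so the script "can work if called directly"; if any caller still sources this file, that `exit` terminates the caller rather than only this step. It is worth confirming how gethostinfo is invoked and, if it is always executed, saying so with a comment such as `# executed, never sourced: exit ends only this script`. With the shortcut in place, the `$1 == "Linux"` awk branch changed in the last hunk appears unreachable from this path, and a fixed field such as `$9` of `uname -a` depends on how many words the kernel version string contains. Either drop that branch or mark it as a fallback.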