[plug] Tiger: security checker -- opinions?

Denis Brown dsbrown at cyllene.uwa.edu.au
Wed Oct 24 12:30:41 WST 2001


Hello,

The AusCERT Unix Security Checklist 
(www.auscert.org.au/Information/Auscert_info/papers/usc20.html) refers to a 
Purdue University security product called Tiger.  In its original form it 
was designed to address the SunOS flavour of Unix but it now offers wider 
support including Linux (RedHat by default.)

I have it running on a Debian (potato) box and will work my way through the 
couple of runtime errors it's tossing up at present.  Essentially it's a 
bunch of shell scripts which automate various checks on system file 
permissions and ownership, shell status for accounts, password strength, 
etc depending on configuration settings.  I'm looking at it both as an 
eventually useful product and as a good learning exercise for Linux 
security, scripting and so forth.

Clearly I need to resolve the runtime errors and at the same time become 
familiar with what it's checking and the security implications of same -- 
otherwise I could wind up with a false sense of security :-)  Anybody 
using/used Tiger?  If so what +'s, -'s in comparison with other security 
checkers of similar ilk?

Cheers,
Denis


