tiger 1:3.2.3-12 / usr / lib / tiger / doc / linux.txt

%lin001w
A program installed in your system has probably been not installed
by a package of your Linux packaging system. If this binary has
been installed by the administrator note that /usr/local/ is the
place for this files.
%lin002i
Installed processes listening on Internet interfaces must be
tightly controlled since they are the "open doors" to the 
outside.
%lin003w
Processes that have not been run by a valid user are listening on interfaces
open to external networks. This processes might have been run by a valid user
and changed uids or might be rogue processes.

The list of valid users is defined in Tiger's configuration file (tigerrc)
variable 'Tiger_Listening_ValidUsers'. An incorrect definition there might
also lead to invalid reports and false positives.

To fix this issue, review the value of the configuration variable and
the user the process is associated to. Confirm if the process is
running and is necessary. 

If the process is run by a system user, in order to prevent this process from
working, it is often necessary necessary to reconfigure the system to prevent
it from starting when the system boots. If this process is run by
a normal user you might need to review the processes started by login
scripts, desktop confiuration or periodic program execution.

Notice that sometimes services open sporadic UDP listeners to 
receive DNS requests, if you receive reports on open UDP services
that later on are closed this might be a false positive.

You can fix these false positives by adjusting the tiger.ignore configuration
file.
%lin004i
Netstat can be used instead of lsof in order to provide information
on listening processes, however it will provide less info since it
cannot determine the process (or PID) associated with the open socket
or the user that runs it.
%lin005f
In Debian systems, checksums are stored in /var/lib/dpkg/info/
if the md5sum of a file differs from the checksum of installed packages
it might be due to changes made by the system administrator (for
example, files in /etc) by everyday use of by a possible intruder
(who might have placed a trojan instead of the checked file)
Be forewarned, an attacker might have modified this info files
(they are not protected against this)
%lin006w
A file installed by a package no longer exists in the system and
cannot be checked for. An administrator should not remove files from
the system, they should be removed uninstalling the packages that
provided them. This is an unusual behavior.
%lin007w
In the default configuration of many GNU/Linux distributions users can
reboot the machine pressing Ctrl+Alt+Delete while in console mode. This can
be considered a security risk if an attacker can easily taken down the
server from console.
You can restrict this feature through the use of the /etc/shutdown.allow
file. In that file is defined, only if a user listed in the file (or
root) are logged in will the system shutdown be initiated.
%lin008e
The /proc pseudo-filesystem is needed to check the network configuration
settings in the kernel and determine insecure setups. /proc is available
when the kernel is compiled with the CONFIG_PROC_FS=Y option (if you want
to modify them you also need to add the CONFIG_SYSCTL=Y option). You also
need to have it mounted, if it's not try: 'mount -t proc proc /proc'.
This is usually done in most distributions per default.
%lin009i
The kernel will answer (per configuration) to ICMP echo requests in any
interface. You might want to configure it to not answer to this requests
and thus make it more "invisible". Do it with:
 # sysctl -w net.ipv4.icmp_echo_ignore_all=1 
Note, however, that this violates RFCs.
%lin010f
The system will answer to ICMP broadcast echo messages. This is considered
a problem since ICMP broadcasts can cause network denial of service as
the same time as giving away the location of the hosts. To remove this do:
 # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts = 1
%lin011f
The system is configured to answer to bad formatted ICMP messages. This
behavior is not recommended, please unconfigure it with:
 # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses = 1
%lin012w
The system is configured to accept ICMP redirects, this might or might
not be necessary in your network topology. If you have multiple routers
to which connect through to outside locations it might be necessary,
otherwise remove it since an attacker could send bogus ICMP redirection
messages to try to route the outgoing network packets to other systems
(including his own) and thus allowing for man in the middle or
denial of service attacks:
 # sysctl -w net.ipv4.conf.all.accept_redirects = 0
and:
 # sysctl -w net.ipv4.conf.default.accept_redirects = 0
%lin013f
It is common to protect systems against Denial of Service attacks using
SYN packets (commonly known as "SYN flooding") by activating support
of TCP syncookies. Note, however, that activating this violates some RFCs:
  # sysctl -w net.ipv4.tcp_syncookies = 1
%lin014f
It is possible to send IP spoofed packets from this machine. Spoofed
packets are commonly used by trojans that make use of compromised hosts
to deliver denial of service, man in the middle or connection hijacking.
You should consider configuring your kernel to not permit this:
  # sysctl -w net.ipv4.conf.all.rp_filter = 2
and:
  # sysctl -w net.ipv4.conf.default.rp_filter = 2
%lin015w
IP forwarding is the option that permits the system to act as a router
and thus resend packets from one network interface to another. If your
system is not acting as such this option should be disabled:
 # sysctl -w net.ipv4.ip_forward = 0
%lin016f
Source routing might permit an attacker to send packets through your
host (if routing is enabled) to other hosts without following your 
network topology setup. It should be enabled only under very special
circumstances or otherwise an attacker could try to bypass the traffic
filtering that is done on the network:
  # sysctl -w net.ipv4.conf.all.accept_source_route = 0
and:
  # sysctl -w net.ipv4.conf.default.accept_source_route = 0
%lin017w
Suspicious packets received by the kernel should be logged to detect
incoming attacks. To activate this logging capability:
  # sysctl -w net.ipv4.conf.all.log_martians = 1
and:
  # sysctl -w net.ipv4.conf.default.log_martians = 1
%lin018w
The "weak end host" description in the RFC1122 permits multihomed systems
to receive packets for a network interface from another network interface.
This, as a matter of fact, removes the benefit of configuring services
and binding them to a single IP address (not to all IP addresses). 
For 2.2 kernels remove this option with:
  # echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden
For 2.4 and later kernels you might need to patch the kernel or configure
your firewalling rules properly (i.e. defining anti-spoofing rules).
%lin019f
The system has no firewalling rules in place to limit access to network
services and protocols. Considering configuring a set of local firewall
rules adapted to your needs. There are multiple firewall generation software 
you can use to generate these (such as Bastille, Shorewall, Firestarter,
or Knetfiler).
Local firewall rules can be used to block undesired incoming and outgoing
traffic and can be useful to prevent access to network services that are
listening on all system interfaces, only want to be used from specific
hosts (or interfaces) and lack capabilities to either restrict its
use to specific local network IP addresses or hosts. 
If the system is multi-home a local firewall configuration will prevent
spoofing attacks due to "weak end host" issues.