Tiger: The Unix security audit and intrusion detection tool

Important Note: Due to a recent compromise of the Savannah project servers, it is recommended that source code or binaries downloaded from there be checked carefully, especially if they are not signed with the Tiger developer's key. Note that even though there has been a security incident at Debian too, all the source code there and the packages mirror have already been reviewed (as detailed in the report after the compromise).


Tiger is a security tool that can be used both as a security audit and as an intrusion detection system. It supports multiple UNIX platforms, and it is free and provided under a GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell language.

Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand and its dual nature: it can be used as an audit tool and as a host intrusion detection system. Free Software intrusion detection is currently going many ways, from network IDS (with Snort), to the kernel (LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), not to mention file integrity checkers (many of these: aide, integrit, samhain, tripwire...) and log checkers (even more of these, check the Log Analysis pages). But few of them focus fully on the host side of intrusion detection. Tiger complements these tools and also provides a framework in which all of them can work together. Tiger is not a log checker, nor is it focused on integrity analysis. It does "the other stuff": it checks the system configuration and status. Read the manpage for a full description of the checks implemented in Tiger. A good example of what Tiger can do is check_findelete, a module that can determine which network servers running in a system are using deleted files (because libraries were patched during an upgrade but the servers' services were not restarted).
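One way to perform the kind of check described for check_findelete, as an added example that is not Tiger's own code: it assumes the Linux /proc/<pid>/maps format, and the function names and sample data are constructed for illustration. It reports any process with stale mappings rather than only network servers.

```shell
#!/bin/sh
# Added example, not Tiger's check_findelete: report files that a process
# still has mapped after they were removed from disk (Linux /proc maps format).

# find_deleted_maps PID   (maps-format lines on stdin)
# Prints "PID<TAB>path" once for each deleted, file-backed mapping.
find_deleted_maps() {
    awk -v pid="$1" '
        / \(deleted\)$/ {
            path = $0
            # Drop the five leading fields: range, perms, offset, dev, inode.
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
            sub(/ \(deleted\)$/, "", path)
            # Shared memory, memfd and device mappings are routinely shown as
            # deleted; they are not stale libraries, so skip them.
            if (path !~ /^\//) next
            if (path ~ /^\/(memfd:|SYSV|dev\/)/) next
            if (!(path in seen)) {
                seen[path] = 1
                printf "%s\t%s\n", pid, path
            }
        }'
}

# Constructed sample: an sshd-like process after a libcrypto upgrade.
sample_maps() {
    cat <<'EOF'
55d0c8a00000-55d0c8a21000 r-xp 00000000 08:01 393301 /usr/sbin/sshd
7f3a1c000000-7f3a1c1c2000 r-xp 00000000 08:01 262200 /lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f3a1c1c2000-7f3a1c3c1000 ---p 001c2000 08:01 262200 /lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f3a1d000000-7f3a1d001000 rw-s 00000000 00:05 32769 /SYSV00000000 (deleted)
7f3a1e000000-7f3a1e001000 rw-s 00000000 00:01 2049 /memfd:scratch (deleted)
7ffc4b5f0000-7ffc4b611000 rw-p 00000000 00:00 0 [stack]
EOF
}

# scan_live: apply the same filter to every readable process on this host.
scan_live() {
    for m in /proc/[0-9]*/maps; do
        [ -r "$m" ] || continue
        pid=${m#/proc/}
        pid=${pid%/maps}
        find_deleted_maps "$pid" < "$m" 2>/dev/null
    done
}

# Demo on the sample; pass --live to scan the running system instead.
if [ "${1:-}" = "--live" ]; then scan_live; else sample_maps | find_deleted_maps 1234; fi
```

A process listed here needs a restart to pick up the patched file; run the live scan as root to see processes owned by other users.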

Free software Linux/*BSD distributions have a myriad of security tools to do local security checks: Debian's checksecurity, Mandrake's msec, OpenBSD's /etc/security, SUSE's Seccheck... but, even if they do similar checks, they have suffered from fragmentation. Tiger is being developed in the hope that it could substitute them at some point in the future. For a list of system security checks that Tiger provides and others do not, you can read this (short) comparison.

Find more information in the project page at Savannah.


Tiger provides a number of README files describing its usage, and it has been featured in a number of papers and conferences. The following documentation is available:

Also useful is the annotated CERT checklist, which describes which items of AusCERT's UNIX Security Checklist are covered by the Tiger tool.


You can freely download Tiger from the Debian archive. The current stable release is 3.2.1; the previous (old) stable release is 3.2. Notice that many mirrors of security tools have not caught up with this latest release and keep older versions (2.2.4p1).

If you are using a Linux distribution, you are encouraged to use the latest stable release, since it is much more up to date and will work better than TAMU's 2.2 release in newer Linux distributions. Packages for the Debian GNU/Linux distribution are also available directly from Debian (Note: packages.debian.org is down at the moment; please follow the link above to the archive).

Note: The download page at Savannah is currently down due to a recent compromise.


Tiger is distributed under GNU's GPL license and is free software. The fact that TAMU originally distributed it under this license has allowed development of the tool to continue even after the group was no longer able to develop it.

Tiger is distributed as a source-code-only distribution; you might need to compile certain programs (under bin/) for your specific operating system. In any case, if you want to see how the program has evolved, please check the CVS repository. Some operating systems, like Debian, might provide binary packages; users of those operating systems are encouraged to use them.


If you want to contact Tiger developers or users, please use the open mailing lists. If you want to report bugs in Tiger or ask for enhancements that you feel are important, please use our Bug Tracking System or open support requests in our Support Manager.


Tiger was originally developed by the CIS Network group of the A&M campus of the Texas University. It was written at the same time as COPS, SATAN and Internet Scanner. Eventually, after the 2.2.4 version, which was released in 1994, development of Tiger stalled (the original pages are still available at http://www.net.tamu.edu/network/tools/tiger.html).

Three different forks evolved after Tiger: TARA (developed by Advanced Research Computing, available at http://www-arc.com/tara), one developed internally at the HP corporation by Bryan Gartner, and the last one developed for the Debian GNU/Linux distribution by Javier Fernández-Sanguino (current upstream maintainer).

These forks were merged in May 2002, and in June 2002 the new source code, now labeled as the 3.0 release, was published at the Savannah site. The 3.1 release was distributed in October 2002. It was considered an unstable release and included some new checks and a new autoconf script for automatic configuration, but mostly included fixes for bugs found after testing Tiger in Debian GNU/Linux and in other operating systems. Over 2200 lines of code and documentation were included in this release.

Release 3.2 was published in May 2003. It greatly improves the stability of the tool and also fixes some security bugs found in it (including a buffer overflow in realpath).

The current stable release, 3.2.1, was published in October 2003 and includes a number of bug fixes, enhancements and new checks, including: check_ndd (for HPUX and SunOS systems), check_passwspec (for Linux and HPUX), check_trusted (for HPUX), check_rootkit (which can interact with the chkrootkit tool), check_xinetd and, finally, aide_run and integrit_run, which provide new checks for file integrity checkers.

A full list of the changes is available in the CHANGES file in the sources.
