
Interpreting output of tiger scripts (WAS:Re: Is my system compromised)



According to Todd Weaver,

> You can try tiger...
>    sudo apt-get update
>    sudo apt-get install tiger
>    sudo tiger

I have no reason to believe that my box is compromised, but I thought that I would try out tiger to close off what I could. Now I need someone to point me to someplace that can help me interpret the log file.

I got an awful lot of lines about unowned files and files with invalid groups. Those were easy to deal with. They were all files that on installation kept the user and group of the maintainer. I have chowned them all to root:root. That cut the size of the log file down from 111K to 16K.

Now, I have several lines like these:

# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (epos) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (fetchmail) is disabled, but has a valid shell.

and these:

# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID epos appears to be a dormant account.
--WARN-- [acc021w] Login ID fetchmail appears to be a dormant account.
--WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group `mail'
         and world write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
         accessible.
I also wonder about these:

# Performing check of `cron' entries...
--WARN-- CRON file `/var/spool/cron/crontabs/mns' is owned by mns.
--WARN-- [cron004w] Root crontab does not exist
--WARN-- [cron005w] Use of cron is not restricted

# Performing check of 'inetd'...
# Checking inetd entries from /etc/inetd.conf
--WARN-- [inet099w] 'printer' is not protected by tcp wrappers.
--WARN-- [inet009] inetd entry for printer service uses
`/usr/lib/cups/daemon/cups-lpd' which contains `/usr' which is group
         `root' writable.

--WARN-- [inet009] inetd entry for printer service uses
`/usr/lib/cups/daemon/cups-lpd' which contains `/usr/lib' which is
         group `root' writable.

--WARN-- [inet099w] 'smtp' is not protected by tcp wrappers.
--WARN-- [inet009] inetd entry for smtp service uses `/usr/sbin/exim' which
         contains `/usr' which is group `root' writable.

--WARN-- [inet009] inetd entry for vboxd service uses `/usr/sbin/tcpd' which
         contains `/usr' which is group `root' writable.


# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service postgres is also assigned to service
         postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service
         postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service
         sane-port.
Most of the remaining warnings, however, are many, many lines like these:

# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
         matched the /bin/bash on this machine.
         >>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x)
         matched the /bin/login on this machine.
         >>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
         matched the /bin/ls on this machine.
         >>>>>> Linux 2.4.17

Since I am running kernel 2.6.8 (the most recent available in Sarge), I am curious as to why it is trying to match the files to 2.4.17.

If anyone can point me in the right direction, I would appreciate it.

--
Marc Shapiro
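As an added example (not part of the post and not tiger's own code), a small parser for the log format quoted above: it joins the indented continuation lines (including the `>>>>>> Linux 2.4.17` signature lines) back onto their finding and tallies findings per check id, which is the first step in cutting a 16K log down to the warnings worth reading. The input is constructed from the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed input: tiger log lines as quoted in the post above.
SAMPLE_LOG = """\
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (epos) is disabled, but has a valid shell.
# Checking accounts from /etc/passwd.
--WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group `mail'
         and world write access.
# Performing check of `cron' entries...
--WARN-- CRON file `/var/spool/cron/crontabs/mns' is owned by mns.
# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
         matched the /bin/bash on this machine.
         >>>>>> Linux 2.4.17
"""

# A finding starts with "--LEVEL-- [code] text"; the code is optional (the
# per-user crontab warning above has none). Indented lines, including the
# ">>>>>> Linux 2.4.17" signature lines, continue the previous finding.
FINDING_RE = re.compile(
    r"^--(?P<level>WARN|FAIL|ALERT|ERROR|INFO)--\s+(?:\[(?P<code>\w+)\]\s+)?(?P<text>.*)$")

def parse_tiger_log(text):
    """Return findings as dicts: section, level, code, message (continuations joined)."""
    findings, section = [], None
    for line in text.splitlines():
        if line.startswith("# "):
            section = line[2:].strip()   # "# Checking ..." opens a new check section
        elif (m := FINDING_RE.match(line)):
            findings.append({"section": section, "level": m["level"],
                             "code": m["code"] or "(no code)",
                             "message": m["text"].strip()})
        elif line[:1].isspace() and findings:
            findings[-1]["message"] += " " + line.strip()
    return findings

def count_by_code(findings):
    """Tally findings per check id so the noisy codes (e.g. sig004w) stand out."""
    return Counter(f["code"] for f in findings)

if __name__ == "__main__":
    found = parse_tiger_log(SAMPLE_LOG)
    for code, n in count_by_code(found).most_common():
        print(f"{n:4d}  {code}")
    for f in found:
        print(f"[{f['code']}] ({f['section']}) {f['message']}")
```

Run it against the real file (`python3 parse_tiger.py < /var/log/tiger/security.report...`, adapting the read to your log path) to see which codes dominate before reading warning by warning.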