tiger-devel
From: Ryan Bradetich
Subject: [Tiger-devel] Needed: General overview/direction of the tiger modules (I am confused) :)
Date: 02 Jul 2003 00:34:33 -0600

Hello all,

I have been reviewing Hewlett-Packard's security requirements,
trying to match these requirements against checks already present
in tiger, but I have gotten myself confused in a couple of areas.


1. What is the "high-level" difference between check_accounts and
        check_passwords?

It looks like I have submitted patches for check_password that
duplicate checks in check_accounts (Sorry!!).  It also looks like these
modules do approximately the same thing, so sharing the data files might
be possible (instead of generating them twice) ... I will have to see if
this is possible after I understand the difference.




2. There seems to be lots of duplicated error messages in the
        check_accounts, check_passwords, and check_passwordformat.

pwck (if available) will catch all the blank lines, incomplete entries,
mismatches between /etc/passwd and /etc/shadow, etc.  My personal
preference would be to rely upon the output of pwck (if available) and
put all these other checks into the check_passwordformat for systems
that do not have $PWCK defined.  This would remove the redundant error
messages and still make the checks available for systems without pwck.



3. The check_inetd module only checks for /etc/inetd.conf and bombs out
        if /etc/inetd.conf is not present.

I have a fix for this in my local tree, but was looking for advice on
how to handle xinetd.  Should I attempt to modify the gen_inetd to
generate the file in the expected format?  Or should I create a new
check_xinetd module?



4. Hewlett-Packard has specific requirements on several network services
        that are allowed or not allowed to run on their networks.  Most
        of the requirements were handled in the check_network script, but it
is written in perl, and refused to run on anything except RedHat.

I want to fix this so it is written in posix shell and make it more
configurable for other network services.  Some of these checks have
already been obsoleted by other modules (i.e. the check_ssh module,
etc).  Others have been moved into other scripts (i.e. r*-commands in
the check_inetd).

To me, it would be nice to centralize these services and have Tiger
variables that define if the service should be running, disabled, or do
not care.  I am trying to make this as flexible as possible, so
different people can meet different requirements by just changing values
in the tigerrc file.



Sorry if the thoughts in this email sound scattered, but I have several
additional checks I want to add and I can not work out in my head
where the best place to add them is.  I think a general
overview/direction would help me immensely.


Thanks!

- Ryan

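The centralized service policy suggested in point 4, as an added POSIX shell example that is not Tiger's code and not part of this thread: each network service gets a tigerrc variable set to running, disabled, or ignore (the `Tiger_Service_<name>` naming and the three values are assumptions), and a single check compares that policy against the list of services enabled on the host. Both the tigerrc fragment and the enabled-service list are constructed samples, not HP's actual requirements.

```shell
#!/bin/sh
# Added example, not Tiger's own code. Evaluates a tigerrc-style policy of the
# form Tiger_Service_<name>=running|disabled|ignore (variable naming is an
# assumption) against the list of services a host has enabled, so different
# sites can express their requirements by editing tigerrc rather than a module.

TMP_SVC=$(mktemp -d)
trap 'rm -rf "$TMP_SVC"' EXIT

# Constructed tigerrc fragment (sample policy, not any vendor's real rules).
cat > "$TMP_SVC/tigerrc" <<'EOF'
# services that must be running, must be off, or are not checked
Tiger_Service_sshd=running
Tiger_Service_telnet=disabled
Tiger_Service_rlogin=disabled
Tiger_Service_ftp=ignore
Tiger_Service_ntpd=running
EOF

# Constructed list of services enabled on the host under review (one per
# line), standing in for whatever gen_inetd or an init-script scan produces.
cat > "$TMP_SVC/enabled" <<'EOF'
sshd
telnet
ftp
EOF

# Print one --FAIL-- line per policy violation; output nothing when compliant.
check_service_policy() {
    rcfile=$1; enabled_file=$2
    # keep only our policy variables; comments and blank lines are skipped
    grep '^Tiger_Service_[A-Za-z0-9_]*=' "$rcfile" |
    while IFS='=' read -r var want; do
        svc=${var#Tiger_Service_}
        if grep -qx "$svc" "$enabled_file"; then state=running; else state=disabled; fi
        case $want in
            running)  [ "$state" = running ]  || echo "--FAIL-- $svc is required but not enabled" ;;
            disabled) [ "$state" = disabled ] || echo "--FAIL-- $svc is enabled but must be disabled" ;;
            ignore)   ;;   # do-not-care: no check for this service
            *)        echo "--WARN-- unknown policy '$want' for $svc in $rcfile" ;;
        esac
    done
}

# Count of --FAIL-- lines, for a module's summary line.
count_violations() {
    check_service_policy "$1" "$2" | grep -c '^--FAIL--'
}

check_service_policy "$TMP_SVC/tigerrc" "$TMP_SVC/enabled"
```

On the sample data telnet is enabled despite being disabled by policy and ntpd is required but absent, so two --FAIL-- lines come out; ftp is enabled but ignored, so it produces nothing. Adding a service to the policy is one more line in tigerrc, with no change to the check itself.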
