Working on Tiger
After a week on vacation I've managed to squash quite a number of bugs on Tiger, put up a webpage (www.tigersecurity.org) and send a new release candidate (for version 3.2).
And then, after more testing, I sent two more release candidates, so it's slowly moving towards the definite release which will be, I hope, more bug free. Once done I might need to focus on documentation (as requested on the mailing list) and on merging parts of the TARA codebase (they have developed more checks and also fixed bugs in their latest 3.0.3 release). I would like to write new checks (better integration with tripwire, crack, integrit, and other tools) but I will have to try to refrain from adding new features until I have fixed Tiger for good.
Once that's done I believe Tiger could be a powerful tool that other free software Linux/*BSD distributions could include. Currently there are a myriad of security tools to do local security checks: Mandrake's msec, OpenBSD's /etc/security, SUSE's Seccheck. Steve Kemp, after a proposal I made on the debian-devel mailing list, reviewed some of these tools. I'm not sure if Tiger could replace all of these scripts, providing a common framework.
In any case I've been looking deeper into OVAL and provided a Debian schema on the mailing list (for some reason the archives seem to show only mails from a few people?). A free OVAL query interpreter for UNIX would be very nice. However, I'll have to hack it myself since there seem to be few active people at OVAL besides the Microsoft people. And the only available interpreter is Windows-only and provided with a non-free license (even if the FAQ says free to use), ouch!