/usr/share/doc/samhain/manual.html/suidchk.html is in samhain 4.1.4-2.

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>9. Checking the file system for SUID/SGID binaries</title><link rel="stylesheet" type="text/css" href="docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="The Samhain Host Integrity Monitoring System"><link rel="up" href="file-monitor.html" title="Chapter 5. Configuring samhain, the host integrity monitor"><link rel="prev" href="databasefile.html" title="8. The file signature database"><link rel="next" href="kerneldef.html" title="10. Detecting Kernel rootkits"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="suidchk"></a>9. Checking the file system for SUID/SGID
      binaries</h2></div></div></div><p>To compile with support for this option, use the
      configure option</p><p>
        <span class="command"><strong>./configure
        --enable-suidcheck</strong></span> 
      </p><p>If enabled, this will cause the samhain daemon to check
      the whole file system hierarchy for SUID/SGID files at
      user-defined intervals, and to report on any that are not
      included in the file database. Upon database initialization,
      all SUID/SGID files will automatically be included in the
      database. Excluded are nfs, proc, msdos, vfat, and iso9660
      (CD-ROM) file systems, as well as file systems mounted with
      the 'nosuid' option (recognizing 'nosuid' mounts is not
      supported on all operating systems, but it is on Linux).</p><p>On Linux, files that are marked as candidates for
      mandatory locking (group-id bit set, group-execute bit
      cleared) will be ignored.</p><p>You can manually exclude one directory (see below);
      this should be used only for obscure problems. For example, on
      Solaris the automounter mirrors the root directory twice, as
      '/net/localhost' and '/net/localhost/net/localhost', and any
      nfs file system under '/' is labelled as a ufs file system
      under '/net/localhost/net/localhost', so that copy is not
      skipped as nfs; excluding /net/localhost avoids it.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The SUID check is very I/O expensive. Using 'nice'
        may not help if the CPU is waiting for I/O all the time
        anyway. To limit the load, the following options are
        provided:</p><p>You can 
        <span class="emphasis"><em>schedule</em></span> execution at fixed times with 
        <span class="command"><strong>SuidCheckSchedule=
        <em class="replaceable"><code>schedule</code></em></strong></span>.</p><p>You can 
        <span class="emphasis"><em>limit I/O</em></span> with the 
        <span class="command"><strong>SuidCheckFps=
        <em class="replaceable"><code>fps</code></em></strong></span> option (fps: files
        per second).</p><p>As an alternative to the 
        <span class="command"><strong>SuidCheckFps</strong></span> option, you
        can use 
        <span class="command"><strong>SuidCheckYield=
        <em class="replaceable"><code>yes</code></em></strong></span>. This will cause
        the SuidCheck module to yield its time slice after each
        file. If 
        <span class="command"><strong>SuidCheckYield</strong></span> is used,
        the 
        <span class="command"><strong>SuidCheckFps</strong></span> option will
        not take effect.</p><p>The schedule should have the same syntax as a crontab
        entry (see crontab(5) and example below), with the
        following exceptions: (a) lists are not allowed, and (b)
        ranges of names are allowed. If a schedule is given, the 
        <span class="command"><strong>SuidCheckInterval</strong></span> option
        will not take effect. You can specify a list of schedules
        with successive SuidCheckSchedule=... directives.</p></td></tr></table></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="suidchk-quarantine"></a>9.1. Quarantine SUID/SGID files</h3></div></div></div><p>As of version 1.8.4, it is possible to 
        <span class="emphasis"><em>quarantine</em></span> new SUID/SGID files detected
        by 
        <span class="application">samhain</span>. To use
        this option, you must first enable it with 
        <span class="command"><strong>SuidCheckQuarantineFiles=
        <em class="replaceable"><code>yes</code></em></strong></span>. This tells the
        SuidCheck module to quarantine any SUID/SGID files found
        after the initialization of the database using the method
        selected in 
        <span class="command"><strong>
        SuidCheckQuarantineMethod</strong></span> (see next paragraph). If
        this is used, the file will be logged each time it is found
        and not added to the memory resident database.</p><p>You must also choose a method to be used to
        quarantine a SUID/SGID file: 
        <span class="command"><strong>SuidCheckQuarantineMethod=
        <em class="replaceable"><code>0/1/2</code></em></strong></span>. Currently,
        three methods are implemented: 0 - delete the file from
        the system; 1 - remove the SUID/SGID permissions from the
        file; 2 - move the SUID/SGID file to a quarantine
        directory. The quarantine directory is 
        <code class="filename">
        DEFAULT_DATAROOT/.quarantine</code>. Each file moved
        there has an additional file created that contains
        information about the SUID/SGID file. For example, if a
        file 
        <code class="filename">/foo</code> is an unauthorized
        SUID/SGID file, then it will be removed and moved to 
        <code class="filename">
        /var/lib/samhain/.quarantine</code> and another file, 
        <code class="filename">foo.info</code>, will be
        created in 
        <code class="filename">
        /var/lib/samhain/.quarantine</code> with information
        about 
        <code class="filename">/foo</code>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning: Important remarks"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="stylesheet-images/warning.png"></td><th align="left">Important remarks</th></tr><tr><td align="left" valign="top"><p>Methods 0 and 2 will by default not remove the
          original file, but rather truncate it to zero size and
          clear its suid/sgid bits. If you really want to remove
          the original file rather than truncate it, you need to set
          the option 
          <span class="command"><strong>SuidCheckQuarantineDelete=
          <em class="replaceable"><code>yes</code></em></strong></span>.</p><p>The rationale for this behaviour is that removing a
          file in an arbitrary directory is considered to be 
          <span class="emphasis"><em>dangerous</em></span>, because the object that
          is unlinked may not be the same object anymore that has
          been determined to be a suid/sgid file before. You have
          been warned.</p><p>For additional security, samhain will recursively
          chdir into the parent directory of the file to make sure
          there are no symlinks in the path. Also, a file will not
          be truncated if it is a hardlink to another one.</p><p>No quarantining will be done if samhain is run in
          'update' mode, since it is assumed that the current
          filesystem state is ok, and the database should be
          updated to reflect the current state.</p></td></tr></table></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="suidchk-config"></a>9.2. Configuration</h3></div></div></div><p>This facility is configured in the 
        <span class="emphasis"><em>SuidCheck</em></span> section of the configuration
        file.</p><p>
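As an added illustration (not part of the samhain manual or its code), the Python sketch below mirrors the rules described at the start of this section: a /proc/mounts-style table decides which mount points to skip (the excluded file system types and 'nosuid' mounts), files carrying the Linux mandatory-locking marker are ignored, one directory can be excluded by hand, and symlinks are never followed. The mount table and directory tree it runs over are supplied by the caller; the names excluded_mountpoints, is_mandatory_lock_candidate and find_suid_sgid are this example's own.

```python
"""Simplified SUID/SGID sweep (added example, not samhain's own code)."""
import os
import stat

# File system types the page says the check skips entirely.
EXCLUDED_FSTYPES = {"nfs", "proc", "msdos", "vfat", "iso9660"}


def excluded_mountpoints(mounts_text):
    """Parse /proc/mounts-style text and return the mount points to skip:
    excluded file system types plus anything mounted with 'nosuid'."""
    skip = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _device, mountpoint, fstype, options = fields[:4]
        if fstype in EXCLUDED_FSTYPES or "nosuid" in options.split(","):
            skip.add(mountpoint)
    return skip


def is_mandatory_lock_candidate(mode):
    """Linux mandatory-locking marker: SGID set while group-execute is clear."""
    return bool(mode & stat.S_ISGID) and not (mode & stat.S_IXGRP)


def find_suid_sgid(root, skip_mounts, exclude_dir=None):
    """Walk 'root' without following symlinks and return the regular files
    carrying SUID or SGID, honouring the skipped mounts, the single manually
    excluded directory (SuidCheckExclude) and the mandatory-lock rule."""
    found = []
    stack = [root]
    while stack:
        directory = stack.pop()
        if directory in skip_mounts or directory == exclude_dir:
            continue
        try:
            entries = list(os.scandir(directory))
        except OSError:
            continue  # unreadable directory: nothing to report there
        for entry in entries:
            st = entry.stat(follow_symlinks=False)  # lstat: symlinks never count
            if stat.S_ISDIR(st.st_mode):
                stack.append(entry.path)
            elif stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                if not is_mandatory_lock_candidate(st.st_mode):
                    found.append(entry.path)
    return sorted(found)
```

Running it against a real root requires feeding it the contents of /proc/mounts and a list of paths already recorded in the database; everything it returns that is not in that list is what samhain would report.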
</p><pre class="programlisting">
	    [SuidCheck]
	    # activate (0 for switching off)
	    SuidCheckActive=1
	    # interval between checks (in seconds, default 7200)
	    # SuidCheckInterval=86400
	    # scheduled check at 01:30 each night
	    SuidCheckSchedule=30 1 * * *
	    # this is the severity (see <a class="xref" href="basic-configuration.html#severitydef" title="1.1. Severity levels">Section 1.1</a>)
	    SeveritySuidCheck=crit
	    # you may manually exclude one directory
	    SuidCheckExclude=/net/localhost
	    #
	    # limit on files per second
	    SuidCheckFps=250
	    # alternatively yield time slice after each file
	    # SuidCheckYield=yes
	    #
	    # Quarantine detected SUID/SGID files
	    # SuidCheckQuarantineFiles=no
	    #
	    # Quarantine Method
	    # 0 - Delete the file from the system.
	    # 1 - Remove the SUID/SGID permissions from the file.
	    # 2 - Move the SUID/SGID file to a quarantine directory.
	    #     The quarantine directory is DEFAULT_DATAROOT/.quarantine.
	    # SuidCheckQuarantineMethod = 1
	    #
	    # Really delete if using methods 0 or 2
	    # SuidCheckQuarantineDelete = no
          </pre><p>
        </p></div></div></body></html>