/usr/share/doc/samhain/manual.html/suidchk.html is in samhain 4.1.4-2.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>9. Checking the file system for SUID/SGID binaries</title><link rel="stylesheet" type="text/css" href="docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="The Samhain Host Integrity Monitoring System"><link rel="up" href="file-monitor.html" title="Chapter 5. Configuring samhain, the host integrity monitor"><link rel="prev" href="databasefile.html" title="8. The file signature database"><link rel="next" href="kerneldef.html" title="10. Detecting Kernel rootkits"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/header.html"--><!--#endif--><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">9. Checking the file system for SUID/SGID
binaries</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="databasefile.html">Prev</a> </td><th width="60%" align="center">Chapter 5. Configuring
<span class="application">samhain</span>, the host
integrity monitor</th><td width="20%" align="right"> <a accesskey="n" href="kerneldef.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="suidchk"></a>9. Checking the file system for SUID/SGID
binaries</h2></div></div></div><p>To compile with support for this option, use the
configure option</p><p>
<span class="command"><strong>./configure
--enable-suidcheck</strong></span>
</p><p>If enabled, this will cause the samhain daemon to check
the whole file system hierarchy for SUID/SGID files at
user-defined intervals, and to report on any that are not
included in the file database. Upon database initialization,
all SUID/SGID files will automatically be included in the
database. Excluded are nfs, proc, msdos, vfat, and iso9660
(CD-ROM) file systems, as well as file systems mounted with
the 'nosuid' option (detecting this is not supported on all
OSes, but it is on Linux).</p><p>On Linux, files that are marked as candidates for
mandatory locking (group-id bit set, group-execute bit
cleared) will be ignored.</p><p>You can manually exclude one directory (see below);
this should be used only for obscure problems (e.g.:
/net/localhost on Solaris - the automounter will mirror the
root directory twice, as '/net/localhost' and
'/net/localhost/net/localhost', and any nfs file system in
'/' will be labelled as a ufs file system in
'/net/localhost/net/localhost' ...).</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The SUID check is very I/O expensive. Using 'nice'
may not help, if the CPU is waiting for I/O all the time
anyway. To limit the load, the following options are
provided:</p><p>You can
<span class="emphasis"><em>schedule</em></span> execution at fixed times with
<span class="command"><strong>SuidCheckSchedule=
<em class="replaceable"><code>schedule</code></em></strong></span> .</p><p>You can
<span class="emphasis"><em>limit I/O</em></span> with the
<span class="command"><strong>SuidCheckFps=
<em class="replaceable"><code>fps</code></em></strong></span> option (fps: files
per second).</p><p>As an alternative to the
<span class="command"><strong>SuidCheckFps</strong></span> option, you
can use
<span class="command"><strong>SuidCheckYield=
<em class="replaceable"><code>yes</code></em></strong></span> . This will cause
the SuidCheck module to yield its time slice after each
file. If
<span class="command"><strong>SuidCheckYield</strong></span> is used,
the
<span class="command"><strong>SuidCheckFps</strong></span> option will
not take effect.</p><p>The schedule should have the same syntax as a crontab
entry (see crontab(5) and the example below), with the
following exceptions: (a) lists are not allowed, and (b)
ranges of names are allowed. If a schedule is given, the
<span class="command"><strong>SuidCheckInterval</strong></span> option
will not take effect. You can specify a list of schedules
with successive SuidCheckSchedule=... directives.</p></td></tr></table></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="suidchk-quarantine"></a>9.1. Quarantine SUID/SGID files</h3></div></div></div><p>As of version 1.8.4, it is possible to
<span class="emphasis"><em>quarantine</em></span> new SUID/SGID files detected
by
<span class="application">samhain</span>. To use
this option, you must first enable it with
<span class="command"><strong>SuidCheckQuarantineFiles=
<em class="replaceable"><code>yes</code></em></strong></span> . This tells the
SuidCheck module to quarantine any SUID/SGID files found
after the initialization of the database using the method
selected in
<span class="command"><strong>
SuidCheckQuarantineMethod</strong></span> (see next paragraph). If
this is used, the file will be logged each time it is found
and not added to the memory resident database.</p><p>You must also choose a method to be used to
quarantine a SUID/SGID file:
<span class="command"><strong>SuidCheckQuarantineMethod=
<em class="replaceable"><code>0/1/2</code></em></strong></span> . Currently,
there are 3 methods implemented: 0 - Delete the file from
the system. 1 - Remove the SUID/SGID permissions from the
file. 2 - Move the SUID/SGID file to a quarantine
directory. The quarantine directory is
<code class="filename">
DEFAULT_DATAROOT/.quarantine</code>. Each file moved
there has an additional file created that contains
information about the SUID/SGID file. For example, if a
file
<code class="filename">/foo</code> is an unauthorized
SUID/SGID file, then it will be removed and moved to
<code class="filename">
/var/lib/samhain/.quarantine</code> and another file,
<code class="filename">foo.info</code>, will be
created in
<code class="filename">
/var/lib/samhain/.quarantine</code> with information
about
<code class="filename">/foo</code>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning: Important remarks"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="stylesheet-images/warning.png"></td><th align="left">Important remarks</th></tr><tr><td align="left" valign="top"><p>Methods 0 and 2 will by default not remove the
original file, but rather truncate to zero size and
remove suid/sgid properties. If you really want to remove
the original file rather than truncate, you need to set
the option
<span class="command"><strong>SuidCheckQuarantineDelete=
<em class="replaceable"><code>yes</code></em></strong></span>.</p><p>The rationale for this behaviour is that removing a
file in an arbitrary directory is considered to be
<span class="emphasis"><em>dangerous</em></span>, because the object that
is unlinked may not be the same object anymore that has
been determined to be a suid/sgid file before. You have
been warned.</p><p>For additional security, samhain will recursively
chdir into the parent directory of the file to make sure
there are no symlinks in the path. Also, a file will not
be truncated if it is a hardlink to another one.</p><p>No quarantining will be done if samhain is run in
'update' mode, since it is assumed that the current
filesystem state is ok, and the database should be
updated to reflect the current state.</p></td></tr></table></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="suidchk-config"></a>9.2. Configuration</h3></div></div></div><p>This facility is configured in the
<span class="emphasis"><em>SuidCheck</em></span> section of the configuration
file.</p><p>
</p><pre class="programlisting">
[SuidCheck]
# activate (0 for switching off)
SuidCheckActive=1
# interval between checks (in seconds, default 7200)
# SuidCheckInterval=86400
# scheduled check at 01:30 each night
SuidCheckSchedule=30 1 * * *
# this is the severity (see <a class="xref" href="basic-configuration.html#severitydef" title="1.1. Severity levels">Section 1.1</a>)
SeveritySuidCheck=crit
# you may manually exclude one directory
SuidCheckExclude=/net/localhost
#
# limit on files per second
SuidCheckFps=250
# alternatively yield time slice after each file
# SuidCheckYield=yes
#
# Quarantine detected SUID/SGID files
# SuidCheckQuarantineFiles=no
#
# Quarantine Method
# 0 - Delete the file from the system.
# 1 - Remove the SUID/SGID permissions from the file.
# 2 - Move the SUID/SGID file to a quarantine directory.
# The quarantine directory is DEFAULT_DATAROOT/.quarantine.
# SuidCheckQuarantineMethod = 1
#
# Really delete if using methods 0 or 2
# SuidCheckQuarantineDelete = no
</pre><p>
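The following is an added example in Python, not samhain's own code (samhain itself is written in C): a small sweep that applies the rules this section describes. It reports set-uid/set-gid regular files that are missing from a baseline set (standing in for samhain's file database), prunes excluded file-system types, nosuid mounts and the one manually excluded directory, ignores Linux mandatory-locking candidates (set-gid with group-execute cleared), and implements quarantine method 1 (strip the SUID/SGID bits) with the hard-link and symlink precautions from the "Important remarks" box. Function and parameter names, the mount-table parser (it expects the Linux /proc/self/mounts format) and the throwaway files the demo() function creates are all this example's own assumptions.

```python
"""Added example, not samhain's own code: a minimal SUID/SGID sweep that
follows the rules in the SuidCheck section of the samhain manual.  Names,
helper layout and the constructed demo files are the example's own."""
import os
import stat
import tempfile

EXCLUDED_FSTYPES = {"nfs", "proc", "msdos", "vfat", "iso9660"}  # from the manual


def classify_mode(mode):
    """'suid', 'sgid', 'mandatory-lock' (set-gid, group-exec cleared) or None.
    A set-uid file is reported even if it also looks like a locking candidate
    (this example's own choice; the manual does not say)."""
    if not stat.S_ISREG(mode):
        return None
    if mode & stat.S_ISUID:
        return "suid"
    if mode & stat.S_ISGID:
        return "sgid" if mode & stat.S_IXGRP else "mandatory-lock"
    return None


def skipped_mountpoints(mounts_text):
    """Mount points to prune, from text in /proc/self/mounts format (Linux):
    excluded file-system types and anything mounted nosuid."""
    skip = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and (fields[2] in EXCLUDED_FSTYPES
                                 or "nosuid" in fields[3].split(",")):
            skip.add(fields[1])
    return skip


def sweep(root, skip_dirs=(), baseline=frozenset()):
    """Sorted paths under `root` of SUID/SGID files not in `baseline`;
    directories in `skip_dirs` are pruned, symlinks neither followed nor
    reported (lstat: a link is never itself SUID)."""
    skip = {os.path.normpath(d) for d in skip_dirs}
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(dirpath, d)) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable; samhain would log this
            if classify_mode(mode) in ("suid", "sgid") and path not in baseline:
                found.append(path)
    return sorted(found)


def strip_setid_bits(path):
    """Quarantine method 1: clear SUID/SGID.  Parent and file are opened with
    O_NOFOLLOW and the open descriptor itself is checked, so a symlink swapped
    into the path is not followed; a hard-linked file is left alone as the
    manual says.  Returns the new permission bits, or None if unchanged."""
    parent, name = os.path.split(os.path.abspath(path))
    dirfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dirfd)
    except OSError:
        os.close(dirfd)
        return None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink > 1:
            return None
        new_mode = stat.S_IMODE(st.st_mode) & ~(stat.S_ISUID | stat.S_ISGID)
        os.fchmod(fd, new_mode)
        return new_mode
    finally:
        os.close(fd)
        os.close(dirfd)


def demo():
    """Constructed self-check: a lone set-uid file and a hard-linked set-uid
    pair in a throwaway directory; sweep, quarantine, sweep again."""
    root = tempfile.mkdtemp(prefix="suidchk-example-")
    lone, linked = os.path.join(root, "lone"), os.path.join(root, "linked")
    for p in (lone, linked):
        open(p, "w").close()
        os.chmod(p, 0o4755)
    os.link(linked, linked + ".hardlink")
    result = {
        "suid_supported": bool(os.lstat(lone).st_mode & stat.S_ISUID),
        "before": sweep(root),                    # all three files
        "lone_mode": strip_setid_bits(lone),      # 0o755
        "linked_mode": strip_setid_bits(linked),  # None: nlink is 2
    }
    result["after"] = sweep(root)                 # only the linked pair
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run stand-alone, the script plants its own files and prints the sweep results before and after quarantine. On a real Linux host the prune list for sweep() would be built with skipped_mountpoints() over the contents of /proc/self/mounts plus the SuidCheckExclude directory, and the baseline would be the set of paths already recorded at database initialization; the hard-link refusal is what keeps method 1 from silently altering a second name for the same inode.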
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="databasefile.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="file-monitor.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="kerneldef.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">8. The file signature database </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 10. Detecting Kernel rootkits</td></tr></table></div><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/footer.html"--><!--#endif--></body></html>