To compile with support for this option, use the configure option
If enabled, this will cause the samhain daemon to check the whole file system hierarchy for SUID/SGID files at user-defined intervals, and to report on any that are not included in the file database. Upon database initialization, all SUID/SGID files will automatically be included in the database. Excluded are nfs, proc, msdos, vfat, and iso9660 (CD-ROM) file systems, as well as file systems mounted with the 'nosuid' options (the latter is not supported on all OSes, but at least on Linux).
On Linux, files that are marked as candidates for mandatory locking (group-id bit set, group-execute bit cleared) will be ignored.
You can manually exclude one directory (see below); this should be used only for obscure problems (e.g.: /net/localhost on Solaris - the automounter will mirror the root directory twice, as '/net/localhost' and '/net/localhost/net/localhost', and any nfs file system in '/' will be labelled as ufs system in '/net/localhost/net/localhost' ...).
The SUID check is very I/O expensive. Using 'nice' may not help, if the CPU is waiting for I/O all the time anyway. To limit the load, the following options are provided:
schedule execution at fixed times with
limit I/O with the
As an alternative to the
SuidCheckFps option, you
The schedule should have the same syntax as a crontab entry (see crontab(5) and example below), with the following exceptions: (a) lists are not allowed, and (b) ranges of names are allowed. If a schedule is given, the SuidCheckInterval option will not take effect. You can specify a list of schedules with successive SuidCheckSchedule=... directives.
As of version 1.8.4, it is possible to
quarantine new SUID/SGID files detected
samhain. To use
this option, you must first enable it with
yes . This tells the
SuidCheck module to quarantine any SUID/SGID files found
after the initialization of the database using the method
SuidCheckQuarantineMethod (see next paragraph). If
this is used, the file will be logged each time it is found
and not added to the memory resident database.
You must also choose a method to be used to
quarantine a SUID/SGID file:
0/1/2 . Currently,
there are 3 methods implemented: 0 - Delete the file from
the system. 1 - Remove the SUID/SGID permissions from the
file. 2 - Move the SUID/SGID file to a quarantine
directory. The quarantine directory is
DEFAULT_DATAROOT/.quarantine. Each file moved
there has an additional file created that contains
information about the SUID/SGID file. For example, if a
/foo is an unauthorized
SUID/SGID file, then it will be removed and moved to
/var/lib/samhain/.quarantine and another file,
foo.info, will be
/var/lib/samhain/.quarantine with information
Methods 0 and 2 will by default not remove the
original file, but rather truncate to zero size and
remove suid/sgid properties. If you really want to remove
the original file rather than truncate, you need to set
The rationale for this behaviour is that removing a file in an arbitrary directory is considered to be dangerous, because the object that is unlinked may not be the same object anymore that has been determined to be a suid/sgid file before. You have been warned.
For additional security, samhain will recursively chdir into the parent directory of the file to make sure there are no symlinks in the path. Also, a file will not be truncated if it is a hardlink to another one.
No quarantining will be done if samhain is run in 'update' mode, since it is assumed that the current filesystem state is ok, and the database should be updated to reflect the current state.
This facility is configured in the SuidCheck section of the configuration file.
[SuidCheck] # activate (0 for switching off) SuidCheckActive=1 # interval between checks (in seconds, default 7200) # SuidCheckInterval=86400 # scheduled check at 01:30 each night SuidCheckSchedule=30 1 * * * # this is the severity (see Section 1.1) SeveritySuidCheck=crit # you may manually exclude one directory SuidCheckExclude=/net/localhost # # limit on files per seconds SuidCheckFps=250 # alternatively yield time slice after each file # SuidCheckYield=yes # # Quarantine detected SUID/SGID files # SuidCheckQuarantineFiles=no # # Quarantine Method # 0 - Delete the file from the system. # 1 - Remove the SUID/SGID permissions from the file. # 2 - Move the SUID/SGID file to a quarantine directory. # The quarantine directory is DEFAULT_DATAROOT/.quarantine. # SuidCheckQuarantineMethod = 1 # # Really delete if using methods 0 or 2 # SuidCheckQuarantineDelete = no