9. Checking the file system for SUID/SGID binaries

9. Checking the file system for SUID/SGID binaries
Prev	Chapter 5. Configuring samhain, the host integrity monitor	Next

To compile with support for this option, use the configure option

./configure --enable-suidcheck

If enabled, this will cause the samhain daemon to check the whole file system hierarchy for SUID/SGID files at user-defined intervals, and to report on any that are not included in the file database. Upon database initialization, all SUID/SGID files will automatically be included in the database. Excluded are nfs, proc, msdos, vfat, and iso9660 (CD-ROM) file systems, as well as file systems mounted with the 'nosuid' options (the latter is not supported on all OSes, but at least on Linux).

On Linux, files that are marked as candidates for mandatory locking (group-id bit set, group-execute bit cleared) will be ignored.

You can manually exclude one directory (see below); this should be used only for obscure problems (e.g.: /net/localhost on Solaris - the automounter will mirror the root directory twice, as '/net/localhost' and '/net/localhost/net/localhost', and any nfs file system in '/' will be labelled as ufs system in '/net/localhost/net/localhost' ...).

Note

	Note
The SUID check is very I/O expensive. Using 'nice' may not help, if the CPU is waiting for I/O all the time anyway. To limit the load, the following options are provided: You can schedule execution at fixed times with SuidCheckSchedule= `schedule` . You can limit I/O with the SuidCheckFps= `fps` option (fps: files per second). As an alternative to the SuidCheckFps option, you can use SuidCheckYield= `yes` . This will cause the SuidCheck module to yield its time slice after each file. If SuidCheckYield is used, the SuidCheckFps option will not take effect. The schedule should have the same syntax as a crontab entry (see crontab(5) and example below), with the following exceptions: (a) lists are not allowed, and (b) ranges of names are allowed. If a schedule is given, the SuidCheckInterval option will not take effect. You can specify a list of schedules with successive SuidCheckSchedule=... directives.

The SUID check is very I/O expensive. Using 'nice' may not help, if the CPU is waiting for I/O all the time anyway. To limit the load, the following options are provided:

You can schedule execution at fixed times with SuidCheckSchedule= schedule .

You can limit I/O with the SuidCheckFps= fps option (fps: files per second).

As an alternative to the SuidCheckFps option, you can use SuidCheckYield= yes . This will cause the SuidCheck module to yield its time slice after each file. If SuidCheckYield is used, the SuidCheckFps option will not take effect.

The schedule should have the same syntax as a crontab entry (see crontab(5) and example below), with the following exceptions: (a) lists are not allowed, and (b) ranges of names are allowed. If a schedule is given, the SuidCheckInterval option will not take effect. You can specify a list of schedules with successive SuidCheckSchedule=... directives.

9.1. Quarantine SUID/SGID files

As of version 1.8.4, it is possible to quarantine new SUID/SGID files detected by samhain. To use this option, you must first enable it with SuidCheckQuarantineFiles= yes . This tells the SuidCheck module to quarantine any SUID/SGID files found after the initialization of the database using the method selected in SuidCheckQuarantineMethod (see next paragraph). If this is used, the file will be logged each time it is found and not added to the memory resident database.

You must also choose a method to be used to quarantine a SUID/SGID file: SuidCheckQuarantineMethod= 0/1/2 . Currently, there are 3 methods implemented: 0 - Delete the file from the system. 1 - Remove the SUID/SGID permissions from the file. 2 - Move the SUID/SGID file to a quarantine directory. The quarantine directory is DEFAULT_DATAROOT/.quarantine. Each file moved there has an additional file created that contains information about the SUID/SGID file. For example, if a file /foo is an unauthorized SUID/SGID file, then it will be removed and moved to /var/lib/samhain/.quarantine and another file, foo.info, will be created in /var/lib/samhain/.quarantine with information about /foo.

Important remarks

	Important remarks
Methods 0 and 2 will by default not remove the original file, but rather truncate to zero size and remove suid/sgid properties. If you really want to remove the original file rather than truncate, you need to set the option SuidCheckQuarantineDelete= `yes` The rationale for this behaviour is that removing a file in an arbitrary directory is considered to be dangerous, because the object that is unlinked may not be the same object anymore that has been determined to be a suid/sgid file before. You have been warned. For additional security, samhain will recursively chdir into the parent directory of the file to make sure there are no symlinks in the path. Also, a file will not be truncated if it is a hardlink to another one. No quarantining will be done if samhain is run in 'update' mode, since it is assumed that the current filesystem state is ok, and the database should be updated to reflect the current state.

Methods 0 and 2 will by default not remove the original file, but rather truncate to zero size and remove suid/sgid properties. If you really want to remove the original file rather than truncate, you need to set the option SuidCheckQuarantineDelete= yes

The rationale for this behaviour is that removing a file in an arbitrary directory is considered to be dangerous, because the object that is unlinked may not be the same object anymore that has been determined to be a suid/sgid file before. You have been warned.

For additional security, samhain will recursively chdir into the parent directory of the file to make sure there are no symlinks in the path. Also, a file will not be truncated if it is a hardlink to another one.

No quarantining will be done if samhain is run in 'update' mode, since it is assumed that the current filesystem state is ok, and the database should be updated to reflect the current state.

9.2. Configuration

This facility is configured in the SuidCheck section of the configuration file.

	    [SuidCheck]  
	    # activate (0 for switching off) 
	    SuidCheckActive=1 
	    # interval between checks (in seconds, default 7200)
	    # SuidCheckInterval=86400 
	    # scheduled check at 01:30 each night
	    SuidCheckSchedule=30 1 * * * 
	    # this is the severity (see Section 1.1) 
	    SeveritySuidCheck=crit 
	    # you may manually exclude one directory 
	    SuidCheckExclude=/net/localhost
	    #
	    # limit on files per seconds
	    SuidCheckFps=250 
	    # alternatively yield time slice after each file
	    # SuidCheckYield=yes
	    #
	    # Quarantine detected SUID/SGID files
	    # SuidCheckQuarantineFiles=no
	    #
	    # Quarantine Method
	    # 0 - Delete the file from the system.
	    # 1 - Remove the SUID/SGID permissions from the file.
	    # 2 - Move the SUID/SGID file to a quarantine directory.  
	    #     The quarantine directory is DEFAULT_DATAROOT/.quarantine.
	    # SuidCheckQuarantineMethod = 1
	    #
	    # Really delete if using methods 0 or 2
	    # SuidCheckQuarantineDelete = no

Prev	Up	Next
8. The file signature database	Home	10. Detecting Kernel rootkits