samhain: disable SuidCheck for /srv/buildd/unpack on buildds

The SuidCheck module was not available in jessie (despite our
configuration file mentioning it), and is now enabled by default in
stretch.

For the build daemons, we need to disable suid checks in
/srv/buildd/unpack.

For the porterboxes, we need to disable suid checks in
/srv/chroot/schroot-unpack.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index 6f46ae5..b737307 100644 (file)
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -665,7 +665,7 @@ SyslogSeverity=alert
 #
 #####################################################
 
-# [SuidCheck]
+[SuidCheck]
 ##
 ## --- Check the filesystem for SUID/SGID binaries
 ## 
@@ -684,7 +684,13 @@ SyslogSeverity=alert
  
 ## Directory to exclude 
 #
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
+SuidCheckExclude = /srv/buildd/unpack
+<% elsif scope.lookupvar('site::nodeinfo')['porterbox'] -%>
+SuidCheckExclude = /srv/chroot/schroot-unpack
+<% else -%>
 # SuidCheckExclude = NULL
+<% end -%>
 
 ## Limit on files per second (0 == no limit)
 #