From: Aurelien Jarno Date: Sun, 30 Jul 2017 12:08:50 +0000 (+0200) Subject: samhain: disable SUID/SGID checks X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=778db76adfd93ae7070905b0f5aec4a047fffc74;p=mirror%2Fdsa-puppet.git samhain: disable SUID/SGID checks The SUID/SGID checks have been enabled in our configuration file since the beginning, but have been actually active only for stretch hosts as the jessie version of samhain is built without SUID/SGID check support. These checks are not very flexible, as it's only possible to specify a single excluded directory, while we want to avoid walking both /srv and /home. However they are also not very useful in our use case, as files which get a SUID/SGID bit flipped will appear as changed. Therefore simply disable the SUID/SGID checks. Signed-off-by: Aurelien Jarno --- diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb index 28896369b..069135bab 100644 --- a/modules/samhain/templates/samhainrc.erb +++ b/modules/samhain/templates/samhainrc.erb @@ -671,9 +671,9 @@ SyslogSeverity=alert ## --- Check the filesystem for SUID/SGID binaries ## -## Switch on +## Switch off # -# SuidCheckActive = yes +SuidCheckActive = 0 ## Interval for check (seconds) # @@ -685,13 +685,7 @@ SyslogSeverity=alert ## Directory to exclude # -<% if scope.lookupvar('site::nodeinfo')['buildd'] -%> -SuidCheckExclude = /srv/buildd/unpack -<% elsif scope.lookupvar('site::nodeinfo')['porterbox'] -%> -SuidCheckExclude = /srv/chroot/schroot-unpack -<% else -%> # SuidCheckExclude = NULL -<% end -%> ## Limit on files per second (0 == no limit) #
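Review bot: In the first hunk the removed line `# SuidCheckExclude` aside, `-# SuidCheckActive = yes` was commented out, so the check was previously enabled by samhain's built-in behaviour in builds with SUID check support rather than by this configuration file; the commit message ("enabled in our configuration file since the beginning") would be more accurate if it said the template never set the option and the change now explicitly disables it. Minor style point: the replacement `+SuidCheckActive = 0` mixes a numeric value with the `yes` form used on the line it replaces; `SuidCheckActive = no` would keep one boolean style in the file, assuming the samhain parser accepts both (the diff does not show which forms this version supports).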
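Review bot: The second hunk drops the `site::nodeinfo` buildd/porterbox branches that set `SuidCheckExclude` to `/srv/buildd/unpack` and `/srv/chroot/schroot-unpack`, leaving only `# SuidCheckExclude = NULL`; with `SuidCheckActive = 0` this block is dead configuration, which is fine, but anyone re-enabling the check later will no longer get the per-role exclusion and will walk those unpack directories again. Suggest keeping a one-line comment next to `# SuidCheckExclude = NULL` noting that the exclusion was removed together with disabling the check (this commit), so the dependency is visible in the template rather than only in git history.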