From: Aurelien Jarno Date: Sat, 8 Apr 2017 16:57:59 +0000 (+0200) Subject: samhain: disable SuidCheck for /srv/buildd/unpack on buildds X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=ede01e5e88459e8301e33bbdd7a1d59639c3a624;p=mirror%2Fdsa-puppet.git samhain: disable SuidCheck for /srv/buildd/unpack on buildds The SuidCheck module was not available in jessie (despite our configuration file mentioning it), and is now enabled by default in stretch. For the build daemons, we need to disable suid checks in /srv/buildd/unpack. For the porterboxes, we need to disable suid checks in /srv/chroot/schroot-unpack. Signed-off-by: Aurelien Jarno --- diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb index 6f46ae53f..b73730791 100644 --- a/modules/samhain/templates/samhainrc.erb +++ b/modules/samhain/templates/samhainrc.erb @@ -665,7 +665,7 @@ SyslogSeverity=alert # ##################################################### -# [SuidCheck] +[SuidCheck] ## ## --- Check the filesystem for SUID/SGID binaries ## @@ -684,7 +684,13 @@ SyslogSeverity=alert ## Directory to exclude # +<% if scope.lookupvar('site::nodeinfo')['buildd'] -%> +SuidCheckExclude = /srv/buildd/unpack +<% elsif scope.lookupvar('site::nodeinfo')['porterbox'] -%> +SuidCheckExclude = /srv/chroot/schroot-unpack +<% else -%> # SuidCheckExclude = NULL +<% end -%> ## Limit on files per second (0 == no limit) #
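Review bot: in the first hunk, changing `# [SuidCheck]` to `[SuidCheck]` turns the section on for every host that renders this template, including the jessie hosts where, per the commit message, the module is not available. Worth confirming that jessie's samhain tolerates an unknown `[SuidCheck]` section (or a section with no settings) without erroring out on the configuration file; otherwise the section header itself should be gated on the release, the same way the exclusion is gated on the node role in the second hunk. A one-line template comment stating that the section is intentionally present on all releases would also help the next reader.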
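Review bot: in the second hunk the `if ... elsif ... else` chain means a node flagged as both `buildd` and `porterbox` only gets `SuidCheckExclude = /srv/buildd/unpack`; `/srv/chroot/schroot-unpack` would still be scanned on that host, and the ordering of the branches silently decides which role wins. If the two roles never coexist on one node, a template comment saying so documents the assumption; if they can, the exclusion logic needs to handle both paths rather than picking the first matching branch. Also note that the whole of each excluded unpack tree becomes invisible to the SUID/SGID check, so anything persisting there is not covered by samhain's reporting; a comment stating that this is accepted for unpack scratch space keeps that trade-off visible.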