From 778db76adfd93ae7070905b0f5aec4a047fffc74 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Sun, 30 Jul 2017 14:08:50 +0200
Subject: [PATCH] samhain: disable SUID/SGID checks

The SUID/SGID checks have been enabled in our configuration file since the beginning, but have been actually active only for stretch hosts as the jessie version of samhain is built without SUID/SGID check support. These checks are not very flexible, as it's only possible to specify a single excluded directory, while we want to avoid walking both /srv and /home. However they are also not very useful in our use case, as files which get a SUID/SGID bit flipped will appear as changed. Therefore simply disable the SUID/SGID checks.

Signed-off-by: Aurelien Jarno
---
 modules/samhain/templates/samhainrc.erb | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index 28896369b..069135bab 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -671,9 +671,9 @@ SyslogSeverity=alert
 
 ## --- Check the filesystem for SUID/SGID binaries
 ##
-## Switch on
+## Switch off
 #
-# SuidCheckActive = yes
+SuidCheckActive = 0
 
 ## Interval for check (seconds)
 #
@@ -685,13 +685,7 @@ SyslogSeverity=alert
 
 ## Directory to exclude
 #
-<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
-SuidCheckExclude = /srv/buildd/unpack
-<% elsif scope.lookupvar('site::nodeinfo')['porterbox'] -%>
-SuidCheckExclude = /srv/chroot/schroot-unpack
-<% else -%>
 # SuidCheckExclude = NULL
-<% end -%>
 
 ## Limit on files per second (0 == no limit)
 #
-- 
2.20.1
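Review bot: Setting `SuidCheckActive = 0` in the first hunk removes the one check that reports a newly created SUID/SGID file in a directory the file policies do not watch. The commit message's argument, that a flipped bit shows up as a changed file, holds only for paths already listed in the policy sections, which this hunk does not show. If /srv, /home or other user-writable trees are outside those policies, the comment above the setting should record that the gap is accepted, for example `## Switch off (new SUID/SGID files outside the watched paths are not reported)`. Where feasible, mounting those filesystems `nosuid` would compensate for the lost detection.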