/usr/share/doc/samhain/manual.html/suidchk.html is in samhain 3.1.0-5ubuntu1.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Checking the file system for SUID/SGID binaries</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REL="HOME"
TITLE="The Samhain Host Integrity Monitoring System"
HREF="index.html"><LINK
REL="UP"
TITLE="Configuring samhain, the host integrity monitor"
HREF="file-monitor.html"><LINK
REL="PREVIOUS"
TITLE="The file signature database"
HREF="databasefile.html"><LINK
REL="NEXT"
TITLE="Detecting Kernel rootkits"
HREF="kerneldef.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="./docbook.css"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/header.html"--><!--#endif --><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Samhain Host Integrity Monitoring System</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="databasefile.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. Configuring <SPAN
CLASS="APPLICATION"
>samhain</SPAN
>, the host integrity monitor</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="kerneldef.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="SUIDCHK"
>5.9. Checking the file system for SUID/SGID binaries</A
></H1
><P
>  To compile with support for this option, use the configure option </P
><P
>  <B
CLASS="COMMAND"
>./configure --enable-suidcheck</B
></P
><P
>  If enabled, this will cause the samhain daemon to check the whole
  file system hierarchy for SUID/SGID files at user-defined intervals,
  and to report on any that are not included in the file database.
  Upon database initialization, all SUID/SGID files will automatically
  be included in the database. Excluded from the check are nfs, proc,
  msdos, vfat, and iso9660 (CD-ROM) file systems, as well as file
  systems mounted with the 'nosuid' option (recognizing the latter is
  not supported on all OSes, but at least on Linux). </P
><P
>  On Linux, files that are marked as candidates
  for mandatory locking (group-id bit set, group-execute bit cleared)
  will be ignored.</P
><P
>  You can manually exclude one
  directory (see below); this should be used only for obscure problems
  (e.g. /net/localhost on Solaris: the automounter mirrors the
  root directory twice, as '/net/localhost' and
  '/net/localhost/net/localhost', and any nfs file system in '/' will
  be labelled as a ufs file system under '/net/localhost/net/localhost',
  so it is no longer recognized as nfs &hellip;).</P
><DIV
CLASS="NOTE"
><P
></P
><TABLE
CLASS="NOTE"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="./stylesheet-images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TH
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
>Note</B
></TH
></TR
><TR
><TD
>&nbsp;</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>  The SUID check is very I/O expensive. Using 'nice' may not
  help if the CPU is waiting for I/O all the time anyway.
  To limit the load, the following options are provided:
  </P
><P
>  You can <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>schedule</I
></SPAN
>
  execution at fixed times with 
  <B
CLASS="COMMAND"
>SuidCheckSchedule=<TT
CLASS="REPLACEABLE"
><I
>schedule</I
></TT
></B
>.
  </P
><P
>  You can <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>limit I/O</I
></SPAN
> with
  the <B
CLASS="COMMAND"
>SuidCheckFps=<TT
CLASS="REPLACEABLE"
><I
>fps</I
></TT
></B
> 
  option (fps: files per second).
  </P
><P
>  As an alternative to the <B
CLASS="COMMAND"
>SuidCheckFps</B
> option,
  you can use <B
CLASS="COMMAND"
>SuidCheckYield=<TT
CLASS="REPLACEABLE"
><I
>yes</I
></TT
></B
>.
  This will cause the SuidCheck module to yield its time slice after each
  file. If <B
CLASS="COMMAND"
>SuidCheckYield</B
> is used, the
  <B
CLASS="COMMAND"
>SuidCheckFps</B
> option will not take effect.
  </P
><P
>  The schedule should have the same syntax as a crontab entry (see 
  crontab(5) and example
  below), with the following exceptions: (a) lists are not allowed, 
  and (b) ranges of names are allowed. If a schedule is given,
  the <B
CLASS="COMMAND"
>SuidCheckInterval</B
> option will not take effect.
  You can specify a list of schedules with successive SuidCheckSchedule=...
  directives.
  </P
></TD
></TR
></TABLE
></DIV
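><P
>A checker for the schedule syntax and option precedence described in the note above, added here as an example that is neither the manual's nor samhain's own code: it rejects lists, accepts ranges of names, and reports which of SuidCheckInterval/SuidCheckSchedule and SuidCheckFps/SuidCheckYield actually take effect. The function names and the SAMPLE section are this example's assumptions, and it checks syntax only, not that each number lies within its field's range.</P
><PRE
CLASS="PROGRAMLISTING"
>
```python
import re

NAMES = {3: "jan feb mar apr may jun jul aug sep oct nov dec".split(),   # month field
         4: "sun mon tue wed thu fri sat".split()}                      # weekday field

def schedule_error(schedule):
    """None if the SuidCheckSchedule value is valid, else the reason. crontab(5) syntax
    with the manual's two exceptions: lists ('1,15') rejected, name ranges ('mon-fri') ok."""
    fields = schedule.lower().split()
    if len(fields) != 5:
        return "expected 5 fields, got %d" % len(fields)
    for i, field in enumerate(fields):
        if not re.match(r"^(\*|[a-z0-9]+(-[a-z0-9]+)?)$", field):   # '*', value or range
            return "malformed field %r (lists are not allowed)" % field
        if field != "*":
            tab = NAMES.get(i, ())             # names are valid only in month/weekday fields
            vals = [int(t) if t.isdigit() else tab.index(t) + (i == 3) if t in tab else None
                    for t in field.split("-")]
            if None in vals or vals[0] > vals[-1]:
                return "unknown name or reversed range in %r" % field
    return None

def effective_settings(section_text):
    """Options that take effect: a schedule beats Interval, Yield beats Fps, schedules add up."""
    opts, schedules = {}, []
    for raw in section_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if "=" not in line:                         # also skips the [SuidCheck] header
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if key.lower() == "suidcheckschedule":
            err = schedule_error(val)
            if err:
                raise ValueError(err)
            schedules.append(val)
        else:
            opts[key.lower()] = val
    trigger = (("schedule", schedules) if schedules
               else ("interval", int(opts.get("suidcheckinterval", 7200))))
    yields = opts.get("suidcheckyield", "no").lower() == "yes"
    throttle = ("yield", None) if yields else ("fps", int(opts.get("suidcheckfps", 0)))
    return {"trigger": trigger, "throttle": throttle}

SAMPLE = """[SuidCheck]   # constructed sample section, modelled on the manual's listing
SuidCheckSchedule=30 1 * * *
SuidCheckSchedule=0 12 * * mon-fri
SuidCheckFps=250                # ineffective because of the next line
SuidCheckYield=yes
"""
```
</PRE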
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="SUIDCHK-QUARANTINE"
>5.9.1. Quarantine SUID/SGID files</A
></H2
><P
>  As of version 1.8.4, it is possible to <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>quarantine</I
></SPAN
>
  new SUID/SGID files detected by <SPAN
CLASS="APPLICATION"
>samhain</SPAN
>.
  To use this option, you must first enable it with 
  <B
CLASS="COMMAND"
>SuidCheckQuarantineFiles=<TT
CLASS="REPLACEABLE"
><I
>yes</I
></TT
></B
>.
  This tells the SuidCheck module
  to quarantine any SUID/SGID file found after the initialization of the
  database, using the method selected with
  <B
CLASS="COMMAND"
>SuidCheckQuarantineMethod</B
> (see next paragraph). If
  this option is used, such a file will be logged each time it is found
  and will not be added to the memory-resident database.</P
><P
>  You must also choose the method used to quarantine a
  SUID/SGID file:
  <B
CLASS="COMMAND"
>SuidCheckQuarantineMethod=<TT
CLASS="REPLACEABLE"
><I
>0/1/2</I
></TT
></B
>.
  Currently, there are 3 methods implemented:</P
><UL
><LI
><P
>0 - Delete the file from the system.</P
></LI
><LI
><P
>1 - Remove the SUID/SGID permissions from the file.</P
></LI
><LI
><P
>2 - Move the SUID/SGID file to a quarantine directory. The quarantine
  directory is <TT
CLASS="FILENAME"
>DEFAULT_DATAROOT/.quarantine</TT
>.
  Each file moved there gets an additional file that contains
  information about the SUID/SGID file. For example, if the file <TT
CLASS="FILENAME"
>/foo</TT
> is an unauthorized SUID/SGID file, then it will be removed from its
  location and moved to
  <TT
CLASS="FILENAME"
>/var/lib/samhain/.quarantine</TT
>, and another file, <TT
CLASS="FILENAME"
>foo.info</TT
>, will be created in
  <TT
CLASS="FILENAME"
>/var/lib/samhain/.quarantine</TT
>
  with information about <TT
CLASS="FILENAME"
>/foo</TT
>.</P
></LI
></UL
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="./stylesheet-images/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TH
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
>Important remarks</B
></TH
></TR
><TR
><TD
>&nbsp;</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>  Methods 0 and 2 will by default not remove the original file, but
  rather truncate it to zero size and remove its suid/sgid bits. If you
  really want to remove the original file rather than truncate it,
  you need to set the option
  <B
CLASS="COMMAND"
>SuidCheckQuarantineDelete=<TT
CLASS="REPLACEABLE"
><I
>yes</I
></TT
></B
>.
  </P
><P
>    The rationale for this behaviour is that removing a file in an arbitrary
    directory is considered to be <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>dangerous</I
></SPAN
>, because the
    object that gets unlinked may no longer be the same object that was
    earlier determined to be a suid/sgid file. You have been warned.
  </P
><P
>  For additional security, samhain will chdir step by step into the parent
  directory of the file, to make sure there are no symlinks in the path. Also,
  a file will not be truncated if it is a hardlink to another one.
  </P
><P
>  No quarantining will be done if samhain is run in 'update' mode, since
  it is assumed that the current filesystem state is ok, and the database
  should be updated to reflect the current state.
  </P
></TD
></TR
></TABLE
></DIV
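><P
>The safety measures described above, as an added example that is not part of the manual or of samhain's own code: it carries out the default action of methods 0 and 2 (strip the bits, truncate to zero) while opening every path component with O_NOFOLLOW instead of chdir'ing, leaves a hardlinked file untruncated, and skips Linux mandatory-locking candidates. The function names, the temporary-directory scenario and its sample files are this example's own assumptions; it needs Linux (dir_fd, O_NOFOLLOW, O_DIRECTORY) and operates on files the caller owns.</P
><PRE
CLASS="PROGRAMLISTING"
>
```python
import os, stat, tempfile

SUID_SGID = stat.S_ISUID | stat.S_ISGID

def open_nofollow(path, flags):
    """Open path without following a symlink in ANY component (the manual's step-wise chdir)."""
    parts = [p for p in path.split("/") if p]
    dfd = os.open("/" if path.startswith("/") else ".", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:                 # descend one directory at a time, no symlinks
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dfd)
    finally:
        os.close(dfd)

def neutralize(path):
    """Default action of methods 0 and 2: strip the SUID/SGID bits, then truncate to zero."""
    fd = open_nofollow(path, os.O_RDWR)
    try:
        st = os.fstat(fd)                       # judge the object we actually opened
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & SUID_SGID:
            return "not-suid"
        if st.st_mode & stat.S_ISGID and not st.st_mode & stat.S_IXGRP:
            return "mandatory-locking"          # Linux: SGID set, group-exec cleared
        os.fchmod(fd, stat.S_IMODE(st.st_mode) & ~SUID_SGID)
        if st.st_nlink > 1:
            return "hardlink"                   # bits stripped, but never truncated
        os.ftruncate(fd, 0)
        return "neutralized"
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: a SUID file, a hardlinked SUID file and a symlink to the first."""
    d = os.path.realpath(tempfile.mkdtemp())    # realpath: no symlink in the base path
    for p in (d + "/plain", d + "/linked"):
        with open(p, "w") as f:
            f.write("x")
        os.chmod(p, 0o4755)                     # the owner may set the SUID bit
    os.link(d + "/linked", d + "/linked2")
    os.symlink(d + "/plain", d + "/alias")
    out = {"plain": neutralize(d + "/plain"), "linked": neutralize(d + "/linked")}
    try:
        out["alias"] = neutralize(d + "/alias")
    except OSError:
        out["alias"] = "refused"                # O_NOFOLLOW rejects the symlink (ELOOP)
    return dict(out, plain_size=os.stat(d + "/plain").st_size)
```
</PRE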
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="SUIDCHK-CONFIG"
>5.9.2. Configuration</A
></H2
><P
>  This facility is configured in the <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>SuidCheck</I
></SPAN
> 
  section of the 
  configuration file.
  </P
><P
>  <PRE
CLASS="PROGRAMLISTING"
>  [SuidCheck]  
  # activate (0 for switching off) 
  SuidCheckActive=1 
  # interval between checks (in seconds, default 7200)
  # SuidCheckInterval=86400 
  # scheduled check at 01:30 each night
  SuidCheckSchedule=30 1 * * * 
  # this is the severity (see <A
HREF="basic-configuration.html#SEVERITYDEF"
>Section 4.1.1</A
>) 
  SeveritySuidCheck=crit 
  # you may manually exclude one directory 
  SuidCheckExclude=/net/localhost
  #
  # limit on files per second
  SuidCheckFps=250 
  # alternatively yield time slice after each file
  # SuidCheckYield=yes
  #
  # Quarantine detected SUID/SGID files
  # SuidCheckQuarantineFiles=no
  #
  # Quarantine Method
  # 0 - Delete the file from the system.
  # 1 - Remove the SUID/SGID permissions from the file.
  # 2 - Move the SUID/SGID file to a quarantine directory.  
  #     The quarantine directory is DEFAULT_DATAROOT/.quarantine.
  # SuidCheckQuarantineMethod = 1
  #
  # Really delete if using methods 0 or 2
  # SuidCheckQuarantineDelete = no
  </PRE
>
  </P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="databasefile.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="kerneldef.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>The file signature database</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="file-monitor.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Detecting Kernel rootkits</TD
></TR
></TABLE
></DIV
><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/footer.html"--><!--#endif --></BODY
></HTML
>