To compile with support for this option, use the configure option
./configure --enable-suidcheck
If enabled, this will cause the samhain daemon to check the whole file system hierarchy for SUID/SGID files at user-defined intervals, and to report on any that are not included in the file database. Upon database initialization, all SUID/SGID files will automatically be included in the database. Excluded are nfs, proc, msdos, vfat, and iso9660 (CD-ROM) file systems, as well as file systems mounted with the 'nosuid' option (the latter is not supported on all OSes, but at least on Linux).
On Linux, files that are marked as candidates for mandatory locking (group-id bit set, group-execute bit cleared) will be ignored.
You can manually exclude one directory (see below); this should be used only for obscure problems (e.g. /net/localhost on Solaris: the automounter will mirror the root directory twice, as '/net/localhost' and '/net/localhost/net/localhost', and any nfs file system in '/' will be labelled as a ufs file system in '/net/localhost/net/localhost' ...).
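The scanning rules above (skip excluded file system types and nosuid mounts, skip the one manually excluded directory, treat SGID-without-group-execute as a mandatory-locking marker rather than a privileged file, and report only what the baseline database does not list) can be expressed compactly. The following Python is an added example written for this page, not samhain's own code: the mount table lines, the directory tree and the baseline are all constructed inside the block, and the function names (`excluded_mount_points`, `find_suid_sgid`, `new_suid_sgid`) are this example's, not samhain options.

```python
import os
import shutil
import stat
import tempfile

# File system types the SUID check does not descend into (from the text above).
EXCLUDED_FSTYPES = {"nfs", "proc", "msdos", "vfat", "iso9660"}

# Constructed /proc/self/mounts-style sample (device mountpoint fstype options ...).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sr0 /mnt/cdrom iso9660 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
fileserver:/export/home /home nfs rw,relatime,vers=3 0 0
/dev/sdb1 /data xfs rw,relatime 0 0
"""


def excluded_mount_points(mounts_text):
    """Return the mount points to skip: excluded file system types and anything
    mounted with the 'nosuid' option."""
    skip = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, fstype, options = fields[1], fields[2], fields[3].split(",")
        if fstype in EXCLUDED_FSTYPES or "nosuid" in options:
            skip.add(mountpoint)
    return skip


def is_suid_sgid(st):
    """Apply the rules above to an lstat() result: only regular files count, and a
    file with SGID set but group-execute cleared is a mandatory-locking marker on
    Linux, not a privileged executable, so it is ignored."""
    mode = st.st_mode
    if not stat.S_ISREG(mode):
        return False
    if mode & stat.S_ISUID:
        return True
    return bool(mode & stat.S_ISGID) and bool(mode & stat.S_IXGRP)


def find_suid_sgid(root, skip_dirs=(), exclude=None):
    """Walk root without following symlinks, pruning excluded mount points and the
    single manually excluded directory (SuidCheckExclude), and return the SUID/SGID
    files found as absolute paths."""
    root = os.path.abspath(root)
    skip = {os.path.abspath(d) for d in skip_dirs}
    if exclude:
        skip.add(os.path.abspath(exclude))
    found = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # prune in place so os.walk() never enters a skipped directory
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue        # vanished or unreadable: skip, as a scanner must
            if is_suid_sgid(st):
                found.add(path)
    return found


def new_suid_sgid(root, baseline, **kwargs):
    """SUID/SGID files on disk that the baseline database does not list."""
    return find_suid_sgid(root, **kwargs) - {os.path.abspath(p) for p in baseline}


def demo():
    """Constructed tree in a temporary directory; returns the reported files
    relative to the tree root."""
    root = tempfile.mkdtemp()
    try:
        def mk(rel, mode):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as f:
                f.write("x")
            os.chmod(p, mode)
            return p
        known = mk("usr/bin/known_suid", 0o4755)        # in the baseline: silent
        mk("tmp/new_suid", 0o4755)                      # new SUID: reported
        mk("tmp/new_sgid", 0o2755)                      # new SGID: reported
        mk("var/lock_candidate", 0o2644)                # SGID without g+x: ignored
        mk("net/localhost/hidden_suid", 0o4755)         # under SuidCheckExclude: skipped
        new = new_suid_sgid(root, baseline=[known],
                            exclude=os.path.join(root, "net", "localhost"))
        return sorted(os.path.relpath(p, root) for p in new)
    finally:
        shutil.rmtree(root)
```

Running `demo()` reports only `tmp/new_sgid` and `tmp/new_suid`; the baseline entry, the mandatory-locking candidate and the file under the excluded directory are all silent, which is the behaviour the text describes. In a real deployment `excluded_mount_points` would be fed the contents of `/proc/self/mounts` and its result passed as `skip_dirs`.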
| ![[Note]](stylesheet-images/note.png) | Note |
|---|---|
| The SUID check is very I/O expensive. Using 'nice' may not help if the CPU is waiting for I/O all the time anyway. To limit the load, the following options are provided: you can schedule execution at fixed times with SuidCheckSchedule=schedule; you can limit I/O with SuidCheckFps=files-per-second; as an alternative to the SuidCheckFps option, you can use SuidCheckYield=yes to yield the time slice after each file. The schedule should have the same syntax as a crontab entry (see crontab(5) and the example below), with the following exceptions: (a) lists are not allowed, and (b) ranges of names are allowed. If a schedule is given, the SuidCheckInterval option will not take effect. You can specify a list of schedules with successive SuidCheckSchedule=... directives. |
As of version 1.8.4, it is possible to quarantine new SUID/SGID files detected by samhain. To use this option, you must first enable it with SuidCheckQuarantineFiles=yes. This tells the SuidCheck module to quarantine any SUID/SGID files found after the initialization of the database, using the method selected in SuidCheckQuarantineMethod (see next paragraph). If this is used, the file will be logged each time it is found and not added to the memory-resident database.
You must also choose a method to be used to quarantine a SUID/SGID file: SuidCheckQuarantineMethod=0/1/2. Currently, there are three methods implemented: 0 - delete the file from the system; 1 - remove the SUID/SGID permissions from the file; 2 - move the SUID/SGID file to a quarantine directory. The quarantine directory is DEFAULT_DATAROOT/.quarantine. Each file moved there has an additional file created that contains information about the SUID/SGID file. For example, if a file /foo is an unauthorized SUID/SGID file, then it will be removed and moved to /var/lib/samhain/.quarantine, and another file, foo.info, will be created in /var/lib/samhain/.quarantine with information about /foo.
| ![[Warning]](stylesheet-images/warning.png) | Important remarks |
|---|---|
| Methods 0 and 2 will by default not remove the original file, but rather truncate it to zero size and remove the suid/sgid properties. If you really want to remove the original file rather than truncate it, you need to set the option SuidCheckQuarantineDelete=yes. The rationale for this behaviour is that removing a file in an arbitrary directory is considered to be dangerous, because the object that is unlinked may no longer be the same object that was determined to be a suid/sgid file before. You have been warned. For additional security, samhain will recursively chdir into the parent directory of the file to make sure there are no symlinks in the path. Also, a file will not be truncated if it is a hardlink to another one. No quarantining will be done if samhain is run in 'update' mode, since it is assumed that the current filesystem state is ok, and the database should be updated to reflect the current state. |
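The remarks above describe a set of defensive checks that any quarantine routine should make before touching a file: refuse paths that pass through a symlink, operate on the object that was examined rather than on a path name that may by now point elsewhere, leave hardlinked files alone, and prefer truncating and stripping bits over unlinking. The following Python is an added example written for this page, not samhain's code, and it reads the three methods and the SuidCheckQuarantineDelete switch the way the text describes them: the symlink check lstat()s each path prefix instead of samhain's recursive chdir, the file is opened with O_NOFOLLOW and re-validated through its descriptor, and with really_delete left off method 2 keeps a copy in the quarantine directory and truncates the original in place (that split is this example's reading; how samhain itself copies is not stated on the page). The `.info` fields, the function names and the temporary tree in `demo()` are all constructed for the example.

```python
import os
import shutil
import stat
import tempfile
import time

FLAG_BITS = stat.S_ISUID | stat.S_ISGID


def path_has_symlink(path):
    """True if any component of the absolute path is a symlink. samhain chdirs
    through the parents; lstat'ing each prefix is this example's simpler stand-in."""
    parts = os.path.abspath(path).split(os.sep)
    return any(os.path.islink(os.sep.join(parts[:i])) for i in range(2, len(parts) + 1))


def write_info(quarantine_dir, path, st):
    """Create <name>.info beside the quarantined file, recording what was seen."""
    info = os.path.join(quarantine_dir, os.path.basename(path) + ".info")
    with open(info, "w") as f:
        f.write("path=%s\nmode=%o\nuid=%d\ngid=%d\nsize=%d\nquarantined=%s\n"
                % (path, st.st_mode, st.st_uid, st.st_gid, st.st_size,
                   time.strftime("%Y-%m-%dT%H:%M:%S")))
    return info


def quarantine(path, method, quarantine_dir, really_delete=False):
    """Neutralise one unauthorised SUID/SGID file. method: 0 delete, 1 strip the
    bits, 2 move to quarantine_dir. Returns a short status string."""
    if path_has_symlink(path):
        return "refused: symlink in path"
    try:
        # open the object itself: never follow a symlink, never create anything
        fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as e:
        return "refused: " + e.strerror
    try:
        st = os.fstat(fd)          # re-check through the descriptor we hold
        if not stat.S_ISREG(st.st_mode) or not (st.st_mode & FLAG_BITS):
            return "refused: not a regular SUID/SGID file"
        if st.st_nlink > 1:
            return "refused: hardlinked"      # other names exist: do not truncate
        # every method first drops the privilege bits, on the validated descriptor
        os.fchmod(fd, st.st_mode & 0o7777 & ~FLAG_BITS)
        if method == 1:
            return "stripped"
        if method == 2:
            os.makedirs(quarantine_dir, exist_ok=True)
            write_info(quarantine_dir, path, st)
            dest = os.path.join(quarantine_dir, os.path.basename(path))
            if really_delete:
                os.rename(path, dest)         # path-based: the risk the text warns about
                return "moved"
            with os.fdopen(os.dup(fd), "rb") as src, open(dest, "wb") as dst:
                shutil.copyfileobj(src, dst)  # keep a copy for analysis
            os.ftruncate(fd, 0)
            return "quarantined"
        if really_delete:
            os.unlink(path)                   # path-based: the risk the text warns about
            return "deleted"
        os.ftruncate(fd, 0)                   # default for method 0: truncate, not unlink
        return "truncated"
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temporary tree; returns the observed outcomes."""
    root = os.path.realpath(tempfile.mkdtemp())
    qdir = os.path.join(root, ".quarantine")
    try:
        def mk(rel, mode, data=b"suid payload"):
            p = os.path.join(root, rel)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
            return p
        r = {}
        a = mk("a", 0o4755)
        r["strip"] = quarantine(a, 1, qdir)
        r["strip_mode"] = oct(os.stat(a).st_mode & 0o7777)
        r["strip_size"] = os.stat(a).st_size
        b = mk("b", 0o2755)
        os.link(b, os.path.join(root, "b_link"))
        r["hardlink"] = quarantine(b, 0, qdir)
        os.mkdir(os.path.join(root, "real"))
        mk("real/c", 0o4755)
        os.symlink(os.path.join(root, "real"), os.path.join(root, "link"))
        r["symlink"] = quarantine(os.path.join(root, "link", "c"), 0, qdir)
        d = mk("d", 0o4755)
        r["move"] = quarantine(d, 2, qdir)
        r["move_size"] = os.stat(d).st_size
        r["move_copy"] = (os.path.exists(os.path.join(qdir, "d"))
                          and os.path.exists(os.path.join(qdir, "d.info")))
        e = mk("e", 0o4755)
        r["delete"] = quarantine(e, 0, qdir, really_delete=True)
        r["delete_gone"] = not os.path.exists(e)
        return r
    finally:
        shutil.rmtree(root)
```

The two path-based operations (rename and unlink) are exactly the ones the remarks call dangerous, which is why they only run when really_delete is set; everything else goes through the descriptor obtained with O_NOFOLLOW, so a file swapped between the scan and the quarantine step is caught by the fstat() re-check.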
This facility is configured in the SuidCheck section of the configuration file.

```
[SuidCheck]
# activate (0 for switching off)
SuidCheckActive=1
# interval between checks (in seconds, default 7200)
# SuidCheckInterval=86400
# scheduled check at 01:30 each night
SuidCheckSchedule=30 1 * * *
# this is the severity (see Section 1.1)
SeveritySuidCheck=crit
# you may manually exclude one directory
SuidCheckExclude=/net/localhost
#
# limit on files per seconds
SuidCheckFps=250
# alternatively yield time slice after each file
# SuidCheckYield=yes
#
# Quarantine detected SUID/SGID files
# SuidCheckQuarantineFiles=no
#
# Quarantine Method
# 0 - Delete the file from the system.
# 1 - Remove the SUID/SGID permissions from the file.
# 2 - Move the SUID/SGID file to a quarantine directory.
# The quarantine directory is DEFAULT_DATAROOT/.quarantine.
# SuidCheckQuarantineMethod = 1
#
# Really delete if using methods 0 or 2
# SuidCheckQuarantineDelete = no
```