SBDavid
May 12th, 2009
Find all SUID/SGID programs on your system
Find all SUID/SGID programs on your system and keep a record of them, so that you notice any additions or changes, which could indicate a potential intruder. Use the following command to list every SUID/SGID program on your system:
root# find / -type f \( -perm -04000 -o -perm -02000 \)
Example
root# find / -type f \( -perm -04000 -o -perm -02000 \)
/usr/bin/wall
/usr/bin/newgrp
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/expiry
/usr/bin/gpasswd
/usr/bin/passwd
...
You can remove the SUID or SGID bit from a suspicious program with chmod, and restore it later only if you are certain it is needed.
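To make the "keep track of what they are" part concrete, here is an added example (not from the original post) that turns the find command above into a baseline-and-compare check: it records mode, owner, group and SHA-256 of every SUID/SGID file, and diffs a fresh scan against a saved baseline. It assumes a Linux box with GNU coreutils (stat -c, sha256sum) and the hypothetical baseline path /var/lib/suid-baseline.txt.

```shell
#!/bin/sh
# Added example: inventory SUID/SGID files and compare against a saved baseline.
# Assumes GNU coreutils (stat -c, sha256sum), find, sort and diff.

# Print one line per SUID/SGID regular file under the given root (default /):
#   <octal mode> <owner> <group> <sha256> <path>
# Output is sorted by path so two runs can be compared line by line.
suid_inventory() {
    root="${1:-/}"
    find "$root" -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$(stat -c '%a %U %G' "$f")" "$sum" "$f"
    done | sort -k5
}

# Compare a fresh scan of the root (default /) against a baseline file.
# Prints the differing entries in unified diff form (lines starting with
# '+' are new or changed, '-' are missing or changed) and returns diff's
# status: 0 when nothing changed, 1 when something did, so it can drive
# a cron job or alert.
suid_compare() {
    baseline="$1"
    root="${2:-/}"
    suid_inventory "$root" | diff -u "$baseline" -
}

# Typical use (hypothetical baseline path):
#   suid_inventory / > /var/lib/suid-baseline.txt      # once, on a clean system
#   suid_compare /var/lib/suid-baseline.txt            # later, from cron
```

A new line in the diff means a program gained a SUID/SGID bit (or appeared), a changed hash on an existing path means the binary itself was replaced; both deserve a look before you decide whether to strip the bit with chmod.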