Top Document: comp.security.unix and comp.security.misc frequently asked questions

To list all setuid and setgid regular files on your local filesystems:

    find / -local -type f \( -perm -4000 -o -perm -2000 \) -print

or, to do an "ls -l" of them:

    find / -local -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;

You may want to add the "-u" option to ls to see last-accessed times rather than last-modified times (especially to help gauge how harmful it would be to un-setuid the file: a setuid program nobody has run in months is a safer candidate than one that was executed this morning).

Some versions of "find" don't have the "-local" option. Its purpose is to avoid searching NFS volumes. If you don't have any NFS mounts, you can omit "-local". If you do, here are some other possibilities:

* On some systems you can do something like

    find / -fstype nfs -prune -o -type f \( -perm -4000 ...

* Some systems have "-xdev" or "-mount", which prevent find from descending into other filesystems. But then you have to run it for each local filesystem separately (or name every local filesystem as a starting point of the one find command).

* Do the check with the NFS filesystems unmounted (e.g. in single-user mode).

* As an alternative to find, "ncheck -s" will tell you all setuid and setgid files, plus all device files (which is something of equal interest, although usually much less problematic in OS distributions). It too must be run separately for each filesystem, and you should check your ncheck man page, since exactly which files "-s" reports varies between systems.

Please note that this is insufficient if you suspect backdoors have been installed on your system. The backdoor installation activity could have included modifying the "find" command (or "ls", or the kernel they run on). The purpose of the above is to find locally-installed or vendor-supplied security bugs waiting to happen, not to find backdoors.

Also note that on some systems "-local" doesn't do what you'd think: it still traverses the entire remote filesystem and merely rejects every node in it as non-local, so the search is slow and loads the NFS server for nothing. In this case you want

    find / ! -local -prune -o -type f \( -perm -4000 ...

i.e. "if not local, prune the search, else ...".

Send corrections/additions to the FAQ Maintainer: flaps@dgp.toronto.edu (Alan J Rosenthal)
Last Update March 27 2014 @ 02:11 PM
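A worked script for the procedure above, added here as an example; it is not code from the FAQ or from any vendor's toolset. It assumes a find that understands "-xdev" (GNU and BSD find, and most current commercial Unixes) and uses that in place of the FAQ's "-local". The function names list_setid, ls_setid and check_against_baseline, and the idea of saving the list once on a known-good system and diffing later runs against it so that a newly appeared setuid file stands out, are this example's own choices. As the FAQ warns, the result is only as trustworthy as the find, ls, sort and comm binaries it executes.

```shell
#!/bin/sh
# Added example (not part of the FAQ): enumerate setuid/setgid regular files
# on local filesystems and compare the list with a previously saved baseline.
# -xdev is assumed to be supported by find; the FAQ's "-local",
# "-fstype nfs -prune" and "ncheck -s" variants are the alternatives
# on systems whose find lacks it.

# list_setid DIR...
# Print the full path of every regular file under DIR... that has the
# setuid or setgid bit set, one per line, in C-locale sort order
# (comm, used below, needs its inputs sorted identically).
# -xdev keeps find from descending into other filesystems (e.g. NFS
# mounts), so each local filesystem you care about must be given as its
# own argument.  -type f skips setgid directories, whose bit only
# controls group inheritance of new files.
list_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# ls_setid DIR...
# Same search, but show mode, owner, group and the last-ACCESS time
# ("ls -u"), which helps judge whether a setuid program is really used
# before you chmod u-s it.
ls_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ldu '{}' \; 2>/dev/null
}

# check_against_baseline BASELINE DIR...
# BASELINE is a file written earlier by "list_setid DIR... > BASELINE".
# Prints "NEW <path>" for setuid/setgid files that are not in the
# baseline and "GONE <path>" for baseline entries that no longer carry
# the bits.  Returns 0 when the two lists are identical, 1 otherwise
# (2 if a scratch file could not be created).
check_against_baseline() {
    cab_baseline=$1
    shift
    cab_current=$(mktemp) || return 2
    list_setid "$@" > "$cab_current"
    # comm -13: lines only in the second file (current run);
    # comm -23: lines only in the first file (baseline).
    cab_new=$(LC_ALL=C comm -13 "$cab_baseline" "$cab_current")
    cab_gone=$(LC_ALL=C comm -23 "$cab_baseline" "$cab_current")
    rm -f "$cab_current"
    cab_status=0
    if [ -n "$cab_new" ]; then
        # sed prefixes each line; this keeps paths with spaces intact.
        printf '%s\n' "$cab_new" | sed 's/^/NEW /'
        cab_status=1
    fi
    if [ -n "$cab_gone" ]; then
        printf '%s\n' "$cab_gone" | sed 's/^/GONE /'
        cab_status=1
    fi
    return $cab_status
}

# Typical use, as root so that find can read every directory
# (paths are illustrative):
#   list_setid / /usr /var > /var/adm/setid.baseline     # once, on a clean system
#   check_against_baseline /var/adm/setid.baseline / /usr /var   # on later checks
```

Keep the baseline file somewhere an intruder cannot quietly edit (read-only media, or a copy off the host), and regenerate it deliberately after every package install or vendor patch, since those legitimately add and remove setuid programs.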