Security Toolbox

Auditing Security

There are many applications and application suites available to perform regular security audits and track changes to critical files. In addition, you have the power to perform a quick security audit on your system by using the find command. This is by no means a deep security audit but just a quick and dirty scan of your system to find files that have the SUID/SGID permission set that shouldn’t. Having these permissions bits set on files owned by root is a serious vulnerability, because they can allow users who do not have root access to execute commands as root and potentially initiate a root account compromise.

What you’re looking for is files that have permissions set similar to the following:

-rwSr-xr-x (SUID) or –rw-r-Sr-x (SGID)

The following find command locates all files with the SUID permission set for root:

# find / -type f -perm -u=s -ls

Here are some examples of files that match this permission:

12734848   44 -rwsr-xr-x  1 root root  44320 Mar 14 05:37 /usr/bin/mount
12734863   32 -rwsr-xr-x  1 root root  32208 Mar 14 05:37 /usr/bin/su
12734867   32 -rwsr-xr-x  1 root root  32048 Mar 14 05:37 /usr/bin/umount
13025626  144 ---s--x--x  1 root root  147392 Oct 30  2018 /usr/bin/sudo
12777317   60 -rwsr-xr-x  1 root root   57664 Nov 20  2018 /usr/bin/crontab
13037754   28 -rwsr-xr-x  1 root root   27832 Jun 10  2014 /usr/bin/passwd

Similarly, the find command to locate files that have the SGID permission set is as follows:

# find / -type f -perm -u=s -ls

And here are some examples of matching files:

12649555  16 -r-xr-sr-x 1 root tty     15344 Jun  9  2014 /usr/bin/wall
12734873  20 -rwxr-sr-x 1 root tty     19624 Mar 14 05:37 /usr/bin/write
13015059 376 ---x--s--x 1 root nobody 382240 Apr 10  2018 /usr/bin/ssh-agent

As you can see from you own listing, the number of files with SGID set is far fewer than those with SUID set. Some system files require SUID/SGID permission to be set, but there are very few of them. You need to perform a baseline audit of your systems upon initial installation and then track those changes periodically to be sure that no rogue programs or users have exploited this security flaw.


There are several other Linux hardening methods such as PAM, iptables, enabling SELinux, removing any X display managers, and regular port monitoring, but these are outside the scope of this article. I may revisit them in future installments individually. As stated previously, you can’t remove all network access to your servers, because that defeats the purpose of having a server. But now you have a small but powerful toolbox of utilities and techniques that will help you to keep your systems safer.

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Nmap Methods

    How does the popular Nmap scanner identify holes in network security? In this article, we examine some Nmap analysis techniques.

  • Nmap Scripting

    Nmap is rolling out a new scripting engine to automatically investigate vulnerabilities that turn up in a security scan. We’ll show you how to protect your network with Nmap and NSE.

  • Nmap Workshop

    In "The Matrix Reloaded," Trinity uses Nmap to hack into the power grid to pave Neo's way to the architect of the virtual world. However, the port scanner is also ideal for more mundane purposes – such as discovering vulnerabilities in your domestic network.

  • Charly's Column

    Many tools keep growing with each new version, but Nmap 4.00 has lost weight thanks to the Diet-Nmap project. The latest incarnation of Nmap is not only quicker, it is also more frugal with memory.

  • Scanning with Zenmap

    Discover your network with the user-friendly Zenmap network scanner.

comments powered by Disqus

Direct Download

Read full article as PDF: