Files with SUID permissions on a Linux system are both loved and hated. The benefit of SUID is that it lets ordinary users run certain programs that require root privileges (such as passwd, ping and mount); the drawback is that if SUID files are managed carelessly, an observant attacker can easily abuse them to take control of the host. Using SUID binaries to plant a privilege-escalation backdoor on a Linux host is no secret in the hacker community, and a few articles on it can be found online. This post does not cover how SUID is abused, only how to check the SUID files on a system.
The commands used for the check are as follows (the older spelling -perm +4000 is rejected by current GNU find, so the equivalent -perm /4000 form is used here):
find / -perm /4000 -user root -type f -print
find / -perm /2000 -group root -type f -print
Of course, you can also use the following commands:
find / -uid 0 -perm -4000 -print
find / -type f -perm /6000
find / -path '/proc' -prune -o -perm -u+s -exec ls -l {} \;
All of these commands do the job. If you want to check regularly, use the two shell scripts below, with one small catch: you must first run the following two commands on a freshly installed system to record a baseline:
find / -path '/proc' -prune -o -perm -u+s -exec ls -l {} \; > /tmp/suidlist-init
find / -type f -perm /6000 > /etc/sfilelist
You can then run these two scripts on a regular basis:
cat /root/soft_shell/check-suid.sh
#!/bin/bash
# Baseline list of SUID/SGID files recorded on the freshly installed system.
OLD_LIST=/etc/sfilelist
# Report every SUID/SGID file that is not in the baseline.
for i in $(find / -type f -perm /6000)
do
    grep -qxF -- "$i" "$OLD_LIST"
    [ $? -ne 0 ] && ls -lh "$i"
done
cat /root/soft_shell/checksuid.sh
#!/bin/bash
LOGFILE="/tmp/suidlist-$(date +%y-%m-%d)"
RESULTFILE="/tmp/suid_check_result-$(date +%y-%m-%d)"
# Take today's listing, compare it with the install-time baseline and mail the difference to root.
find / -path '/proc' -prune -o -perm -u+s -exec ls -l {} \; > "$LOGFILE"
diff /tmp/suidlist-init "$LOGFILE" > "$RESULTFILE"
mutt -s "SUID CHECK result" root < "$RESULTFILE"
Then add the scheduled job:
crontab -e
0 3 * * * /root/soft_shell/checksuid.sh
or
0 3 * * * /root/soft_shell/check-suid.sh
This allows you to periodically check the system for suid files.
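As an added example (not from the original post), here is a normalized comparison that can replace the raw diff in checksuid.sh: each ls -l line is reduced to mode, owner, group and path, so routine size and timestamp changes from package upgrades do not raise an alert, and only entries that appeared, vanished or changed mode/ownership are reported. The sample listings, the /opt/backup/helper path and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: compare a SUID/SGID baseline
# (such as /tmp/suidlist-init above) against a fresh "ls -l" listing.
# A raw diff of ls -l output also reports harmless size/mtime changes after
# package upgrades, so entries are first reduced to "mode owner group path".
# Paths containing spaces are not handled (ls -l output is whitespace-split).

# Reduce each "ls -l" line to "mode owner group path", sorted by path.
normalize_suid_list() {
    awk '{ print $1, $3, $4, $NF }' "$1" | sort -k4
}

# Usage: suid_changes BASELINE_FILE CURRENT_FILE
# Prints "+ entry" for files that gained SUID/SGID since the baseline (or whose
# mode/owner changed) and "- entry" for entries no longer present.
# Returns 0 when nothing changed, 1 otherwise (usable from cron to decide on mail).
suid_changes() {
    base_tmp=$(mktemp); cur_tmp=$(mktemp); diff_tmp=$(mktemp)
    normalize_suid_list "$1" > "$base_tmp"
    normalize_suid_list "$2" > "$cur_tmp"
    {
        grep -vxF -f "$base_tmp" "$cur_tmp" | sed 's/^/+ /'   # new or changed
        grep -vxF -f "$cur_tmp" "$base_tmp" | sed 's/^/- /'   # removed or changed
    } > "$diff_tmp"
    cat "$diff_tmp"
    changed=$(wc -l < "$diff_tmp" | tr -d ' ')
    rm -f "$base_tmp" "$cur_tmp" "$diff_tmp"
    [ "$changed" -eq 0 ]
}

# Constructed sample listings standing in for real find/ls -l output.
SAMPLE_DIR=$(mktemp -d)
SUID_BASELINE="$SAMPLE_DIR/suidlist-init"
SUID_CURRENT="$SAMPLE_DIR/suidlist-today"
cat > "$SUID_BASELINE" <<'EOF'
-rwsr-xr-x 1 root root 68208 Jan  1  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 44664 Jan  1  2020 /bin/ping
-rwsr-xr-x 1 root root 55528 Jan  1  2020 /bin/mount
EOF
# passwd was upgraded (size/date differ, same mode/owner); one new SUID file appeared.
cat > "$SUID_CURRENT" <<'EOF'
-rwsr-xr-x 1 root root 68448 Mar  3  2021 /usr/bin/passwd
-rwsr-xr-x 1 root root 44664 Jan  1  2020 /bin/ping
-rwsr-xr-x 1 root root 55528 Jan  1  2020 /bin/mount
-rwsr-xr-x 1 root root 14328 Mar  3  2021 /opt/backup/helper
EOF

# Prints only "+ -rwsr-xr-x root root /opt/backup/helper" and returns non-zero.
suid_changes "$SUID_BASELINE" "$SUID_CURRENT" || echo "SUID list changed"
```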