the setuid hunt can be automated with a simple one-liner
(3 lines if you want it readable)
( for i in ` find / -perm -02000 -o -perm -04000`; do
/bin/ls -l $i ; rpm -qf $i
done ) > /tmp/badperm 2>&1
You can then go through the file looking for anything worth removing
You might want to split it up into two scripts -- one that hunts for
setuid programs, and one that looks for setgid programs.
Files that have spaces or newlines in them will show up as
'file not found' errors -- an indicator of possible hacker activity.
( The brackets are required to avoid weird redirection
problems with some (old) versions of bash / sh )
Scott Gifford wrote:
> Be especially cautious of programs which have setuid/setgid
> permissions. Use:
> find /usr/bin -perm -02000 -o -perm -04000 -ls
> to do this, then use "rpm -qf" to figure out which RPMs they come from
.....
--
Stephen Samuel +1(604)876-0426 [EMAIL PROTECTED]
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
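The hunt described in the mail, as an added example that is not part of the original message: the same find/ls/rpm walk, but reading NUL-separated paths so that names with spaces or newlines are reported and flagged instead of surfacing as 'file not found' errors. It assumes bash 4 or later, a find(1) that supports -print0, and treats rpm(8) as optional; the function and flag names are this example's own.

```shell
#!/bin/bash
# Added example, not the code from the original mail: the same setuid/setgid
# hunt, but iterating with NUL-separated paths so names with spaces or newlines
# are reported (and flagged) rather than surfacing as 'file not found'.
# Assumes bash 4+, GNU/BSD find with -print0; rpm(8) is used only if present.

# Package owning a path: rpm's answer, "unpackaged" if rpm knows no owner,
# or "n/a" where rpm is not installed (non-RPM systems, test sandboxes).
owner_pkg() {
    command -v rpm >/dev/null 2>&1 || { echo n/a; return; }
    rpm -qf "$1" 2>/dev/null || echo unpackaged
}

# One report line per file: TYPE, FLAG, PACKAGE and the ls -ld output,
# tab-separated. TYPE is setuid, setgid or both; FLAG is "odd-name" when
# the path contains whitespace (rarely legitimate for a privileged binary).
report_one() {
    local f=$1 type="" flag="-"
    [[ -u $f ]] && type=setuid
    if [[ -g $f ]]; then
        [[ -n $type ]] && type=both || type=setgid
    fi
    [[ $f == *[[:space:]]* ]] && flag=odd-name
    printf '%s\t%s\t%s\t' "$type" "$flag" "$(owner_pkg "$f")"
    ls -ld -- "$f"
}

# hunt_special ROOT [setuid|setgid|all]: walk one filesystem under ROOT and
# report matching regular files. 'all' (default) covers either bit, so one
# function also serves the "two scripts" split suggested in the mail.
hunt_special() {
    local root=${1:-/} kind=${2:-all} expr
    case $kind in
        setuid) expr=(-perm -4000) ;;
        setgid) expr=(-perm -2000) ;;
        all)    expr=( \( -perm -4000 -o -perm -2000 \) ) ;;
        *)      echo "usage: hunt_special ROOT [setuid|setgid|all]" >&2; return 2 ;;
    esac
    while IFS= read -r -d '' f; do
        report_one "$f"
    done < <(find "$root" -xdev -type f "${expr[@]}" -print0 2>/dev/null)
}

# Run as a script: ./suidhunt.sh / > /tmp/badperm
if [[ $# -gt 0 ]]; then
    hunt_special "$@"
fi
```

Unlike the one-liner, this restricts itself to regular files, so setgid directories (which only make new files inherit the group) are left out; drop `-type f` if you want them listed too.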