Another approach in conjunction with mounting all filesystems nosuid is to
also create a (small) /suid partition - move all suid executables there,
then symlink them back to their original locations. This is, of course,
after removing all extraneous rpms & dropping off the suid bits for files
you want left in place but with reduced perms (eg for rpm dependencies).
Mount all other partitions nosuid, leaving only the /suid partition with
suid capabilities. It goes without saying that only root should have write
permission to this directory.

Once you have moved & symlinked all your necessary suid executables, you will
find that the only results of the 'find / -perm +0600 -ls' (Kurt's version)
command should be in /suid - the rest of your partitions should show up
nothing.

The only area this scheme really fails is with an updated rpm, which will
wipe over the symlinks with actual files, and not upgrade your /suid
partition. If you run a cron.daily script which checks for the presence of
suid files (see above for exact syntax), then these show up very quickly.
Even if you do miss these files when upgrading, they will still not be suid
- nosuid mounted remember...
Of course, awareness of exactly what you are upgrading is even better! (this
is not a lot to be aware of either - most /suid partitions usually end up
with <10 files, usually 4-5).

Milton.
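The cron.daily check the post describes, as an added example that is not Milton's own script: it reports setuid/setgid regular files found anywhere except the dedicated /suid directory (never following the symlinks that point into it), and builds a constructed miniature of the layout in a temp dir so it can be tried without touching a real system. The file names and paths in the sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example: detect suid/sgid binaries that have crept back onto the
# nosuid partitions (e.g. an rpm upgrade overwriting a symlink with a real
# file). Any hit should be moved into /suid and symlinked back.

# find_stray_suid ROOT SUIDDIR
# Prints every regular file under ROOT with the setuid or setgid bit set,
# pruning SUIDDIR itself. find does not follow symlinks, so the links that
# point into SUIDDIR are not reported.
find_stray_suid() {
    root=$1
    suiddir=$2
    find "$root" -path "$suiddir" -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print
}

# count_stray_suid ROOT SUIDDIR: number of offending files (0 is the goal)
count_stray_suid() {
    find_stray_suid "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree: constructed sample layout (assumed names), prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/suid" "$t/usr/bin" "$t/bin"
    # a binary that was moved into /suid, with a symlink left in its old place
    printf '#!/bin/sh\n' > "$t/suid/passwd"
    chmod 4755 "$t/suid/passwd"
    ln -s "$t/suid/passwd" "$t/usr/bin/passwd"
    # a real setuid file dropped over a symlink by an upgrade: the stray
    printf '#!/bin/sh\n' > "$t/bin/stray"
    chmod 4755 "$t/bin/stray"
    # an ordinary executable that must not be reported
    printf '#!/bin/sh\n' > "$t/bin/ordinary"
    chmod 0755 "$t/bin/ordinary"
    printf '%s\n' "$t"
}

# As a daily job on a real system (assumed mail recipient):
#   find_stray_suid / /suid | mail -s "stray suid files" root
```

Because the other partitions are mounted nosuid, a reported file is not yet exploitable as suid, but it is a sign the /suid copy was not upgraded and the symlink needs restoring.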
