check-setuid - check for changes to setuid programs
check-setuid is a plugin run by the checksecurity program. It scans the mounted
file systems (subject to the filter defined in /etc/checksecurity.conf) and
compares the list of setuid programs to the list created on the previous run.
Any changes are printed to standard output. It also generates a list of nfs
file systems that are mounted insecurely, i.e. those missing the nodev option
and either the noexec or the nosuid option.

checksecurity is run by cron on a daily basis, and the output is stored in
/var/log/setuid/setuid.changes.
The /etc/checksecurity.conf file defines several configuration variables, each
of which is described below.
CHECKSECURITY_FILTER is an environment variable whose value is passed as the
argument of 'grep -vE' applied to the output of the mount command. In other
words, the value of CHECKSECURITY_FILTER is an extended regular expression, and
every line of mount output it matches is removed from the set of file systems
that will be scanned. The default value removes all file systems of type proc,
bind, msdos, iso9660, ncpfs, nfs, afs, smbfs, auto, ntfs and coda, anything
mounted on /dev/fd*, anything mounted on /mnt or /amd, and anything mounted
with the nosuid or noexec option. A file system the filter removes is never
scanned at all, so a filter that is too broad silently hides setuid changes on
it; nosuid mounts are excluded by default because the kernel ignores the setuid
bit there anyway.
Since the /etc/checksecurity.conf file is sourced by checksecurity as shell
code, you could do some fairly tricky things to define CHECKSECURITY_FILTER.
Another environment variable, if set to the literal "TRUE", disables find
error messages from checksecurity (actually, it re-routes them to /dev/null).
Keep in mind that those messages are also the only sign that find could not
read part of a file system, so the scan may be incomplete when they are hidden.
A further environment variable, if set to the literal "TRUE", disables the
message about nfs file systems that are mounted without the nodev option and
either the noexec or the nosuid option.
If set, the CHECKSECURITY_EMAIL
variable defines who is sent a copy of
the setuid.changes file.
A separate variable specifies a find expression; block and character device
files matching it are not monitored for changes of owner and permissions. For
example, if you don't want to check for permission changes on tty device files
beneath /dev, you could set the expression to match those files. Note that any
added or modified setuid programs under that path would still be detected. If
you want to specify multiple expressions, separate them with '-o'; there is no
need to surround the whole clause with parentheses. To disable this filter,
specify it as '-false' (which is the default).
Note that if the system is restarted often, checksecurity will report a lot of
changes in the /dev/ subdirectory due to timestamp changes. In this case you
might want to widen the expression.
Another variable specifies a find expression whose matches are pruned from the
search path, meaning that the entire subtree beneath each match is skipped. If
the expression matches /var/ftp, for example, then the entire /var/ftp tree
will be skipped. Unlike the device filter above, a pruned subtree is not
scanned at all, so a setuid program added there is not detected. To disable
this filter, specify it as '-false' (which is the default).
A further variable sets the name of the directory which stores the files that track
the permission and ownership changes. By default, they are in
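The filter, scan, device and prune filters, nfs warning and diff-against-last-run
cycle described above, worked through as an added example. This is not code
from the checksecurity project: it is a compact re-implementation written for
this page so the effect of each setting can be tried on constructed data. Only
CHECKSECURITY_FILTER is a real variable name; the EXAMPLE_* names, the exact
default regular expression, the list file names setuid.current and
setuid.previous, the -xdev flag and the reading of the nfs rule are this
example's own assumptions. It needs GNU find for -perm /MODE and -printf.

```shell
#!/bin/sh
# Added example, not checksecurity's own code: re-implements the check-setuid
# cycle this page describes. Assumptions (not from the page): the EXAMPLE_*
# variable names, the exact default regex, the list file names, -xdev, and
# the reading of the insecure-nfs rule. Needs GNU find (-perm /MODE, -printf).

# ERE applied with 'grep -vE' to mount(8) output; matching lines are not
# scanned. Built from the page's description of the default (exact regex assumed).
CHECKSECURITY_FILTER=' type (proc|bind|msdos|iso9660|ncpfs|nfs|afs|smbfs|auto|ntfs|coda) | on (/mnt|/amd|/dev/fd)|[(,](nosuid|noexec)[,)]'
EXAMPLE_NOFINDERRORS=FALSE   # "TRUE" sends find's error messages to /dev/null
EXAMPLE_NONFSWARN=FALSE      # "TRUE" suppresses the insecure nfs mount warning
EXAMPLE_PRUNE='-false'       # find expression for subtrees to skip entirely
EXAMPLE_DEVFILTER='-false'   # find expression for device files not to track

# Print the mount points (field 3 of "dev on point type fs (opts)") that
# survive the filter. $1: mount(8) output.
mount_points_to_scan() {
    printf '%s\n' "$1" | grep -vE "$CHECKSECURITY_FILTER" | awk '{ print $3 }'
}

# Print nfs mount points lacking nodev and lacking both nosuid and noexec
# (this example's reading of "missing nodev and either noexec or nosuid").
insecure_nfs_mounts() {
    printf '%s\n' "$1" | awk '$5 ~ /^nfs/ && $6 !~ /[(,]nodev[,)]/ &&
        $6 !~ /[(,](nosuid|noexec)[,)]/ { print $3 }'
}

# find(1) over one mount point: prune EXAMPLE_PRUNE, then print
# "mode owner group path" for setuid/setgid regular files and for block or
# character devices not matched by EXAMPLE_DEVFILTER. -xdev keeps the walk on
# that one file system (assumed, not stated by the page).
find_setuid() {
    set -f   # expand the filter variables as find arguments, never as globs
    # shellcheck disable=SC2086
    find "$1" -xdev \( $EXAMPLE_PRUNE \) -prune -o \
        \( \( -type f -perm /6000 \) -o \
           \( \( -type b -o -type c \) ! \( $EXAMPLE_DEVFILTER \) \) \) \
        -printf '%m %u %g %p\n'
    set +f
}

# Scan one mount point, honouring EXAMPLE_NOFINDERRORS, sorted so that two
# runs can be compared with diff.
scan_mount_point() {
    if [ "$EXAMPLE_NOFINDERRORS" = "TRUE" ]; then
        find_setuid "$1" 2>/dev/null
    else
        find_setuid "$1"
    fi | sort
}

# One daily-style run: rotate the previous list, write a fresh one from every
# surviving mount point, warn about insecure nfs mounts, print the changes.
# $1: directory for the lists (created if missing); $2: mount(8) output.
run_check() {
    logdir=$1
    mkdir -p "$logdir"
    [ -f "$logdir/setuid.current" ] && mv "$logdir/setuid.current" "$logdir/setuid.previous"
    [ -f "$logdir/setuid.previous" ] || : > "$logdir/setuid.previous"
    mount_points_to_scan "$2" | while read -r mp; do
        scan_mount_point "$mp"
    done > "$logdir/setuid.current"
    if [ "$EXAMPLE_NONFSWARN" != "TRUE" ]; then
        insecure_nfs_mounts "$2" | sed 's/^/insecure nfs mount: /'
    fi
    # diff exits 1 when the lists differ; that is a report, not a failure
    diff "$logdir/setuid.previous" "$logdir/setuid.current" || :
}
```

Lines beginning with '>' in the diff are setuid programs or devices seen for
the first time, lines beginning with '<' have disappeared, and a change of
owner or mode shows up as one of each. Setting EXAMPLE_PRUNE to '-path /some/dir'
makes everything beneath it vanish from the list on the next run, which is the
same blind spot the prune filter creates in checksecurity itself.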
/etc/checksecurity.conf - checksecurity configuration file
- setuid files from the most recent run
- setuid files from the previous run