find_suid_sgid_files

This check reports all files with the SUID or SGID bit set. Every file reported by this check should be carefully audited, especially shell scripts and home-grown or in-house executables, that is, executables that are not shipped with the system. SUID/SGID files carry the risk of escalating the privileges of a normal user to those of the file's owner or group. If such files or scripts genuinely need to exist, they should be examined specifically for whether they allow files to be created with elevated privileges.

This check can be modified to report only SUID files (-4000) or only SGID files (-2000) by setting the find_option tag:

find_option: [suid | sgid | both]

The both setting is the default if no find_option tag is specified.

By default, the search is done recursively under the '/' directory. Depending on the number of files present on the remote system, this can make the check extremely slow to execute. If needed, the default base directory to search can be changed with the optional keyword basedir. It is also possible to exclude certain files or directories within the base directory from the search with another optional keyword, ignore.

Due to the nature of the check, it is normal for it to keep running for a couple of hours, depending on the type of system being scanned. The check can be given a timeout tag with a value between 1 and 7,200 seconds to bound its processing time.

Usage

<item>
  name: "find_suid_sgid_files"
  description: "This check finds all the files which have their SUID or SGID bit set."
  (optional) find_option: "[suid | sgid | both]"
  # Globs allowed (? and *)
  (optional) basedir: "<directory>"
  (optional) ignore: "<directory>"
  (optional) timeout: "[1 - 7200]"
</item>

Example

<item>
  name: "find_suid_sgid_files"
  description: "Search for SUID/SGID files"
  # Globs allowed (? and *)
  basedir: "/"
  ignore: "/usr/sbin/ping"
</item>
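To make the behaviour of the basedir, ignore, find_option and timeout keywords concrete, here is an added stand-alone Python equivalent of the walk the check performs (example code written for this page, not the scanner's own implementation). The function name, the (matches, timed_out) return shape and the is_script helper are this example's own choices; ignore accepts one glob pattern with ? and *, as the keyword does.

```python
import fnmatch
import os
import stat
import time


def find_suid_sgid_files(basedir="/", find_option="both", ignore=None, timeout=7200):
    """Return (sorted list of regular files under basedir with the selected bit(s) set, timed_out).

    find_option: "suid" (-4000), "sgid" (-2000) or "both" (either bit), as in the check.
    ignore:      optional glob (? and *) matched against full paths; a matching directory
                 is pruned so its subtree is never entered.
    timeout:     seconds; when exceeded the partial result is returned with timed_out=True.
    """
    wanted = {"suid": stat.S_ISUID,
              "sgid": stat.S_ISGID,
              "both": stat.S_ISUID | stat.S_ISGID}.get(find_option)
    if wanted is None:
        raise ValueError("find_option must be suid, sgid or both")

    def ignored(path):
        return ignore is not None and fnmatch.fnmatch(path, ignore)

    deadline = time.monotonic() + timeout
    matches = []
    for root, dirs, files in os.walk(basedir):
        if time.monotonic() > deadline:
            return sorted(matches), True
        # Prune ignored directories in place so os.walk does not descend into them.
        dirs[:] = [d for d in dirs if not ignored(os.path.join(root, d))]
        for name in files:
            path = os.path.join(root, name)
            if ignored(path):
                continue
            try:
                st = os.lstat(path)  # lstat: a symlink's own mode is irrelevant, skip it below
            except OSError:
                continue  # unreadable or vanished entry; keep scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & wanted:
                matches.append(path)
    return sorted(matches), False


def is_script(path):
    """True if the file starts with a '#!' line: SUID/SGID scripts deserve the closest audit."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


if __name__ == "__main__":
    hits, timed_out = find_suid_sgid_files("/", "both", ignore="/usr/sbin/ping", timeout=600)
    for hit in hits:
        print(("SCRIPT " if is_script(hit) else "binary ") + hit)
    if timed_out:
        print("warning: scan stopped at timeout; results are partial")
```

Run it as root for a complete picture, since directories unreadable to the scanning user are silently skipped, exactly as the continue on OSError above does.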