login_shells_with_suid

This built-in function verifies that no login shell has the "set-uid" (or "set-gid") bit set.

A "setuid" shell means that whenever the shell is started, the resulting process runs with the privileges of the file's owner rather than those of the user who launched it (a setuid "root" shell, for instance, grants super-user privileges to anyone who can execute it).

Having a "setuid" shell defeats the purpose of having UIDs and GIDs and makes access control much harder to reason about.

Remove the SUID bit from each shell that is "setuid".
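As an added example (not the built-in's own implementation), the following POSIX shell function performs the same check over a shells file in /etc/shells format; make_fixture constructs sample shell files in a temporary directory so the check can be run without root:

```shell
#!/bin/sh
# Added example: report login shells whose mode carries the setuid or
# setgid bit. Reads a shells file (default /etc/shells; one path per
# line, '#' comments and blank lines allowed) and prints each listed
# shell that exists and has u+s or g+s set.
login_shells_with_suid() {
  shells_file="${1:-/etc/shells}"
  grep -v '^[[:space:]]*#' "$shells_file" | grep -v '^[[:space:]]*$' |
  while IFS= read -r shell; do
    [ -f "$shell" ] || continue          # skip entries that do not exist
    if [ -u "$shell" ] || [ -g "$shell" ]; then
      printf '%s\n' "$shell"             # finding: setuid or setgid shell
    fi
  done
}

# Constructed fixture (assumption, not real system data): fake shell
# binaries owned by the current user, one clean, one setuid, one setgid,
# plus a listed shell that does not exist on disk.
make_fixture() {
  dir=$(mktemp -d)
  for s in sh bash zsh; do : > "$dir/$s"; done
  chmod 0755 "$dir/sh"      # no special bits: must not be reported
  chmod 4755 "$dir/bash"    # setuid bit set: must be reported
  chmod 2755 "$dir/zsh"     # setgid bit set: must be reported
  printf '# constructed shells file\n%s/sh\n%s/bash\n%s/zsh\n%s/ksh\n' \
    "$dir" "$dir" "$dir" "$dir" > "$dir/shells"
  echo "$dir"
}

# Stand-alone run: build the fixture and print the offending shells.
if [ "${RUN_DEMO:-1}" = 1 ]; then
  d=$(make_fixture)
  login_shells_with_suid "$d/shells"
fi
```

Remediation for each reported path is the step described above (chmod u-s,g-s on the shell), after which the function prints nothing.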

Usage

<item>

name: "login_shells_with_suid"

description: "This check reports user accounts with login shells that have setuid or setgid privileges."

</item>