Monitoring Files with Special Permissions
Find all setuid and setgid programs on your system, and keep track of what they are, so that you are aware of any changes, which could indicate a potential intruder. Use the following command to find all setuid and setgid programs on your system (current versions of GNU find no longer accept the older -perm +6000 spelling; /6000 matches files with either bit set):
user@myhost# find / -type f -perm /6000 -ls
You can selectively remove the setuid or setgid permissions from a suspicious program with chmod(1), then restore them if you decide they are genuinely necessary.
World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files at will. To locate all world-writable files on your system, use the following command:
user@myhost# find / -perm -2 ! -type l -ls
and be sure you know why those files are writable. In the normal course of operation, several files will be writable, including some from /dev.
Unowned files may also be an indication that an intruder has accessed your system. You can locate files on your system that do not have an owner, or that belong to a group which does not exist, with the command:
root@myhost# find / -nouser -o -nogroup
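The three find commands above only report what is on the system today; the advice to "keep track of what they are" needs a saved listing to compare against. The following script is an added example, not part of the HOWTO: it records a baseline of setuid/setgid, world-writable and unowned files under a directory tree and diffs later runs against it, so a newly setuid, newly world-writable or newly unowned file stands out as a "+" line. It assumes GNU find (for -perm /6000 and -printf); the function names and the example baseline path are this example's own.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): baseline the files the three find
# checks report, then compare later runs against that baseline.
# Assumes GNU find (-perm /6000, -printf). Function names are this
# example's own.

# special_perm_files ROOT
#   Regular files that are setuid or setgid (either bit of 6000), plus any
#   non-symlink file or directory that is world-writable (the -perm -2
#   test). One "mode owner group path" line each, sorted so that two
#   listings can be diffed.
special_perm_files() {
    find "$1" ! -type l \( \( -type f -perm /6000 \) -o -perm -2 \) \
        -printf '%M %u %g %p\n' 2>/dev/null | sort
}

# unowned_files ROOT
#   Entries whose uid or gid has no passwd/group entry (the
#   -nouser -o -nogroup test), printed as "uid gid path".
unowned_files() {
    find "$1" \( -nouser -o -nogroup \) -printf '%U %G %p\n' 2>/dev/null | sort
}

# audit_listing ROOT: both listings in one stream, unowned entries tagged.
audit_listing() {
    special_perm_files "$1"
    unowned_files "$1" | sed 's/^/UNOWNED /'
}

# baseline ROOT FILE: save the current listing for later comparison.
baseline() {
    audit_listing "$1" > "$2"
}

# check ROOT FILE: diff the saved baseline against the live listing.
#   Exit status 0 means nothing changed; 1 means lines were added, removed
#   or changed mode/owner (the diff output says which); 2 means diff failed.
check() {
    audit_listing "$1" | diff -u "$2" -
}

# Usage: sh special-perms.sh baseline|check ROOT BASELINE_FILE
# e.g.   sh special-perms.sh baseline / /var/lib/special-perms.base
#        sh special-perms.sh check    / /var/lib/special-perms.base
# (the baseline path is a placeholder; pick one only root can write)
case "${1:-}" in
    baseline) baseline "$2" "$3" ;;
    check)    check "$2" "$3" ;;
esac
```

Take the baseline once from a state you have already reviewed, keep the baseline file somewhere unprivileged users cannot modify, and run the check from cron; a non-zero exit status with "+" lines in the output is the signal that something gained setuid, setgid or world-write permission, or lost its owner, since the last review.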