Ensure System Integrity Through Setuid And Setgid File Monitoring

Monitoring system files is crucial in maintaining host integrity. setuid and setgid files on your system are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed. A favorite trick of crackers is to exploit "set-user-id root" programs (a frequent cause of buffer overflows), then leave a setuid program as a back door to get in the next time, even if the original hole is plugged.

Find all setuid and setgid programs on your system, and keep track of what they are, so you are aware of any changes which could indicate a potential intruder. Use the following command to find all setuid and setgid programs on your system:

        
             user@myhost#  find / -type f -perm +6000 -ls

You can discriminately remove the setuid or setgid permissions on a suspicious program with chmod(1), then change it back if you absolutely feel it is necessary.

World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he wishes. To locate all world-writable files on your system, use the following command:

        
             user@myhost# find / -perm -2 ! -type l -ls

and be sure you know why those files are writable. In the normal course of operation, several files will be writable, including some from /dev.

Unowned files may also be an indication an intruder has accessed your system. You can locate files on your system that do not have an owner, or belong to a group with the command:

        
             root@myhost# find / -nouser -o -nogroup