Security Audit Patterns

SUID files — executables that run as the file's owner
# Enumerate every SUID binary on the system. Run unprivileged: the
# "Permission denied" noise under /proc is expected and is discarded here.
find / -type f -perm -u+s -print 2>/dev/null | sort

# Inspect the SUID binaries in /usr/bin against a short, known baseline
find /usr/bin -type f -perm -u+s -exec ls -la -- {} +
SGID files — executables that run with the file's group
# Enumerate every SGID binary
find / -type f -perm -g+s -print 2>/dev/null | sort

# SUID and SGID in a single pass: -perm /6000 matches either bit
find / -type f -perm /6000 -exec ls -la -- {} + 2>/dev/null
World-writable files — anyone can modify
# World-writable regular files, skipping /proc, /sys and /tmp (first 20 hits)
find / \( -path /proc -o -path /sys -o -path /tmp \) -prune \
  -o -type f -perm -0002 -print 2>/dev/null | head -20
World-writable directories without sticky bit — deletion risk
# Directories that are world-writable but lack the sticky bit: anyone can
# write AND remove other users' files inside them
find / \( -path /proc -o -path /sys \) -prune \
  -o -type d -perm -0002 ! -perm -1000 -print 2>/dev/null

# Reference point: /tmp is world-writable *with* the sticky bit (drwxrwxrwt, 1777)
ls -ld /tmp
Files with no owner — orphaned after user deletion
# Files whose owning UID has no /etc/passwd entry (first 20 hits)
find / \( -path /proc -o -path /sys \) -prune -o -nouser -print 2>/dev/null \
  | head -20
Files with no group — orphaned after group deletion
# Files whose owning GID has no /etc/group entry (first 20 hits)
find / \( -path /proc -o -path /sys \) -prune -o -nogroup -print 2>/dev/null \
  | head -20
Recently modified system files — potential compromise indicator
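# System binaries modified in the last 24 hours — should be rare outside updates.
# Cross-check any hit against the package manager (rpm -Va / debsums) before
# treating it as a finding.
find /usr/bin /usr/sbin /usr/lib -type f -mtime -1 \
  -printf '%T+ %p\n' 2>/dev/null | sort -r

# mtime is user-settable (touch can reset it), so repeat the check on ctime,
# which the kernel updates on every inode change and touch cannot set
find /usr/bin /usr/sbin /usr/lib -type f -ctime -1 \
  -printf '%C+ %p\n' 2>/dev/null | sort -r

# Config files modified in last 24 hours
find /etc -type f -mtime -1 -printf '%T+ %p\n' 2>/dev/null | sort -r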
Find .ssh directories and check permissions
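# Find all .ssh directories (including root's; other users' homes need root)
find /home /root -name ".ssh" -type d -exec ls -ld -- {} + 2>/dev/null

# Directories writable by group/other — sshd (StrictModes) rejects these
find /home /root -name ".ssh" -type d -perm /022 \
  -printf 'INSECURE DIR: %m %u:%g %p\n' 2>/dev/null

# Check permissions on keys — private keys 600 (or 400), public keys 644
find /home /root -path '*/.ssh/*' -type f \
  -printf '%m %u:%g %p\n' 2>/dev/null

# Flag private keys with ANY group/other permission bit set.
# '-perm /077' is used instead of '! -perm 600' because the latter also
# flags 0400, which is read-only and accepted by ssh.
find /home /root -path '*/.ssh/id_*' ! -name '*.pub' -type f \
  -perm /077 -printf 'INSECURE: %m %p\n' 2>/dev/null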
Find files with capabilities — elevated privileges without SUID
# Binaries carrying Linux file capabilities (needs getcap from libcap);
# these gain specific privileges without being SUID
find /usr/bin /usr/sbin -type f -exec getcap '{}' + 2>/dev/null

# Typical, expected output:
# /usr/bin/ping cap_net_raw=ep
# /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
Writable config files in /etc — should be root-only
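# *.conf files writable by group or other (potential misconfiguration).
# '-perm /022' matches either the g+w or the o+w bit.
find /etc -name "*.conf" -type f -perm /022 \
  -exec ls -la -- {} + 2>/dev/null

# Same check across all of /etc — the most sensitive files (passwd, shadow,
# sudoers, cron.d/*) do not carry a .conf suffix
find /etc -type f -perm /022 -exec ls -la -- {} + 2>/dev/null

# All files in /etc not owned by root
find /etc -type f ! -user root -printf '%u %p\n' 2>/dev/null | head -20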