mediumfilesystemverified ✓
Audit SUID executables
audit-suid-files · RHEL ≥ 8 · 1 impl
Description
SUID (Set User ID) executables run with the file owner's privileges. The list of SUID files should be reviewed regularly to ensure no unauthorized SUID binaries exist.
Rationale
SUID binaries can be exploited to gain elevated privileges. Regular auditing ensures only authorized programs have SUID set and helps detect potential privilege escalation vectors.
Check → Remediate
Checkcommand
find / -xdev -type f -perm -4000 2>/dev/null | wc -l
- expected_exit:
- 0
Remediatemanual
- note:
- Review SUID files and remove SUID bit from unauthorized programs: find / -xdev -type f -perm -4000 Compare against a known-good baseline. Remove SUID if not needed: chmod u-s <file>
Framework references
CIS
rhel8 7.2.4rhel10 7.2.4rhel9 7.2.4
NIST 800-53
AC-6CM-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#permissions#suid#privilege-escalation#audit