← Rules Catalog
mediumfilesystemverified

Audit SUID executables

audit-suid-files · RHEL ≥ 8 · 1 impl

Description

SUID (Set User ID) executables run with the file owner's privileges. The list of SUID files should be reviewed regularly to ensure no unauthorized SUID binaries exist.

Rationale

SUID binaries can be exploited to gain elevated privileges. Regular auditing ensures only authorized programs have SUID set and helps detect potential privilege escalation vectors.

Check → Remediate

Checkcommand
find / -xdev -type f -perm -4000 2>/dev/null | wc -l
expected_exit:
0
Remediatemanual
note:
Review SUID files and remove SUID bit from unauthorized programs: find / -xdev -type f -perm -4000 Compare against a known-good baseline. Remove SUID if not needed: chmod u-s <file>

Framework references

CIS

rhel8 7.2.4rhel10 7.2.4rhel9 7.2.4

NIST 800-53

AC-6CM-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#permissions#suid#privilege-escalation#audit