man permchk




NAME

  permchk - execute process-setuid on a platform of systems


SYNOPSIS

  permchk [-options] platform


DESCRIPTION

  The permchk script is distributed with uaxtools and invokes process-setuid across a
  collection of systems (platform).  These scripts are intended to compare the mode,
  ownership, and sum of [sg]uid, acl, and o+w files with a registry of known files.
  General recommendations are to run permchk weekly and after any system update.  This
  script uses the permchk_os wrapper, which can be used to customize for a site, e.g.,
  what constitutes a platform, whether to use push or dsh, and so on.

  Many traditional UNIX implementations contained inappropriate suid files which could
  be exploited by users to gain root authority.  While modern Linux implementations
  typically do not have this issue, it is still appropriate to audit all [sg]uid files
  on a system.  This does require that prelink be disabled (which is a good idea
  regardless).  The etc/sguid.list file contains two sets of mode and ownership, the
  "old" (original) and "new" (site defined) for files.  The file is described in
  'man process-setuid'.
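
  The kind of audit described above, as an added example that is not uaxtools code and
  not how process-setuid is implemented.  Assumptions: the registry layout
  (path -> mode, uid, SHA-256), the use of SHA-256 in place of sum, the names audit and
  sha256_of, and the /usr/bin scan path.

```python
import hashlib
import os
import stat

# Bits that make a file worth auditing: setuid, setgid, world-writable (o+w).
AUDIT_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(root, registry):
    """Return sorted (path, problem) findings for regular files under root.
    registry maps path -> (mode, uid, sha256); this layout is an assumption
    for this example and is NOT the uaxtools sguid.list format.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # lstat: a symlink to a setuid binary is not itself a finding.
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            known = registry.get(path)
            if known is None:
                # Unknown file: only report it if it carries an audited bit.
                if mode & AUDIT_BITS:
                    findings.append((path, "unregistered %04o" % mode))
                continue
            want_mode, want_uid, want_sum = known
            if mode != want_mode:
                findings.append((path, "mode %04o != %04o" % (mode, want_mode)))
            if st.st_uid != want_uid:
                findings.append((path, "uid %d != %d" % (st.st_uid, want_uid)))
            if sha256_of(path) != want_sum:
                findings.append((path, "checksum changed"))
    return sorted(findings)


if __name__ == "__main__":
    for path, problem in audit("/usr/bin", {}):  # assumed path; empty registry
        print(path, problem)
```

  With an empty registry every [sg]uid or o+w regular file is reported, which is the
  starting point for building a registry of known files.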


OPTIONS

  -a address
         email address

  -p select
         push|dsh selection

  -d date
         results re-report

  -b bindir
         binary directory

  -l list
         sguid.list file

  -n nodes
         max duplicate msg (default 4)

  -m lines
         max error lines (default 400)

  -r     sort by node not error

  -s     squash whitespace in report

  -v     verbose mode ('set -x')


ACKNOWLEDGEMENTS

  Written at the University of Alaska.  Ongoing maintenance via SourceForge by Denali
  Sun Consulting.

  Suggestions or bug reports can be directed to denalisun907@gmail.com.


RELATED INFORMATION

  See: uaxtools(8), process-setuid(8), push(8).