Provided by: checksecurity_2.0.16+nmu1ubuntu1_all bug


       check-setuid - check for changes to setuid programs




       The check-setuid is a plugin run by the checksecurity command. It scans
       the  mounted  files  systems  (subject  to  the   filter   defined   in
       /etc/checksecurity.conf)  and  compares  the list of setuid programs to
       the list created on the  previous  run.  Any  changes  are  printed  to
       standard  output.  Also, it generates a list of nfs and afs filesystems
       that are mounted insecurely (i.e. they are missing the nodev and either
       the noexec or nosuid flags).

       checksecurity is run by cron on a daily basis, and the output stored in


       The checksecurity.conf file defines  several  configuration  variables:
       CHECKSECURITY_NONFSAFS,                            CHECKSECURITY_EMAIL,
       is described below.

       The CHECKSECURITY_FILTER environment variable which is the argument  of
       'grep  -vE' applied to the output of the mount command. In other words,
       the value of CHECKSECURITY_FILTER is a regular expression that  removes
       matching  lines  from  those  file  systems  that  will be scanned. The
       default value removes all file  systems  of  type  proc,  bind,  msdos,
       iso9660,  ncpfs,  nfs,  afs,  smbfs,  auto,  ntfs,  coda  file systems,
       anything mounted on /dev/fd*, anything mounted on  /mnt  or  /amd,  and
       anything mounted with option nosuid or noexec.

       The checksecurity.conf file is sourced from checksecurity, so you could
       do some fairly tricky things to define CHECKSECURITY_FILTER.

       The CHECKSECURITY_NOFINDERRORS environment  variable,  if  set  to  the
       literal  "TRUE",  disables find errors from checksecurity (actually, it
       re-routes them to /dev/null ).

       The CHECKSECURITY_NONFSAFS environment variable, if set to the  literal
       "TRUE",  disables  the  message about nfs and afs file systems that are
       mounted without the nodev and either the noexec or nosuid options.

       If set, the CHECKSECURITY_EMAIL variable defines who is sent a copy  of
       the setuid.changes file.

       The  CHECKSECURITY_DEVICEFILTER  variable  specifies  a find clause for
       which matching block and character device files will not  be  monitored
       for  changing owners and permissions. For example, if you don't want to
       check for permission changes on tty  device  files  beneath  /dev,  you
       could set the following:

              CHECKSECURITY_DEVICEFILTER='-path /dev/tty*'

       Note  that  any  added  or modified suid programs under that path would
       still be  detected.  If  you  want  to  specify  multiple  expressions,
       separate  them  with  '-o',  but there is no need to surround the whole
       clause with parentheses. To disable this filter, specify it as '-false'
       (which is the default).

       Note  that if the system gets restarted often checksecurity will report
       a lot of changes in the /dev/ subdirectory due to timestamp changes. In
       this case you might want to change it to:

              CHECKSECURITY_DEVICEFILTER='-path /dev/'

       The  CHECKSECURITY_PATHFILTER  variable  specifies  a find clause which
       will be pruned from the  search  path.   This  means  that  the  entire
       subtree will be completely skipped.  Thus, specifying

              CHECKSECURITY_PATHFILTER='-path /var/ftp'

       then  the entire /var/ftp tree will be skipped. To disable this filter,
       specify it as '-false' (which is the default).

       LOGDIR sets the name of the directory  which  stores  the  files  which
       track  the  permission  and  ownership changes. By default, they are in


              checksecurity configuration file

              setuid files from the most recent run

              setuid files from the previous run