Provided by: checksecurity_2.0.16+nmu3ubuntu1_all bug

NAME

       check-setuid - check for changes to setuid programs

SYNOPSIS

       check-setuid

DESCRIPTION

       The  check-setuid is a plugin run by the checksecurity command. It scans the mounted files
       systems (subject to the filter defined in /etc/checksecurity.conf) and compares  the  list
       of  setuid  programs  to  the list created on the previous run. Any changes are printed to
       standard output. Also, it generates a list of nfs and afs  filesystems  that  are  mounted
       insecurely (i.e. they are missing the nodev and either the noexec or nosuid flags).

       checksecurity   is   run   by   cron   on   a  daily  basis,  and  the  output  stored  in
       /var/log/setuid/setuid.changes.

CONFIGURATION

       The checksecurity.conf file defines several configuration variables: CHECKSECURITY_FILTER,
       CHECKSECURITY_NOFINDERRORS,          CHECKSECURITY_NONFSAFS,          CHECKSECURITY_EMAIL,
       CHECKSECURITY_DEVICEFILTER,  CHECKSECURITY_PATHFILTER,  and  LOGDIR.   Each  is  described
       below.

       The  CHECKSECURITY_FILTER environment variable which is the argument of 'grep -vE' applied
       to the output of the mount command. In other words, the value of CHECKSECURITY_FILTER is a
       regular  expression  that  removes  matching  lines  from  those file systems that will be
       scanned. The default value removes all file systems of type proc,  bind,  msdos,  iso9660,
       ncpfs,  nfs,  afs,  smbfs,  auto,  ntfs,  coda file systems, anything mounted on /dev/fd*,
       anything mounted on /mnt or /amd, and anything mounted with option nosuid or noexec.

       The checksecurity.conf file is sourced from checksecurity, so you  could  do  some  fairly
       tricky things to define CHECKSECURITY_FILTER.

       The  CHECKSECURITY_NOFINDERRORS  environment  variable,  if  set  to  the  literal "TRUE",
       disables find errors from checksecurity (actually, it re-routes them to /dev/null ).

       The CHECKSECURITY_NONFSAFS environment variable, if set to the  literal  "TRUE",  disables
       the  message  about nfs and afs file systems that are mounted without the nodev and either
       the noexec or nosuid options.

       If set, the CHECKSECURITY_EMAIL variable defines who is sent a copy of the  setuid.changes
       file.

       The  CHECKSECURITY_DEVICEFILTER  variable specifies a find clause for which matching block
       and character device files will not be monitored for changing owners and permissions.  For
       example,  if  you  don't  want to check for permission changes on tty device files beneath
       /dev, you could set the following:

              CHECKSECURITY_DEVICEFILTER='-path /dev/tty*'

       Note that any added or modified suid programs under that path would still be detected.  If
       you want to specify multiple expressions, separate them with '-o', but there is no need to
       surround the whole clause with parentheses. To disable this filter, specify it as '-false'
       (which is the default).

       Note that if the system gets restarted often checksecurity will report a lot of changes in
       the /dev/ subdirectory due to timestamp changes. In this case you might want to change  it
       to:

              CHECKSECURITY_DEVICEFILTER='-path /dev/'

       The  CHECKSECURITY_PATHFILTER  variable  specifies a find clause which will be pruned from
       the search path.  This means that the entire subtree will be  completely  skipped.   Thus,
       specifying

              CHECKSECURITY_PATHFILTER='-path /var/ftp'

       then  the  entire  /var/ftp  tree  will  be skipped. To disable this filter, specify it as
       '-false' (which is the default).

       LOGDIR sets the name of the directory which stores the files which  track  the  permission
       and ownership changes. By default, they are in /var/log/setuid.

FILES

       /etc/checksecurity.conf
              checksecurity configuration file

       /var/log/setuid/setuid.today
              setuid files from the most recent run

       /var/log/setuid/setuid.yesterday
              setuid files from the previous run