Linux 101 : Checking files that could present potential security holes
Binary files, like all other files, carry attributes we can check to see whether they were modified recently. One of these attributes is mtime (modification time).
The ctime attribute (change time) also helps us: it shows the files whose metadata (permissions, owner, ...) has been modified.
To see if our file was modified in the last 24 hours, we could use the below command:
The "-1" refers to the last 24 hours; for 2 days, for example, we would use "-2".
We could use ctime instead of mtime to see the files whose metadata was modified.
In the command above, find goes through the "/bin" directory and lists the files that were changed in the last 24 hours ("-1").
If a file was modified, we could check its status to get more information - date of modification, access rights, ... - using the below command:
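The mtime and ctime checks above, together with the stat step, as an added example that is not part of the original post. It runs on a constructed temporary directory rather than "/bin", so it needs no root; the function names, the "-xdev" restriction to one filesystem and the use of "touch -t" to backdate a file are this example's choices, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post): list files under a directory whose
# content (mtime) or metadata (ctime) changed within the last N days, and show
# the full status of a suspect file with stat.

# Files whose content changed less than N days ago. find's "-mtime -N" means
# "modified less than N*24 hours ago"; "-mtime -1" is the last 24 hours.
recently_modified() {
    dir=$1
    days=${2:-1}
    find "$dir" -xdev -type f -mtime "-$days" 2>/dev/null | sort
}

# Files whose inode metadata (permissions, owner, link count, timestamps)
# changed less than N days ago. A backdated mtime does not hide a file here:
# changing the timestamp itself updates ctime, which only the kernel sets.
recently_changed() {
    dir=$1
    days=${2:-1}
    find "$dir" -xdev -type f -ctime "-$days" 2>/dev/null | sort
}

# Full status of one file: size, mode, owner, group and all three timestamps.
file_status() {
    stat "$1"
}

# Demo on a constructed directory. "old" gets a backdated mtime, so it is
# absent from the mtime list but still present in the ctime list.
demo_dir=$(mktemp -d)
touch "$demo_dir/fresh" "$demo_dir/old"
touch -t 202001010000 "$demo_dir/old"
echo "content modified in the last 24h:"; recently_modified "$demo_dir" 1
echo "metadata changed in the last 24h:"; recently_changed "$demo_dir" 1
file_status "$demo_dir/old"
rm -rf "$demo_dir"
```

On a real system replace the temporary directory with "/bin" (or "/") and compare the ctime list against the mtime list: a file that appears only in the ctime list had its timestamps or permissions touched without a content change, which is worth a closer look with stat.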
Programs with the SUID permission present a security risk because they run with the permissions of the file's owner for the duration of the execution of the program.
It's good to keep track of these files. To find the SUID files on our system, we use the below command:
Programs with the SGID permission also present a security risk, because they are executed with the permissions of the group that owns the file for the duration of the execution of the program.
In other words, this allows a user to have the same rights as the members of the file's group for the duration of the execution of the program.
To find the SGID files we use the below command:
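Finding SUID and SGID files and keeping track of them over time, as an added example that is not part of the original post. The baseline-and-diff function is this example's own idea of "keeping track"; the permission masks 4000 (set-user-ID) and 2000 (set-group-ID) are standard find "-perm" arguments. The demo files are constructed, so the example runs without root.

```shell
#!/bin/sh
# Added example (not from the original post): inventory SUID and SGID files
# under a directory and compare the inventory against a saved baseline.

# Regular files with the set-user-ID bit (mode 4000): they run with the
# privileges of the file owner, whoever executes them.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Regular files with the set-group-ID bit (mode 2000): they run with the
# privileges of the file's group.
find_sgid() {
    find "$1" -xdev -type f -perm -2000 2>/dev/null | sort
}

# Either bit, as a long listing so owner and group are visible at a glance.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null
}

# First run: save the sorted list of set-id files as the baseline.
# Later runs: print a diff; lines starting with ">" are set-id files that
# were not there before, lines starting with "<" have disappeared.
# Returns diff's status (1 when something changed), so callers can act on it.
compare_setid_baseline() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    { find_suid "$dir"; find_sgid "$dir"; } | sort -u > "$current"
    if [ -f "$baseline" ]; then
        diff "$baseline" "$current"
        status=$?
    else
        cp "$current" "$baseline"
        status=0
    fi
    rm -f "$current"
    return "$status"
}

# Demo on constructed files (an owner may set these bits on its own files).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo_dir/suid_prog"; chmod 4755 "$demo_dir/suid_prog"
printf '#!/bin/sh\n' > "$demo_dir/sgid_prog"; chmod 2755 "$demo_dir/sgid_prog"
touch "$demo_dir/plain"; chmod 0644 "$demo_dir/plain"
list_setid "$demo_dir"
compare_setid_baseline "$demo_dir" "$demo_dir/baseline.txt"   # creates the baseline
rm -rf "$demo_dir"
```

In practice the baseline lives outside the scanned tree (and ideally off the host), and the scan is run over "/" so a new set-id binary anywhere on the system shows up as a ">" line in the diff.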
Files with no owner could also present a security risk. We could find them using the below command:
A file will retain the UID of its deleted owner. A new user created with the same UID would then have access to this file.
The below command only removes the files owned by username in the user's home directory, not the ones that were created elsewhere.
We could use the below command to find the other files - created outside the user's home directory -:
Files that are not owned by any group could also present a security risk. We could look for them using the below command:
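Locating files with no valid owner or group, and files of a given user that live outside that user's home directory, as an added example that is not part of the original post. The function names and the "-xdev" / "-prune" choices are this example's; the demo directory tree is constructed so the example runs as an ordinary user.

```shell
#!/bin/sh
# Added example (not from the original post): find files whose owner or group
# no longer exists, and files of one user stored outside that user's home.

# Files whose UID or GID does not map to any entry in /etc/passwd or
# /etc/group. These are the leftovers a removed account can leave behind.
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# Files under "$1" owned by user "$2", skipping the home directory "$3"
# (which the account-removal command already clears). "$3" must be given
# without a trailing slash so that "-path" matches it exactly.
find_user_files_outside_home() {
    root=$1
    owner=$2
    home=$3
    find "$root" -xdev -path "$home" -prune -o -user "$owner" -print 2>/dev/null | sort
}

# Same search by numeric UID, for use after the account is gone and the
# user name no longer resolves.
find_uid_files_outside_home() {
    root=$1
    uid=$2
    home=$3
    find "$root" -xdev -path "$home" -prune -o -uid "$uid" -print 2>/dev/null | sort
}

# Demo on a constructed tree: a "home" for the current user and a file the
# same user left under "srv". Only the latter should be reported.
demo_root=$(mktemp -d)
me=$(id -un)
mkdir -p "$demo_root/home/$me" "$demo_root/srv"
touch "$demo_root/home/$me/notes" "$demo_root/srv/data"
echo "files of $me outside the home directory:"
find_user_files_outside_home "$demo_root" "$me" "$demo_root/home/$me"
echo "files with no valid owner or group (expected: none in a fresh tree):"
find_unowned "$demo_root"
rm -rf "$demo_root"
```

Run over "/" as root, the first function reports files that belong to nobody, and the second (or the UID variant) reports what a departing user left outside their home, so those files can be reassigned or removed before the UID is reused.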