id: suid-sgid

info:
  name: Root SUID/SGID File Check
  author: songyaeji
  severity: high
  description: |
    Files owned by root with SUID or SGID permissions could have led to privilege escalation.if misconfigured. This template detected such files for further review.
  reference:
    - https://isms.kisa.or.kr
  tags: linux,local,audit,compliance,privesc,kisas

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      find / -user root -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \; 2>/dev/null | head -n 10

    matchers:
      - regex:
          - "^-rws.*"   # SUID
          - "^-..s.*"   # SGID
# digest: 490a00463044022061acb684d2780baafc78c626e925de50807f037fe4b67af44437df254d16889a02204668b1b627f4944cbe222aa6ac9e513e65b2646214cfaa42353e5044ea9624aa:922c64590222798bb761d5b6d8e72950