Pete's Notebook: Check SUID/SGID program Audit rules

Here's an interesting BASH script that checks that all SUID/SGID files have a corresponding audit rule. Useful if you work in an environment where you are required to periodically perform this check, and like all good (lazy) sysadmins, wish you had a script to automate this task...

#!/bin/bash

for i in `lsblk --output MOUNTPOINT | grep /`
do

for j in `find ${i} -xdev -type f $ -perm -4000 -o -perm -2000 $`
do
if [ "$(grep -c ${j} /etc/audit/audit.rules)" -ge 1 ]; then
# If there is a rule...do nothing?

    echo "" > /dev/null
   else
    echo "suid/sgid program ${j} - NO audit rule!"
   fi
done
done

exit 0

What's here:

Check SUID/SGID program Audit rules