
I have to list all SUID binaries on my server with osquery. I assume that suid_bin should give me all of them, but it seems that it misses some. I'm using it like this:

Select * from suid_bin

But if I do a manual check on /usr, for example, I find some that are not in my previous results. To manually check a specific folder I'm using the following query:

SELECT * FROM file WHERE path LIKE "/usr/%%" and mode like "4755";

Could you tell me what I'm doing wrong here? I'm still learning osquery, so I'm not comfortable with its queries yet...

RamblinRose
Eiga

1 Answer


This is the documented behavior.

Looking across an entire filesystem is an expensive operation. So, as described in the schema, the suid_bin table looks for SUID binaries in common locations, not exhaustively. If you want to see the list of places it looks, it's in the source code.

As you discovered, the file table will let you recursively search the filesystem.

seph
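Added example, not part of the question or the answer above: two osquery queries that put the answer into practice. The first does the exhaustive walk the file table allows, scoped to a few roots; the second reports the setuid files that walk finds but suid_bin does not, which is the gap the question describes. Both assume, as the question's own `4755` literal suggests, that file.mode is the four-digit octal permission string, so the leading digit carries the setuid (4), setgid (2) or both (6) bit; the roots /usr, /opt and /var are placeholders to adjust for your host.

```sql
-- Exhaustive setuid/setgid search under chosen roots (added example, not osquery's own).
-- A trailing %% in the LIKE pattern tells the file table to recurse into subdirectories.
-- type = 'regular' skips directories and symlinks, which also carry mode strings.
SELECT path, mode, uid, gid, mtime
FROM file
WHERE (path LIKE '/usr/%%' OR path LIKE '/opt/%%' OR path LIKE '/var/%%')
  AND type = 'regular'
  AND (mode LIKE '4%' OR mode LIKE '2%' OR mode LIKE '6%');

-- Files the recursive walk finds that suid_bin does not report (the "missing" ones).
-- LEFT JOIN on the full path and keep rows with no match on the suid_bin side.
SELECT f.path, f.mode, f.uid, f.gid
FROM file AS f
LEFT JOIN suid_bin AS s ON s.path = f.path
WHERE f.path LIKE '/usr/%%'
  AND f.type = 'regular'
  AND (f.mode LIKE '4%' OR f.mode LIKE '6%')
  AND s.path IS NULL;
```

The recursive file walk is the expensive part the answer warns about, so keep the roots narrow and, if you schedule it in a query pack, give it a long interval. The second query doubles as a detection: a new setuid binary appearing outside the common locations suid_bin covers is exactly the kind of change worth alerting on.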