Simple security check on your servers

    Hello!

    I suggest running a simple security check on your servers.

    The idea is very simple. Switch to the user that a service such as the web server or database runs as, and list which files on the system that user can read and which it can write. Repeat this for every user that runs a service exposed to the outside world. If you have never done this before, the results may be alarming, but do not panic; just fix everything quickly.

    Note, for example, that the Apache user should not have permission to modify or delete the Apache logs.

    Happy New Year!

    Linux


    Read check

    su -l www-data
    # if the account's shell is /usr/sbin/nologin, use instead: su -s /bin/sh -l www-data
    find / -type d \( -wholename '/dev/*' -o -wholename '/sys/*' -o -wholename '/proc/*' \) -prune -o -exec test -r {} \; -exec echo {} is readable \; 2>/dev/null
    

    Write check

    su -l www-data
    # if the account's shell is /usr/sbin/nologin, use instead: su -s /bin/sh -l www-data
    find / -type d \( -wholename '/dev/*' -o -wholename '/sys/*' -o -wholename '/proc/*' \) -prune -o -exec test -w {} \; -exec echo {} is writable \; 2>/dev/null

    FreeBSD


    Read check

    su -m www -c /usr/local/bin/bash
    find / -type d \( -name dev \) -prune -o -exec test -r {} \; -exec echo {} is readable \; 2>/dev/null
    

    Write check

    su -m www -c /usr/local/bin/bash
    find / -type d \( -name dev \) -prune -o -exec test -w {} \; -exec echo {} is writable \; 2>/dev/null
    


    PS
    The output of these commands can be redirected to a file and then inspected with whatever tools are convenient, for example collapsing the writable paths to their first three components:
    cut -d'/' -f1,2,3 < write.out | sort -u
    


    UPDATE
    timukas pointed out that newer versions of GNU find make the check even easier:
    su -l user
    find / ! -writable
    find / -writable
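
As an added example (not part of the original post), the same audit can be run from root without switching users, by evaluating the classic owner/group/other mode bits for a given service account; it prunes /dev, /proc and /sys like the find commands above, skips directories the account cannot search, and collapses the result the way the cut | sort -u pipeline does. It models only plain POSIX permissions (no ACLs, capabilities or MAC policies), and the function names scan, can_access, user_ids and summarize are my own.

```python
import grp
import os
import pwd
import stat
import sys

PRUNE = ("/dev", "/proc", "/sys")  # pseudo-filesystems the post prunes
R, W, X = 4, 2, 1  # permission bits within one rwx triplet of st_mode

def can_access(st, uid, gids, perm):
    """Classic POSIX mode-bit check; ignores ACLs, capabilities and MAC policies."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool(st.st_mode & (perm << shift))

def user_ids(name):
    """uid and the full group-id set of a service account such as www-data."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}

def scan(root, uid, gids):
    """Return (readable, writable) path lists as the given uid would see them."""
    readable, writable, descend = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the link itself, not its target
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if can_access(st, uid, gids, R):
                readable.append(path)
            if can_access(st, uid, gids, W):
                writable.append(path)
            # Only descend into directories the uid can search and that are not pruned.
            if stat.S_ISDIR(st.st_mode) and path not in PRUNE and can_access(st, uid, gids, X):
                descend.append(name)
        dirnames[:] = descend
        descend = []
    return readable, writable

def summarize(paths, depth=3):
    """Collapse to the first `depth` components, like cut -d'/' -f1,2,3 | sort -u."""
    return sorted({"/".join(p.split("/")[:depth]) for p in paths})

if __name__ == "__main__":  # usage: sudo python3 check.py www-data
    uid, gids = user_ids(sys.argv[1] if len(sys.argv) > 1 else "www-data")
    print("\n".join(p + " is writable" for p in summarize(scan("/", uid, gids)[1])))
```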
    
