COP 2344 (Shell Scripting) Project #7
Finding Suspicious Files


Due: by the start of class on the date shown on the syllabus


As a system administrator you use the find command to locate suspicious files.  These are files whose presence indicates something is wrong.  Some attributes that make a file suspicious include:

  1. world writable files
  2. files with no valid owner and/or group
  3. setUID and/or setGID files
  4. files with unusual permissions (odd combinations, executables in data directories, etc.)
  5. files with unusual sizes
  6. files with unusual names (e.g., names of just dots, names ending with space(s), names containing shell wildcard characters, names containing non-ASCII (control) characters)
  7. files with unusual dates (e.g., very old or a future date, last modified time prior to creation time, ...)
  8. device (i.e., block or character special) files outside of /dev
  9. non-executable files in directories such as /bin

Additionally after an update of system software you may locate files with .rpmnew or .rpmsaved extensions.  These need to be examined so that the associated service configuration can be updated correctly.

Not all suspicious files indicate a problem!  For example it is common for some files to be word-writable, including symlinks and certain directories (such as /tmp) that have the sticky (or text) bit set.  Directories and database files often have the setGID set, and so on.  What is needed is that the System Administrator examine these to make sure they don't indicate problems.


Write a find command (or pipeline) that searches mounted disks looking for suspicious files and reporting their pathnames.  Be sure not to include non-Unix/Linux filesystems in your search; that is, skip /proc and other fake filesystems, any removable media, any Windows partitions, and any remotely mounted filesystems (such as NFS or Samba shares).

Correctly skipping non-suspicious files is worth 50%.  Each of the suspicious file indicators listed above that you actually test for correctly are worth 5% each.

Additional Notes:

Please review the find command tutorial resource from our class web page.

You should also review the filesystem Hierarchy Standard to determine the likely contents of standard directories.

A while-list of previously found suspicious files that turned out to be all right, and having the script skip them would make the reports better.  Of course you than need to manage (add new entries to the list, delete entries from the list when the file is changed or deleted) and secure the white-list itself from modification (say by a digital signature).  This is not easy to get right and is not a requirement for this project.

To be turned in:

A copy of your command/pipeline/script.

You can send as email to .  Please see your syllabus for more information about submitting projects.