ncheck -s /dev/root | xargs ls -ld | cut -f2 | grep -v ~/dev/ ls -l '/etc/ncheck -s /dev/root | cut -f2 | grep -v dev'The ncheck(1M) command, by itself, can be used on a mounted or unmounted file system. Only the superuser may use ncheck. The normal output of the ncheck -s command includes special files. Here, the grep command removes device files from the output. This filtering is applicable only for the root filesystem. The output of the modified ncheck is then used as an argument to the ls command. The filesystem must be mounted for the ls command to succeed. In this example output, nothing looks suspicious:
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /bin/df -rwxr-sr-x 1 root sys 32272 Aug 10 15:53 /bin/ipcs -r-xr-sr-x 2 bin mail 32852 Aug 11 01:28 /bin/mail -r-sr-xr-x 1 root sys 11416 Aug 11 01:26 /bin/mkdir -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /bin/newgrp -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /bin/passwd -r-xr-sr-x 1 bin sys 27964 Aug 11 01:28 /bin/ps -r-xr-sr-x 2 bin mail 32852 Aug 11 01:28 /bin/rmail -r-sr-xr-x 1 root sys 11804 Aug 11 01:26 /bin/rmdir -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /bin/su -r-xr-sr-x 1 bin sys 21212 Aug 10 16:08 /etc/whodoFor XFS filesystems, use the find command:
find / -perm -4000 -print