I'm looking for a way to periodically check a file system tree for permissions that have been set incorrectly.
The context is:
- this is in an academic compute environment, with students, researchers and overworked sysadmins
- the focus is not on malicious actors, but rather mistakes made by any of the above
- existing users/group hierarchy
- prevention does not have to be immediate, we're thinking of something that can run daily
- ideally don't want to have to install extra tools such as tripwire
- don't need a forensic trail to be captured
My hunch is a script that:
- runs daily via cron
- runs as a user with read permissions for the entire tree
- checks that rwx is off for the "all" bits.. (more rules to be added)
Before I start this, is there an established way to do this that I'm not aware of?