From fce418044af4a01b3a71e4e696a2abd93a71758c Mon Sep 17 00:00:00 2001
From: stef
Date: Mon, 20 Apr 2026 16:06:42 +0200
Subject: [PATCH] Actualiser README.md
---
 README.md | 280 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 280 insertions(+)
diff --git a/README.md b/README.md
index 65f3199..61d5178 100644
--- a/README.md
+++ b/README.md
@@ -98,3 +98,283 @@ sudo crontab -e } ```
+### Exemple d'execution
+```
+root@bv01:~# /usr/local/bin/audit-suid.py
+================================================================================
+SUID/SGID Security Audit Tool - Linux Privilege Scanner
+Début de l'audit: 2026-04-20 13:55:09
+================================================================================
+2026-04-20 13:55:09,631 - INFO - Liste blanche chargée: 20 SUID, 8 SGID
+2026-04-20 13:55:09,631 - INFO - Début de l'audit depuis /
+2026-04-20 13:55:09,686 - INFO - Progression: 10000 fichiers parcourus...
+2026-04-20 13:55:09,736 - INFO - Progression: 20000 fichiers parcourus...
+2026-04-20 13:55:09,786 - INFO - Progression: 30000 fichiers parcourus...
+2026-04-20 13:55:09,858 - INFO - Progression: 40000 fichiers parcourus...
+2026-04-20 13:55:09,919 - INFO - Progression: 50000 fichiers parcourus...
+2026-04-20 13:55:09,981 - INFO - Progression: 60000 fichiers parcourus...
+2026-04-20 13:55:10,036 - WARNING - [ALERTE SUID] /usr/libexec/spice-client-glib-usb-acl-helper (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,038 - WARNING - [ALERTE SUID] /usr/sbin/mount.cifs (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,039 - WARNING - [ALERTE SGID] /usr/sbin/pam_extrausers_chkpwd (propriétaire: root, groupe: shadow)
+2026-04-20 13:55:10,039 - WARNING - [ALERTE SGID] /usr/sbin/unix_chkpwd (propriétaire: root, groupe: shadow)
+2026-04-20 13:55:10,041 - WARNING - [ALERTE SUID] /usr/sbin/pppd (propriétaire: root, groupe: dip)
+2026-04-20 13:55:10,042 - INFO - Progression: 70000 fichiers parcourus...
+2026-04-20 13:55:10,056 - INFO - [OK SGID] /usr/bin/chage
+2026-04-20 13:55:10,057 - WARNING - [ALERTE SUID] /usr/bin/fusermount3 (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,057 - INFO - [OK SGID] /usr/bin/expiry
+2026-04-20 13:55:10,058 - INFO - [OK SGID] /usr/bin/ssh-agent
+2026-04-20 13:55:10,058 - INFO - [OK SUID] /usr/bin/chfn
+2026-04-20 13:55:10,059 - INFO - [OK SUID] /usr/bin/passwd
+2026-04-20 13:55:10,059 - INFO - [OK SUID] /usr/bin/gpasswd
+2026-04-20 13:55:10,059 - INFO - [OK SUID] /usr/bin/umount
+2026-04-20 13:55:10,060 - INFO - [OK SUID] /usr/bin/chsh
+2026-04-20 13:55:10,060 - INFO - [OK SUID] /usr/bin/pkexec
+2026-04-20 13:55:10,060 - WARNING - [ALERTE SUID] /usr/bin/su (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,061 - WARNING - [ALERTE SUID] /usr/bin/newgidmap (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,061 - WARNING - [ALERTE SGID] /usr/bin/crontab (propriétaire: root, groupe: crontab)
+2026-04-20 13:55:10,061 - WARNING - [ALERTE SUID] /usr/bin/newuidmap (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,062 - INFO - [OK SUID] /usr/bin/sudo
+2026-04-20 13:55:10,062 - INFO - [OK SUID] /usr/bin/newgrp
+2026-04-20 13:55:10,063 - INFO - [OK SUID] /usr/bin/mount
+2026-04-20 13:55:10,066 - INFO - [OK SUID] /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+2026-04-20 13:55:10,069 - WARNING - [ALERTE SUID] /usr/lib/cockpit/cockpit-session (propriétaire: root, groupe: cockpit-wsinstance)
+2026-04-20 13:55:10,102 - INFO - Progression: 80000 fichiers parcourus...
+2026-04-20 13:55:10,108 - WARNING - [ALERTE SUID] /usr/lib/polkit-1/polkit-agent-helper-1 (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,125 - WARNING - [ALERTE SGID] /usr/lib/x86_64-linux-gnu/utempter/utempter (propriétaire: root, groupe: utmp)
+2026-04-20 13:55:10,136 - INFO - [OK SUID] /usr/lib/openssh/ssh-keysign
+2026-04-20 13:55:10,164 - INFO - Progression: 90000 fichiers parcourus...
+2026-04-20 13:55:10,231 - INFO - Progression: 100000 fichiers parcourus...
+2026-04-20 13:55:10,295 - INFO - Progression: 110000 fichiers parcourus...
+2026-04-20 13:55:10,358 - INFO - Progression: 120000 fichiers parcourus...
+2026-04-20 13:55:10,425 - INFO - Progression: 130000 fichiers parcourus...
+2026-04-20 13:55:10,492 - INFO - Progression: 140000 fichiers parcourus...
+2026-04-20 13:55:10,548 - INFO - Progression: 150000 fichiers parcourus...
+2026-04-20 13:55:10,592 - INFO - Progression: 160000 fichiers parcourus...
+2026-04-20 13:55:10,661 - INFO - Progression: 170000 fichiers parcourus...
+2026-04-20 13:55:10,719 - INFO - Progression: 180000 fichiers parcourus...
+2026-04-20 13:55:10,803 - INFO - Progression: 190000 fichiers parcourus...
+2026-04-20 13:55:10,844 - WARNING - [ALERTE SUID] /home/stef/fake_malware (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,844 - WARNING - [ALERTE SGID] /home/stef/fake_malware (propriétaire: root, groupe: root)
+2026-04-20 13:55:10,879 - INFO - Progression: 200000 fichiers parcourus...
+2026-04-20 13:55:10,965 - INFO - Progression: 210000 fichiers parcourus...
+2026-04-20 13:55:11,032 - INFO - Progression: 220000 fichiers parcourus...
+2026-04-20 13:55:11,103 - INFO - Progression: 230000 fichiers parcourus...
+2026-04-20 13:55:11,194 - INFO - Progression: 240000 fichiers parcourus...
+2026-04-20 13:55:11,278 - INFO - Progression: 250000 fichiers parcourus...
+2026-04-20 13:55:11,360 - INFO - Progression: 260000 fichiers parcourus...
+2026-04-20 13:55:11,419 - INFO - Progression: 270000 fichiers parcourus...
+2026-04-20 13:55:13,947 - INFO - Progression: 280000 fichiers parcourus...
+2026-04-20 13:55:24,686 - INFO - Progression: 290000 fichiers parcourus...
+2026-04-20 13:55:30,602 - INFO - Audit terminé. 296764 fichiers parcourus.
+2026-04-20 13:55:30,602 - INFO - Vérification des répertoires temporaires...
+2026-04-20 13:55:30,603 - INFO - Recherche des fichiers orphelins...
+2026-04-20 13:55:51,232 - INFO - Rapport texte généré: /var/log/audit/report_20260420_135509.txt
+2026-04-20 13:55:51,232 - INFO - Rapport JSON généré: /var/log/audit/audit_20260420_135509.json
+2026-04-20 13:55:51,232 - INFO - Rapport CSV généré: /var/log/audit/audit_20260420_135509.csv
+2026-04-20 13:55:51,232 - INFO - Alertes sauvegardées: /var/log/audit/alerts_20260420_135509.txt
+
+================================================================================
+RÉSUMÉ DE L'AUDIT
+================================================================================
+Log complet: /var/log/audit/audit_20260420_135509.log
+Rapport détaillé: /var/log/audit/report_20260420_135509.txt
+Rapport JSON: /var/log/audit/audit_20260420_135509.json
+Rapport CSV: /var/log/audit/audit_20260420_135509.csv
+Alertes: /var/log/audit/alerts_20260420_135509.txt
+Whitelist: /etc/audit/suid_whitelist.json
+
+⚠️ ATTENTION: 15 anomalie(s) détectée(s) !
+ - SUID suspects: 10
+ - SGID suspects: 5
+ - Orphelins: 0
+Consultez les rapports pour plus de détails
+```
+
+```json
+{
+ "metadata": {
+ "timestamp": "2026-04-20T13:55:51.230720",
+ "hostname": "bv01",
+ "system": "Linux 6.8.0-110-generic",
+ "total_files_audited": 29,
+ "total_alerts": 15
+ },
+ "alerts": [
+ {
+ "path": "/usr/libexec/spice-client-glib-usb-acl-helper",
+ "type": "SUID",
+ "permissions": "-rwsr-xr-x",
+ "owner": "root",
+ "group": "root",
+ "size": 22680,
+ "size_human": "22.15 KB",
+ "mtime": "2024-04-01 04:49:34",
+ "hash_md5": "a26efa9f0fc6fe4b5a8f117c5aa4293b",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ },
+ {
+ "path": "/usr/sbin/mount.cifs",
+ "type": "SUID",
+ "permissions": "-rwsr-xr-x",
+ "owner": "root",
+ "group": "root",
+ "size": 52296,
+ "size_human": "51.07 KB",
+ "mtime": "2025-06-11 04:07:20",
+ "hash_md5": "8ee15c6c7135adc98ee4002b1ba3553e",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ },
+...
+...
+ {
+ "path": "/home/stef/fake_malware",
+ "type": "SGID",
+ "permissions": "-rwSr-Sr--",
+ "owner": "root",
+ "group": "root",
+ "size": 0,
+ "size_human": "0 B",
+ "mtime": "2026-04-20 09:12:39",
+ "hash_md5": "d41d8cd98f00b204e9800998ecf8427e",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ }
+ ],
+ "all_files": [
+ {
+ "path": "/usr/libexec/spice-client-glib-usb-acl-helper",
+ "type": "SUID",
+ "permissions": "-rwsr-xr-x",
+ "owner": "root",
+ "group": "root",
+ "size": 22680,
+ "size_human": "22.15 KB",
+ "mtime": "2024-04-01 04:49:34",
+ "hash_md5": "a26efa9f0fc6fe4b5a8f117c5aa4293b",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ },
+ {
+ "path": "/usr/sbin/mount.cifs",
+ "type": "SUID",
+ "permissions": "-rwsr-xr-x",
+ "owner": "root",
+ "group": "root",
+ "size": 52296,
+ "size_human": "51.07 KB",
+ "mtime": "2025-06-11 04:07:20",
+ "hash_md5": "8ee15c6c7135adc98ee4002b1ba3553e",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ },
+ {
+ "path": "/usr/sbin/pam_extrausers_chkpwd",
+ "type": "SGID",
+ "permissions": "-rwxr-sr-x",
+ "owner": "root",
+ "group": "shadow",
+ "size": 26944,
+ "size_human": "26.31 KB",
+ "mtime": "2025-09-15 12:37:15",
+ "hash_md5": "c1259cf8990be810f3cfc0d56b914e74",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ },
+ {
+ "path": "/usr/sbin/unix_chkpwd",
+ "type": "SGID",
+ "permissions": "-rwxr-sr-x",
+ "owner": "root",
+ "group": "shadow",
+ "size": 31040,
+ "size_human": "30.31 KB",
+ "mtime": "2025-09-15 12:37:15",
+ "hash_md5": "25a6c140f22aa0a844f94b864d8a7c38",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ },
+ {
+ "path": "/usr/sbin/pppd",
+ "type": "SUID",
+ "permissions": "-rwsr-xr--",
+ "owner": "root",
+ "group": "dip",
+ "size": 420416,
+ "size_human": "410.56 KB",
+ "mtime": "2024-04-03 17:56:59",
+ "hash_md5": "0b977dc339d7b04e1e2d6cfa6c290da7",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ },
+ {
+ "path": "/usr/bin/chage",
+ "type": "SGID",
+ "permissions": "-rwxr-sr-x",
+ "owner": "root",
+ "group": "shadow",
+ "size": 72184,
+ "size_human": "70.49 KB",
+ "mtime": "2024-05-30 14:52:35",
+ "hash_md5": "",
+ "is_whitelisted": true,
+ "alert_level": "INFO"
+ },
+ {
+ "path": "/usr/bin/fusermount3",
+ "type": "SUID",
+ "permissions": "-rwsr-xr-x",
+ "owner": "root",
+ "group": "root",
+ "size": 39296,
+ "size_human": "38.38 KB",
+ "mtime": "2024-04-08 15:57:57",
+ "hash_md5": "3498b3d1d373f876ff0d6a4551e01c21",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ },
+ {
+ "path": "/usr/bin/expiry",
+ "type": "SGID",
+ "permissions": "-rwxr-sr-x",
+ "owner": "root",
+ "group": "shadow",
+ "size": 27152,
+ "size_human": "26.52 KB",
+ "mtime": "2024-05-30 14:52:35",
+ "hash_md5": "",
+ "is_whitelisted": true,
+ "alert_level": "INFO"
+ },
+ {
+ "path": "/usr/bin/ssh-agent",
+ "type": "SGID",
+ "permissions": "-rwxr-sr-x",
+ "owner": "root",
+ "group": "_ssh",
+ "size": 309688,
+ "size_human": "302.43 KB",
+ "mtime": "2026-03-04 17:55:04",
+ "hash_md5": "",
+ "is_whitelisted": true,
+ "alert_level": "INFO"
+ },
+...
+...
+ {
+ "path": "/home/stef/fake_malware",
+ "type": "SGID",
+ "permissions": "-rwSr-Sr--",
+ "owner": "root",
+ "group": "root",
+ "size": 0,
+ "size_human": "0 B",
+ "mtime": "2026-04-20 09:12:39",
+ "hash_md5": "d41d8cd98f00b204e9800998ecf8427e",
+ "is_whitelisted": false,
+ "alert_level": "WARNING"
+ }
+ ]
+}
+```