
Simple security check on your servers

Hello!

I suggest running a simple security check on your servers.

The idea of the check is very simple. We switch to the user that a service such as a web server or database runs as, and look at which files in the system it can read and write. Run the check as every user under which an outward-facing service runs. If you have never done this before, an abyss may open up, but do not panic, and quickly fix everything.
I note that, for example, the Apache user should not have rights to modify and delete the Apache logs.

Happy New Year!

Linux


Read check

 su -l www-data
 find / -type d \( -wholename '/dev/*' -o -wholename '/sys/*' -o -wholename '/proc/*' \) -prune -o -exec test -r {} \; -exec echo {} is readable \; 2>/dev/null

Write check

 su -l www-data
 find / -type d \( -wholename '/dev/*' -o -wholename '/sys/*' -o -wholename '/proc/*' \) -prune -o -exec test -w {} \; -exec echo {} is writable \; 2>/dev/null

FreeBSD


Read check

 su -m www -c /usr/local/bin/bash
 find / -type d \( -name dev \) -prune -o -exec test -r {} \; -exec echo {} is readable \; 2>/dev/null

Write check

 su -m www -c /usr/local/bin/bash
 find / -type d \( -name dev \) -prune -o -exec test -w {} \; -exec echo {} is writable \; 2>/dev/null


PS
The output of these commands can be redirected to a file and then examined with whatever tools are convenient, for example:
 cut -d'/' -f1,2,3 < write.out | sort -u 
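
A fuller triage of the same write.out file, as an added example that is not part of the original post: it groups the "is writable" lines by path prefix, like the cut command above, and counts how many hits fall under locations a service account should not be able to modify. The SENSITIVE list, the function names and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Assumed list of prefixes a service account should not be able to write to.
SENSITIVE='/etc /var/log /bin /sbin /usr /boot /root'

# Constructed sample of write-check output (not taken from a real host).
sample_output() {
cat <<'EOF'
/tmp is writable
/tmp/sess_abc is writable
/var/www/html/uploads is writable
/var/www/html/uploads/a.png is writable
/var/www/html/index.php is writable
/var/log/apache2/access.log is writable
/var/log/apache2/error.log is writable
/etc/apache2/conf.d/local.conf is writable
EOF
}

# summarize_writable DEPTH < write.out
# Prints "SENSITIVE_HITS TOTAL PREFIX", most sensitive hits first.
# DEPTH 2 groups on the same two path components as cut -d'/' -f1,2,3.
summarize_writable() {
    depth=${1:-2}
    sed -n 's/ is writable$//p' |
    awk -v depth="$depth" -v sens="$SENSITIVE" '
        BEGIN { n = split(sens, s, " ") }
        {
            path = $0
            m = split(path, part, "/")   # part[1] is empty for absolute paths
            prefix = ""
            for (i = 2; i <= m && i <= depth + 1; i++) prefix = prefix "/" part[i]
            if (prefix == "") prefix = "/"
            total[prefix]++
            # A path is sensitive if it equals or lies below a listed prefix.
            for (i = 1; i <= n; i++)
                if (index(path "/", s[i] "/") == 1) { hits[prefix]++; break }
        }
        END { for (p in total) printf "%d %d %s\n", hits[p] + 0, total[p], p }
    ' | LC_ALL=C sort -k1,1nr -k2,2nr -k3,3
}

# Demonstration on the constructed sample; on a server use: summarize_writable 2 < write.out
sample_output | summarize_writable 2
```

Any prefix with a non-zero first column deserves a look before the rest of the list.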


UPDATE
timukas suggested that in newer versions of GNU find, you can check it even more easily:
 su -l user
 find / ! -writable
 find / -writable

Source: https://habr.com/ru/post/164245/

