I'm currently testing auditd with rules for setuid or setgid binaries on
the system.
I currently maintain the list via find, and push the results to an
audit.rules file.
I'm hoping there's a cleaner way, perhaps by triggering on the
appropriate syscall -- but have not discovered it.
Is there an easier method?
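
The approach described in the post (enumerate the binaries with find, write the results to a rules file), as an added example that is not part of the original post. The rule key `privileged`, the `auid>=1000` threshold (adjust to the system's first regular-user UID) and both function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: key "privileged",
# auid>=1000 as the first regular-user UID, and both function names.

# Print one audit rule per setuid/setgid regular file under $1 (default /).
gen_priv_rules() {
    root="${1:-/}"
    # -xdev keeps the scan on one filesystem; -4000 = setuid, -2000 = setgid
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r path; do
        case "$path" in
            *[[:space:]]*|*\"*|*\'*)
                # No quoting is attempted here; flag the path for manual review.
                printf '%s\n' "# skipped, review by hand: $path"
                continue ;;
        esac
        printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"
    done
}

# Regenerate rules file $2 from a scan of $1.
# Returns 0 if the file was replaced, 1 if unchanged, 2 on error.
update_rules_file() {
    out="$2"
    tmp="$(mktemp "${out}.XXXXXX")" || return 2
    gen_priv_rules "$1" > "$tmp"
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0640 "$tmp"
    mv -f "$tmp" "$out"
}
```

Because `update_rules_file` returns 0 only when the generated rules differ from the file on disk, a scheduled job can reload the audit rules only in that case.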