Check SUID/SGID program Audit rules

Here's an interesting Bash script that checks that every SUID/SGID file on the mounted filesystems has a corresponding audit rule. Useful if you work in an environment where you are required to perform this check periodically and, like all good (lazy) sysadmins, wish you had a script to automate the task...

#!/bin/bash
# Report every SUID/SGID program that has no entry in the audit rules file.
# On systems that use /etc/audit/rules.d/, augenrules merges the *.rules
# files there into this file, so it is still the place to check.
RULES=/etc/audit/audit.rules

# One mount point per line; --noheadings drops the MOUNTPOINT header and
# grep / skips block devices that are not mounted anywhere.
lsblk --noheadings --output MOUNTPOINT | grep / | while read -r i
do
  # -xdev keeps find on this filesystem; -perm -4000 = SUID, -perm -2000 = SGID.
  find "${i}" -xdev -type f \( -perm -4000 -o -perm -2000 \) | while read -r j
  do
    # -F matches the path as a literal string (not a regex); -- stops a path
    # from being parsed as an option; -q replaces the grep -c ... -ge 1 test.
    if grep -qF -- "${j}" "${RULES}"; then
      : # a rule mentions this program, so there is nothing to report
    else
      echo "suid/sgid program ${j} - NO audit rule!"
    fi
  done
done

exit 0
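One weakness of a plain grep against the rules file is that it matches substrings: a rule for /usr/bin/sudo also satisfies the check for /usr/bin/su. The script below is an added example (not the post's script) that compares the path as a whole rule field, accepting either a "-w PATH" watch or a "-F path=PATH" syscall rule, and prints a suggested rule for each program that has none. The list of SUID binaries and the rules file are constructed sample data written to temporary files; the suggested rule uses the form the CIS benchmarks recommend for privileged commands. To run it against a real system, feed it the output of the find command above and /etc/audit/audit.rules (or "auditctl -l" saved to a file, which reports the rules actually loaded in the kernel).

```shell
#!/bin/bash
# Added example: exact-match check of SUID/SGID programs against audit rules.
# All sample data below is constructed for the demonstration.

# Constructed sample rules file: one syscall rule and one watch rule.
SAMPLE_RULES="$(mktemp)"
cat > "$SAMPLE_RULES" <<'EOF'
# privileged commands (constructed sample, not a real system's rules)
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-w /usr/bin/passwd -p x -k privileged
EOF

# Constructed sample of what "find / -xdev -type f -perm -4000" might print.
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/newgrp
EOF
trap 'rm -f "$SAMPLE_RULES" "$SAMPLE_LIST"' EXIT

# has_rule PATH RULES_FILE
# Returns 0 when a rule names PATH as a complete field, either "-w PATH"
# or "-F path=PATH". A longer path that merely contains PATH does not count.
has_rule() {
  path="$1"
  rules="$2"
  awk -v p="$path" '
    /^ *#/ { next }                                   # skip comment lines
    $1 == "-w" && $2 == p { found = 1 }               # watch rule
    { for (i = 1; i <= NF; i++) if ($i == ("path=" p)) found = 1 }  # syscall rule
    END { exit !found }
  ' "$rules"
}

# suggest_rule PATH
# Prints the CIS-style rule for auditing execution of a privileged command.
suggest_rule() {
  printf '%s -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -k privileged\n' \
    '-a always,exit' "$1"
}

# missing_rules LIST_FILE RULES_FILE
# For each program in LIST_FILE without a rule, warns on stderr and prints
# a suggested rule on stdout. Returns 0 only when nothing is missing.
missing_rules() {
  list="$1"
  rules="$2"
  missing=0
  while IFS= read -r bin; do
    [ -n "$bin" ] || continue
    if ! has_rule "$bin" "$rules"; then
      echo "suid/sgid program ${bin} - NO audit rule!" >&2
      suggest_rule "$bin"
      missing=$((missing + 1))
    fi
  done < "$list"
  [ "$missing" -eq 0 ]
}

if missing_rules "$SAMPLE_LIST" "$SAMPLE_RULES"; then
  echo "every SUID/SGID program in the list has an audit rule"
else
  echo "add the rules printed above to your audit rules and reload auditd" >&2
fi
```

With the constructed data, /usr/bin/sudo and /usr/bin/passwd are covered, while /usr/bin/su and /usr/bin/newgrp produce one suggested "-a always,exit" line each; the stdout lines can be appended directly to a rules file.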