7.10 The setuid log

Cfengine is always on the lookout for files which are setuid or setgid root. It doesn't go actively looking for them uninvited, but whenever you get cfagent to check a file or directory with the files feature, it will make a note of setuid programs it finds there. These are recorded in the file cfengine.host.log which is stored under /var/cfengine or /var/log/cfengine. When new setuid programs are discovered, a warning is printed, but only if you are root. If you ever want a complete list, delete the log file and cfengine will think that all of the setuid programs it finds are new. The log file is not readable by normal users.
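The record-and-warn behaviour described above can be sketched in a few lines. This is an added example, not cfengine's own code: the one-path-per-line log format, the function names and the default paths are assumptions, and the script never touches cfengine.host.log.

```python
import os
import stat
import sys

def find_setid(root, uid=0, gid=0):
    """Regular files under root that are setuid to uid or setgid to gid."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = st.st_mode & stat.S_ISUID and st.st_uid == uid
            sgid = st.st_mode & stat.S_ISGID and st.st_gid == gid
            if suid or sgid:
                hits.append(path)
    return sorted(hits)

def check(root, log_path, uid=0, gid=0):
    """Return programs not yet in the log and append them to it."""
    try:
        with open(log_path) as fh:
            known = {line.rstrip("\n") for line in fh if line.strip()}
    except FileNotFoundError:
        known = set()                        # log deleted: everything is new
    new = [p for p in find_setid(root, uid, gid) if p not in known]
    if new:
        # Create the log 0600 so ordinary users cannot read it.
        fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(fd, "a") as fh:
            fh.writelines(p + "\n" for p in new)
    return new

if __name__ == "__main__":
    # Hypothetical defaults; this does not read or write cfengine's own log.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    log = sys.argv[2] if len(sys.argv) > 2 else "setid-baseline.log"
    new = check(root, log)
    if os.geteuid() == 0:                    # warn only when run as root
        for path in new:
            print("NEW SETUID/SETGID ROOT PROGRAM:", path)
```

A second run over an unchanged directory reports nothing; deleting the baseline file makes the next run report every setuid or setgid program again, which is the same trick the text suggests for getting a complete list.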

