NAME
       sxid - check for changes in s[ug]id files and directories
SYNOPSIS
       sxid [-c, --config file] [-n, --nomail] [-k, --spotcheck] [-l, --listall] [-h, --help] [-V, --version]
DESCRIPTION
       sXid checks for changes in suid and sgid files and directories compared with its last
       check. Logs are stored by default in /var/log/sxid.log. The changes are then emailed to
       the address specified in the configuration file. The default location for the config
       file is /etc/sxid.conf, but this can be overridden with the --config option, which
       specifies an alternate file.
OPTIONS
       -c, --config file
              Specifies an alternate configuration file.

       -n, --nomail
              Sends output to stdout instead of emailing; useful for spot checks.

       -k, --spotcheck
              Checks for changes by recursing the current working directory. Log files will
              not be rotated and no email is sent. All output goes to stdout.

       -l, --listall
              Useful with --spotcheck or --nomail to list all files that are logged,
              regardless of changes.

       -h, --help
              Display a brief help message.

       -V, --version
              Print version and exit.
OUTPUT
       The program outputs several different checks concerning the current status of the
       suid and sgid files and directories on the system on which it was run. This is a basic
       overview of the format.

       In the add/remove section, new files are preceded by a “+” and old ones by a “-”.
       Note that removed does not mean gone from the filesystem, just that the file is no
       longer sgid or suid.

       Most of it is pretty easy to understand. In the sections that show changes in a
       file's info (uid, gid, modes...) the format is old->new. So if the old owner was
       “mail” and it is now “root”, it is shown as mail->root.

       The list of files in the checks is in the following format:

              /full/path *user.group MODE

       MODE is the 4-digit mode, as in 4755.

       In the changes section, if the line is preceded by an “i” then that item has changed
       inode since the last check (regardless of any s[ug]id change); if there is an “m”
       then the SHA-256 checksum has changed.

       If a user or group entry is preceded by a “*” then its execution bit is set (i.e.
       *root.wheel is suid, root.*wheel is sgid, *root.*wheel is +s).

       On the forbidden directories, if ENFORCE is enabled an “r” will precede forbidden
       items that were successfully -s'd, and an “!” shows that an item was unsuccessfully
       -s'd (for whatever reason).
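The following is an added example, not code from sxid itself: a small Python spot-check that recurses a directory, records every suid/sgid entry in the “/full/path *user.group MODE” listing format described above, and compares two such scans to produce the “+”/“-” add/remove lines, the “i” (inode changed) and “m” (SHA-256 changed) markers, and old->new field changes. The snapshot dictionary layout and the exact column order of the change lines are assumptions of this example; the “r”/“!” ENFORCE markers are not implemented.

```python
"""Added example (not part of sxid): a minimal spot-check in the style of the OUTPUT section.

scan() lists suid/sgid entries under a directory; diff_snapshots() compares two scans.
The snapshot structure and the column layout of change lines are assumptions here.
"""
import grp
import hashlib
import os
import pwd
import stat
import sys


def _user(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # fall back to the numeric id if no passwd entry exists


def _group(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Return {path: entry} for every file or directory under root with suid or sgid set.

    Symlinks are skipped (lstat, never followed) and unreadable entries are ignored, so a
    permission error in one subtree does not abort the whole check."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode) or not (st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            digest = None
            if stat.S_ISREG(st.st_mode):
                try:
                    digest = sha256_of(path)
                except OSError:
                    pass  # unreadable: recorded without a checksum
            found[path] = {
                "user": _user(st.st_uid),
                "group": _group(st.st_gid),
                "mode": stat.S_IMODE(st.st_mode),
                "inode": st.st_ino,
                "sha256": digest,
            }
    return found


def owner_field(entry):
    """'*root.wheel' is suid, 'root.*wheel' is sgid, '*root.*wheel' is both (+s)."""
    mode = entry["mode"]
    user = ("*" if mode & stat.S_ISUID else "") + entry["user"]
    group = ("*" if mode & stat.S_ISGID else "") + entry["group"]
    return user + "." + group


def format_entry(path, entry):
    """One listing line: /full/path *user.group MODE, MODE as the 4-digit mode (e.g. 4755)."""
    return "%s %s %04o" % (path, owner_field(entry), entry["mode"])


def diff_snapshots(old, new):
    """Compare two scans and return (added, removed, changed) as lists of output lines.

    A '-' line means the entry is no longer suid/sgid, not necessarily deleted.  A change
    line carries 'i' if the inode changed and 'm' if the SHA-256 changed (assumed layout:
    flags, then the path, then each changed field as old->new)."""
    added = ["+ " + format_entry(p, new[p]) for p in sorted(new.keys() - old.keys())]
    removed = ["- " + format_entry(p, old[p]) for p in sorted(old.keys() - new.keys())]
    changed = []
    for p in sorted(old.keys() & new.keys()):
        o, n = old[p], new[p]
        flags = ("i" if o["inode"] != n["inode"] else "") + ("m" if o["sha256"] != n["sha256"] else "")
        fields = []
        if o["user"] != n["user"]:
            fields.append("%s->%s" % (o["user"], n["user"]))
        if o["group"] != n["group"]:
            fields.append("%s->%s" % (o["group"], n["group"]))
        if o["mode"] != n["mode"]:
            fields.append("%04o->%04o" % (o["mode"], n["mode"]))
        if flags or fields:
            changed.append(" ".join(([flags] if flags else []) + [p] + fields))
    return added, removed, changed


if __name__ == "__main__":
    # Like --spotcheck --listall: print every suid/sgid entry under the given (or current) directory.
    snapshot = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in sorted(snapshot):
        print(format_entry(path, snapshot[path]))
```

Run with a directory argument to list its suid/sgid entries; persisting a scan (for example as JSON) and feeding the previous and current dictionaries to diff_snapshots gives the add/remove and change sections. Checksumming only regular files and skipping symlinks mirrors the point made above that a removed entry may still exist on disk: the comparison is about s[ug]id state, not file presence.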
AUTHOR
       Ben Collins ⟨bcollins@debian.org⟩

REPORTING BUGS
       Timur Birsh ⟨taem@linukz.org⟩

SEE ALSO
       sxid.conf(5)