Man page - sxid(1)
SXID(1) General Commands Manual SXID(1)
NAME
sxid - check for changes in s[ug]id files and directories
SYNOPSIS
sxid [ -c, --config file ] [ -n, --nomail ] [ -k, --spotcheck ] [ -l, --listall ] [ -h, --help ] [ -V, --version ]
DESCRIPTION
sXid checks for changes in suid and sgid files and directories since its last check. Logs are stored by default in /var/log/sxid.log. The changes are then emailed to the address specified in the configuration file. The default location for the config file is /etc/sxid.conf, but this can be overridden by passing an alternate file to the --config option.
OPTIONS
-c, --config file
Specifies an alternate configuration file.
-n, --nomail
Sends output to stdout instead of emailing, useful for spot checks.
-k, --spotcheck
Checks for changes by recursing the current working directory. Log files will not be rotated and no email sent. All output will go to stdout.
-l, --listall
Useful when doing --spotcheck or --nomail to list all files that are logged, regardless of changes.
-h, --help
Display a brief help message.
-V, --version
Print version and exit.
OUTPUT
The program outputs several different checks concerning the current status of the suid and sgid files and directories on the system on which it was run. This is a basic overview of the format.
In the add remove section, new files are preceded by a '+', old ones are preceded by a '-'. Note that removed does not mean gone from the filesystem, just that it is no longer sgid or suid.
Most of it is pretty easy to understand. On the sections that show changes in the file's info (uid, gid, modes...) the format is old->new. So if the old owner was 'mail' and it is now 'root' then it shows it as mail->root.
The list of files in the checks is in the following format:
/full/path *user.group MODE
MODE is the 4 digit mode, as in 4755.
In the changes section, if the line is preceded by an 'i' then that item has changed inodes since the last check (regardless of any s[ug]id change); if there is an 'm' then the SHA-256 checksum has changed.
If a user or group entry is preceded by a '*' then its execution bit is set (i.e. *root.wheel is suid, root.*wheel is sgid, *root.*wheel is +s).
On the forbidden directories, if ENFORCE is enabled an 'r' will precede forbidden items that were successfully -s'd, and an '!' will show that it was unsuccessfully -s'd (for whatever reason).
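The list-entry format described above can be decoded mechanically when reviewing a report. The following parser is an added example, not part of sxid or this manual; it assumes the markers ('+', '-', 'i', 'm', 'r', '!') appear as one whitespace-separated token before the path, and the sample lines are constructed. It does not handle old->new change fields.

```python
import re
import stat
from typing import NamedTuple

# Leading markers named in the OUTPUT section.
MARKERS = {
    "+": "newly s[ug]id",
    "-": "no longer s[ug]id",
    "i": "inode changed",
    "m": "SHA-256 checksum changed",
    "r": "forbidden item, -s succeeded",
    "!": "forbidden item, -s failed",
}

class Entry(NamedTuple):
    markers: tuple
    path: str
    user: str
    group: str
    mode: int
    suid: bool
    sgid: bool
    consistent: bool  # do the '*' prefixes match the s-bits in MODE?

def parse_entry(line):
    """Parse '[markers] /full/path *user.group MODE' into an Entry."""
    tokens = line.split()
    markers = ()
    # Assumption: markers form one whitespace-separated token before the path.
    if tokens and set(tokens[0]) <= set(MARKERS):
        markers = tuple(tokens.pop(0))
    if (len(tokens) < 3 or not tokens[0].startswith("/")
            or not re.fullmatch(r"[0-7]{4}", tokens[-1])):
        raise ValueError(f"not a list entry: {line!r}")
    user, dot, group = tokens[-2].partition(".")
    if not dot:
        raise ValueError(f"owner is not user.group: {line!r}")
    mode = int(tokens[-1], 8)
    suid, sgid = user.startswith("*"), group.startswith("*")
    consistent = (suid == bool(mode & stat.S_ISUID)
                  and sgid == bool(mode & stat.S_ISGID))
    path = " ".join(tokens[:-2])  # path may contain single spaces
    return Entry(markers, path, user.lstrip("*"), group.lstrip("*"),
                 mode, suid, sgid, consistent)

def explain(entry):
    """Translate an entry's markers into the meanings given on this page."""
    return [MARKERS[m] for m in entry.markers]

# Constructed sample lines, not real sxid output.
SAMPLE = [
    "+ /usr/local/bin/helper *root.staff 4755",
    "im /usr/bin/passwd *root.root 4755",
    "/usr/bin/wall root.*tty 2755",
]
```

An entry whose consistent field is False has '*' prefixes that disagree with its MODE digits, which usually means the line was not a plain list entry.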
AUTHOR
Ben Collins <bcollins@debian.org>
REPORTING BUGS
Timur Birsh <taem@linukz.org>
SEE ALSO
sxid.conf(5)
Debian July 29, 2013 SXID(1)