Provided by: sxid_4.20130802-1ubuntu2_amd64

NAME

     sxid — check for changes in s[ug]id files and directories

SYNOPSIS

     sxid [-c, --config file] [-n, --nomail] [-k, --spotcheck] [-l, --listall] [-h, --help]
          [-V, --version]

DESCRIPTION

     sXid checks for changes in suid and sgid files and directories based on its last check. Logs
     are stored by default in /var/log/sxid.log.  The changes are then emailed to the address
     specified in the configuration file. The default location for the config file is
     /etc/sxid.conf, but this can be overridden by passing an alternate file to the --config
     option.

OPTIONS

     -c, --config file
             Specifies an alternate configuration file.

     -n, --nomail
             Sends output to stdout instead of emailing, useful for spot checks.

     -k, --spotcheck
             Checks for changes by recursing the current working directory. Log files will not be
             rotated and no email sent. All output will go to stdout.

     -l, --listall
             Useful when doing --spotcheck or --nomail to list all files that are logged,
             regardless of changes.

     -h, --help
             Display a brief help message.

     -V, --version
             Print version and exit.

OUTPUT

     The program outputs several different checks concerning the current status of the suid and
     sgid files and directories on the system on which it was run. This is a basic overview of
     the format.

     In the add/remove section, new files are preceded by a “+” and old ones by a “-”. Note that
     “removed” does not mean gone from the filesystem, just that the file is no longer sgid or
     suid.

     Most of it is pretty easy to understand. On the sections that show changes in the file's
     info (uid, gid, modes...) the format is old->new. So if the old owner was “mail” and it is
     now “root” then it shows it as mail->root.

     The list of files in the checks is in the following format:

     /full/path   *user.group   MODE

     MODE is the 4 digit mode, as in 4755.

     In the changes section, if the line is preceded by an “i” then that item has changed inodes
     since the last check (regardless of any s[ug]id change); if there is an “m” then the SHA-256
     checksum has changed.

     If a user or group entry is preceded by a “*” then its execution bit is set (i.e.
     *root.wheel is suid, root.*wheel is sgid, *root.*wheel is +s).

     On the forbidden directories, if ENFORCE is enabled an “r” will precede forbidden items that
     were successfully -s'd, and an “!” will show that an item was unsuccessfully -s'd (for
     whatever reason).
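
     The following parser for the list format and markers described above is an added example,
     not part of sXid or this manual page. It assumes that markers appear before the path and
     that user names contain no “.”; the sample lines and the needs_review() triage rule are
     constructed for illustration.

```python
import re
from typing import NamedTuple

# Marker meanings as given in the OUTPUT section.
MARKERS = {"+": "added", "-": "no longer s[ug]id", "i": "inode changed",
           "m": "SHA-256 changed", "r": "forbidden, -s applied",
           "!": "forbidden, -s failed"}

class Entry(NamedTuple):
    markers: tuple   # decoded marker meanings, in order of appearance
    path: str
    user: str        # owner name without the '*'
    group: str       # group name without the '*'
    mode: int        # MODE parsed as octal

def parse_entry(line: str) -> Entry:
    """Parse one '/full/path   *user.group   MODE' line with optional markers."""
    # Split from the right so a path containing spaces stays intact.
    head, owner, mode_s = line.strip().rsplit(None, 2)
    if not re.fullmatch(r"[0-7]{4}", mode_s):
        raise ValueError(f"bad MODE field: {mode_s!r}")
    slash = head.index("/")                 # assumed: markers precede the path
    flags = head[:slash].replace(" ", "")
    if any(f not in MARKERS for f in flags):
        raise ValueError(f"unknown marker in {flags!r}")
    user, _, group = owner.partition(".")   # assumed: no '.' in the user name
    mode = int(mode_s, 8)
    # The '*' markers must agree with the setuid/setgid bits of MODE.
    if (user.startswith("*") != bool(mode & 0o4000)
            or group.startswith("*") != bool(mode & 0o2000)):
        raise ValueError(f"'*' markers disagree with MODE in {line!r}")
    return Entry(tuple(MARKERS[f] for f in flags), head[slash:],
                 user.lstrip("*"), group.lstrip("*"), mode)

def needs_review(e: Entry) -> bool:
    """Example triage rule (not sXid's): new suid-root, changed hash, failed -s."""
    return (("added" in e.markers and e.user == "root" and bool(e.mode & 0o4000))
            or "SHA-256 changed" in e.markers
            or "forbidden, -s failed" in e.markers)

# Constructed sample lines, not real sXid output.
SAMPLE = ["+ /usr/local/bin/helper   *root.staff   4755",
          "- /usr/bin/old tool   games.*games   2755",
          "im /usr/bin/passwd   *root.root   4755",
          "! /home/u/x   *root.*wheel   6755"]

if __name__ == "__main__":
    for entry in map(parse_entry, SAMPLE):
        print("REVIEW" if needs_review(entry) else "ok    ", entry.path)
```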

AUTHOR

     Ben Collins <bcollins@debian.org>

REPORTING BUGS

     Timur Birsh <taem@linukz.org>

SEE ALSO

     sxid.conf(5)