Provided by: sxid_4.20130802-1ubuntu2_amd64
NAME
sxid — check for changes in s[ug]id files and directories
SYNOPSIS
sxid [-c, --config file] [-n, --nomail] [-k, --spotcheck] [-l, --listall] [-h, --help] [-V, --version]
DESCRIPTION
sXid checks for changes in suid and sgid files and directories based on its last check. Logs are stored by default in /var/log/sxid.log. The changes are then emailed to the address specified in the configuration file. The default location for the config file is /etc/sxid.conf but this can be overridden with the --config option and specifying an alternate file.
OPTIONS
-c, --config file Specifies an alternate configuration file. -n, --nomail Sends output to stdout instead of emailing, useful for spot checks. -k, --spotcheck Checks for changes by recursing the current working directory. Log files will not be rotated and no email sent. All output will go to stdout. -l, --listall Useful when doing --spotcheck or --nomail to list all files that are logged, regardless of changes. -h, --help Display a brief help message. -V, --version Print version and exit.
OUTPUT
The program outputs several different checks concerning the current status of the suid and sgid files and directories on the system on which it was run. This is a basic overview of the format. In the add remove section, new files are preceded by a “+”, old ones are preceded by a “-”. Note that removed does not mean gone from the filesystem, just that it is no longer sgid or suid. Most of it is pretty easy to understand. On the sections that show changes in the file's info (uid, gid, modes...) the format is old->new. So if the old owner was “mail” and it is now “root” then it shows it as mail->root. The list of files in the checks is in the following format: /full/path *user.group MODE MODE is the 4 digit mode, as in 4755. In the changes section, if the line is preceded by an “i” then that item has changed inodes since the last check (regardless of any s[ug]id change), if there is an “m” then the SHA-256 checksum has changed. If a user or group entry is preceded by a “*” then it's execution bit is set (ie. *root.wheel is suid, root.*wheel is sgid, *root.*wheel is +s). On the forbidden directories, if ENFORCE is enabled an “r” will precede forbidden items that were successfully -s'd, and an “!” will show that it was unsuccesfully -s'd (for what ever reason).
AUTHOR
Ben Collins <bcollins@debian.org>
REPORTING BUGS
Timur Birsh <taem@linukz.org>
SEE ALSO
sxid.conf(5)