SUID/SGID files can be a real security hazard. To reduce the risk you could manually remove
the 's' bits from root-owned programs that don't need the privilege, but new files may later
be installed with the 's' bits set without you noticing.
sXid is an all-in-one suid/sgid monitoring program designed to be run from a cron job.
Basically it tracks changes in your s[ug]id files and directories. If one of your users (or maybe you)
has installed a new package or changed the bits or other modes, it reports the changes
in an easily understandable format. The report can be sent by e-mail or printed on the command line.
Freshmeat - http://freshmeat.net/projects/sxid/
FTP-site - ftp://marcus.seva.net/pub/sxid/
Ben Collins - Author of sXid
Of course, before you can set up sXid you need to download the package.
So point your FTP client to ftp://marcus.seva.net/pub/sxid/ and get the latest release.
(The latest release I found was 4.0.1.)
First step is to untar the package.
tar zxvf sxid_4.0.1.tar.gz
If no errors occurred there should now be a directory with the source files. Change into this directory.
The next step is to run the configure script. It is an ordinary shell script, so all you need is
/bin/sh, a C compiler and make; autoconf is only required if you want to regenerate configure itself.
I added the --sysconfdir option
(thanks to Ben Collins for the tip) to specify the directory in which
sXid looks for its configuration file. Red Hat distributions keep their
configuration files in /etc, so that is a natural place to put sxid.conf.
If no major errors occurred, you can now build the necessary files with
After this, the sxid program is in
sXid uses a single configuration file, sxid.conf.
If you ran the configure script without the --sysconfdir option it is placed in /usr/local/etc/;
otherwise it is in the directory you specified.
The settings in the configuration file let you adapt sXid to your own needs.
The options are:
- The starting point of the scan. Normally this is the root of your filesystem,
but you can choose whatever you want (as long as it exists, of course).
- EXCLUDE="/proc /mnt /cdrom /floppy"
Directories that are skipped during the scan.
- The address the report is sent to.
- Whether sXid sends a report even when no changes were found.
- Where the log files are kept. I prefer to keep them in the default /var/log/ location.
- How many rotated log files to keep.
- Whether to rotate the log even when there are no changes.
- FORBIDDEN="/home /tmp"
Directories in which it is absolutely forbidden to have +s files.
- Whether to remove all +s files found in the forbidden directories. I prefer not to let sXid do this
but rather to remove them myself after looking at the report.
- Whether to send a full list of all entries along with the changes (this also implies ALWAYS_NOTIFY).
- Directories to ignore in the entries.
- A file listing extra files that sXid must monitor, for example sshd, xinetd, pppd and tcpd.
- The mailer to use, in case you have removed the default one.
That's all for the configuration file. Save your settings now.
I have set up sXid so that it runs every night at 5:30 as a cron job.
To do this, edit the /etc/crontab file and insert a line like the one below:
30 5 * * * root /usr/local/bin/sxid
Note that this is the /etc/crontab format, which has a user field; a per-user crontab edited
with crontab -e has no user field. Adjust the path if you installed sxid with a different prefix.
Now save your crontab file and you are done.
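What sXid does on every run can be sketched in a few shell functions. The block below is an added example written for this page, not sXid's own code: it lists s[ug]id files below a search root while skipping excluded directories, diffs that listing against the one saved by the previous run, and flags (or, if you choose, strips) any +s file under a forbidden directory. It assumes a Linux system with GNU find, diff and coreutils; the directory tree it works on is constructed by the demo function and every path in it is made up.

```shell
#!/bin/sh
# Added example (not sXid's code): the core of an s[ug]id monitor as shell
# functions around GNU find. Assumes Linux with GNU find, diff and coreutils.

# sxid_scan ROOTS EXCLUDE
#   Print one line "octal-mode uid gid path" for every setuid or setgid
#   regular file under the space-separated ROOTS, skipping the directories
#   listed in EXCLUDE. Sorted by path so two scans can be compared with diff.
sxid_scan() {
    roots=$1
    excludes=$2
    set --                         # rebuild "$@" as find's prune clauses
    for d in $excludes; do
        set -- "$@" -path "$d" -prune -o
    done
    # word-splitting of $roots is intended: several roots may be given
    find $roots "$@" \( -perm -4000 -o -perm -2000 \) -type f \
        -printf '%m %U %G %p\n' 2>/dev/null | LC_ALL=C sort -k4
}

# sxid_compare OLD NEW
#   Print "- " for entries that vanished and "+ " for entries that appeared
#   (a mode or owner change shows as one of each). Exit 0 when nothing
#   changed, 1 otherwise, which is what a cron job would key the mail on.
sxid_compare() {
    diff --unchanged-line-format='' --old-line-format='- %L' \
         --new-line-format='+ %L' "$1" "$2"
}

# sxid_forbidden LISTING FORBIDDEN
#   Print the entries of a scan listing that live below one of the FORBIDDEN
#   directories (there is no legitimate +s file in /tmp or /home).
#   Exit 0 when none are found, 1 otherwise.
sxid_forbidden() {
    listing=$1
    found=0
    for d in $2; do
        # field 4 is the path; match anything below the directory
        if awk -v d="$d" 'index($4, d "/") == 1 { print; hit = 1 }
                          END { exit !hit }' "$listing"; then
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# sxid_enforce LISTING FORBIDDEN
#   The equivalent of letting the tool remove the bits itself: strip the
#   s bits from every forbidden entry. Kept separate so you can review first.
sxid_enforce() {
    sxid_forbidden "$1" "$2" | while read -r _mode _uid _gid path; do
        chmod ug-s "$path"
    done
}

# Demo on a throwaway tree built here; nothing on the real system is touched.
sxid_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/usr/bin" "$base/tmp" "$base/proc"
    printf 'x' > "$base/usr/bin/passwd"; chmod 4755 "$base/usr/bin/passwd"
    printf 'x' > "$base/proc/self";      chmod 4755 "$base/proc/self"  # excluded
    sxid_scan "$base" "$base/proc" > "$base/baseline"

    # Someone drops a setuid binary in tmp and clears the bits on passwd.
    printf 'x' > "$base/tmp/backdoor";   chmod 4755 "$base/tmp/backdoor"
    chmod 0755 "$base/usr/bin/passwd"
    sxid_scan "$base" "$base/proc" > "$base/current"

    echo "== changes since last run =="
    sxid_compare "$base/baseline" "$base/current" || true
    echo "== +s files in forbidden directories =="
    sxid_forbidden "$base/current" "$base/tmp" || true
    rm -rf "$base"
}
sxid_demo
```

In a real deployment the baseline would live somewhere only root can write (a listing in /tmp could be edited by the same user who planted the binary), and the scan would run as root so that files in unreadable home directories are not missed.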
You can find further information in the man pages for both sxid.conf
These are the files that are installed: