Home|Cudeso|Linux|*NIX / BSD|Misc|

suid/guid tool


1. Introduction

2. Useful resources

3. Getting the package

4. Install

5. Configuration

6. CronJob

7. Further information

1. Introduction

SUID/SGID files can be a real security hazard. To reduce the risk, you could manually remove the 's' bits from root-owned programs that don't require such privilege, but future files may be set with these 's' bits enabled without your notification.

sXid is an all-in-one suid/sgid monitoring progam designed to be run from a cron-job. Basically it tracks changes in your s[ug]id files and folders. If one of your users (or maybe you) have installed a new package or changed bits or other modes then it reports the changes in an easy understandable format. The reports can be send by e-mail or to the command-line.

2. Useful resources

Freshmeat - http://freshmeat.net/projects/sxid/
FTP-site - ftp://marcus.seva.net/pub/sxid/

Ben Collins - Author of sXid

3. Getting the package

Off course, before you could setup sXid it could come in handy that you download the package. So, point your ftp-client to ftp://marcus.seva.net/pub/sxid/ and get the latest release. (The latest release I found was 4.0.1)

4. Install

First step is to untar the package.
tar zxvf sxid_4.0.1.tar.gz
When no errors occured there should now be a directory with the source-files. Navigate to this directory. Next thing is to run the configure script (make sure you've to the autoconf-package installed, this should normally be installed with all latest distributions).
I've added the --sysconfdir option (regards to Ben Collins) to specify in which directory sXid needs to find his configuration file. By default, RedHat distro's place their configuration file in /etc so this would be a nice place to put sxid.conf.
./configure --sysconfdir=/etc
When no major errors occur you can now start making the necessary files with
make install
After this, there is a sxid in /usr/local/bin.

5. Configuration

sXid uses one configuration file sxid.conf.

When you've run the configure script without further options this is placed in /usr/local/etc/ otherwise it's in the directory you specified.

With the settings in the configuration file, you can adjust sXid to your personal needs.

  • SEARCH="/"
    This settings allows you to give sXid a starting point. Normally this will be the base-directory of your filesystem but you can choose whatever you want (as long as it exists off course).

  • EXCLUDE="/proc /mnt /cdrom /floppy"
    Here you can insert some directories that need to be skipped from the scan.

  • EMAIL="root"
    Who do we need to send the report?

    Does sXid needs to send a report even when there are no changes found?

  • LOG_FILE="/var/log/sxid.log"
    Where to keep the log-files. I prefer to save them in the default /var/log/ location

  • KEEP_LOGS="5"
    How many times do we need to rotate?

    Do we need to rotate even when there are no changes?

  • FORBIDDEN="/home /tmp"
    With this you can insert some directories where it is absolutely forbidden to have +s-files.

  • ENFORCE="no"
    Remove all +s-files found in the forbidden directories. I prefer not to let this be done by sXid but rather remove them myself.

  • LISTALL="no"
    This will send a full list of all entries along with the changes (also implies ALWAYS_NOTIFY).

  • IGNORE_DIRS="/home"
    Ignore these directories in the entries.

  • EXTRA_LIST="/etc/sxid.extra.list"
    By this you can specify a file with extra files that need to be monitored from sXid. This can for example be sshd, xinetd, pppd, tcpd.

  • MAIL_PROG="/usr/bin/mail"
    In case you have removed the default mailer you can specify it here.

That's all for the configuration file. Save your settings now.

6. Cron-job

I've set up sXid so that it is run every night at 5:30 as a cron-job. To do this, you need tho alter the /etc/crontab file with your editor.

Insert a line like below :
30 5 * * * root /usr/local/bin/sxid
Now save your crontab file and this would be all.

7. Further information

You can find further information in the man pages for both sxid.conf and sxid.

These are the files that are installed :
  • /etc/sxid.conf
  • /usr/local/bin/sxid
  • /usr/man/man1/sxid.1
  • /usr/man/man5/sxid.conf
Copyleft 2002-2007 - cudeso.bewebmaster@cudeso.betop