sXid by Ben Collins <firstname.lastname@example.org>
##### LICENSE #####
sxid - suid, sgid file and directory checking
Copyright (C) 1999, 2000, 2002 Ben Collins <email@example.com>
This is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2,
or (at your option) any later version.
This is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public
License along with sxid; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
##### End LICENSE #####
This program is meant to run as a cronjob. I have it run once a day, but
busy shell boxes may want to run it twice a day. Basically it tracks any
changes in your s[ug]id files and folders. If there are any new ones,
ones that are no longer set, or ones whose bits or other modes have
changed, it reports the changes. You can also run this manually for spot
It also tracks s[ug]id files by md5 checksums. This helps detect a rootkit
that has been installed and would not show up under normal name and
permission checking. Directories are tracked by inode.
To install, set the options in sxid.conf (/etc/sxid.conf when installed)
and add an entry in root's crontab (it needs root permission to check ALL
files and folders). All log files are created mode 600 so no one will be
able to get a list.
NOTES on reading the output:
- In the add/remove section, new files are preceded by a '+', old ones
  are preceded by a '-'. Note that "removed" does not mean gone from the
  filesystem, just that it is no longer sgid or suid.
- Most of it is pretty easy to understand. In the sections that show
  changes in the file's info (uid, gid, modes...) the format is
  old->new. So if the old owner was 'mail' and it is now 'root' then it
  shows as mail->root.
- The list of files in the checks is in the following format:
    /full/path *user.group MODE
  MODE is the 4-digit mode, as in 4755.
  In the changes section, if the line is preceded by an 'i' then that
  item has changed inode since the last check (regardless of any
  s[ug]id change); if there is an 'm' then the md5sum has changed.
- If a user or group entry is preceded by a '*' then that is +s
  (i.e. *root.wheel is suid, root.*wheel is sgid, *root.*wheel is +s).
- On the forbidden directories, if enforce is enabled an 'r' will precede
  forbidden items that were successfully -s'd, and a '!' will show that
  the item was unsuccessfully -s'd (for whatever reason).
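The tracking described at the top of this file (an inventory of s[ug]id files with md5 sums and inode tracking, compared against the previous run) and the report notation in these notes, shown end to end as an added example. This is not sXid's code; it is a small POSIX shell re-creation written for this README. It assumes GNU coreutils (stat -c, md5sum) plus POSIX find and awk. The snapshot column layout, the sample paths, owners, inode numbers and checksums are constructed for the demonstration, and the changed-entry line layout follows the old->new and i/m markers above but is the example's own, not sXid's log format.

```sh
#!/bin/sh
# Added example, not sXid's own code: a minimal re-creation of the check sXid
# performs, so the report notation in the README can be seen end to end.
# Assumes GNU coreutils (stat -c, md5sum) plus POSIX find and awk.

# snapshot DIR
# Record every regular file under DIR with the suid or sgid bit set, one per line:
#   path <TAB> owner <TAB> group <TAB> mode <TAB> inode <TAB> md5
# (this column layout is the example's own, not sXid's log format; paths that
# contain tabs or newlines are not handled)
snapshot() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort |
    while IFS= read -r f; do
        set -- $(stat -c '%a %U %G %i' "$f")     # mode owner group inode
        sum=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$f" "$2" "$3" "$1" "$4" "$sum"
    done
}

# compare BASELINE CURRENT
# Diff two snapshot files and print the differences in the README's notation:
#   "+ path *user.group MODE"     new s[ug]id file
#   "- path *user.group MODE"     no longer s[ug]id (not necessarily deleted)
#   "im path attr old->new ..."   changed entry; 'i' = inode changed, 'm' = md5 changed
compare() {
    awk '
    BEGIN { FS = "\t" }
    # a "*" before the user marks suid, before the group marks sgid
    function entry(p, u, g, m) {
        if (substr(m, 1, 1) ~ /[4567]/) u = "*" u
        if (substr(m, 1, 1) ~ /[2367]/) g = "*" g
        return p " " u "." g " " m
    }
    FILENAME == ARGV[1] { old[$1] = $0; next }     # first file is the baseline
    {
        seen[$1] = 1
        if (!($1 in old)) { print "+ " entry($1, $2, $3, $4); next }
        split(old[$1], o, "\t")
        flags = ""
        if (o[5] != $5) flags = flags "i"
        if (o[6] != $6) flags = flags "m"
        changes = ""
        if (o[2] != $2) changes = changes " owner " o[2] "->" $2
        if (o[3] != $3) changes = changes " group " o[3] "->" $3
        if (o[4] != $4) changes = changes " mode " o[4] "->" $4
        if (flags != "" || changes != "") printf "%-2s %s%s\n", flags, $1, changes
    }
    END {
        for (p in old) if (!(p in seen)) {
            split(old[p], o, "\t")
            print "- " entry(p, o[2], o[3], o[4])
        }
    }' "$1" "$2"
}

# Constructed sample snapshots standing in for two consecutive cron runs
# (paths, owners, inode numbers and checksums are made up for the demo).
sample_baseline() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        /usr/bin/passwd       root root 4755 1001 d41d8cd98f00b204e9800998ecf8427e \
        /usr/bin/wall         root tty  2755 1002 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
        /usr/bin/old-suid     root root 4755 1003 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \
        /usr/local/bin/backup mail mail 4750 1004 cccccccccccccccccccccccccccccccc
}
sample_current() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        /usr/bin/passwd        root root 4755 1001 d41d8cd98f00b204e9800998ecf8427e \
        /usr/bin/wall          root tty  2755 1002 ffffffffffffffffffffffffffffffff \
        /usr/local/bin/backup  root mail 4750 2004 cccccccccccccccccccccccccccccccc \
        /usr/local/bin/newtool root root 6755 3001 dddddddddddddddddddddddddddddddd
}

# Demo: "snapshot /usr > today" would produce a real snapshot; here the two
# constructed snapshots are compared instead.
demo_dir=$(mktemp -d)
sample_baseline > "$demo_dir/baseline"
sample_current  > "$demo_dir/current"
compare "$demo_dir/baseline" "$demo_dir/current"
rm -rf "$demo_dir"
```

Run stand-alone, the demo reports one new file (+), one file that is no longer s[ug]id (-), one whose contents changed (m) and one whose inode and owner changed (i ... owner mail->root); /usr/bin/passwd is unchanged and stays silent. In a real deployment the snapshot of the previous run is the baseline and the fresh one is the current file, which is exactly the comparison sXid makes from its own logs.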
To install sXid simply (requires GNU make):
This will configure and compile the program, then install it into /usr/bin
by default; it also places the sxid.conf file into /etc. You should edit
the conf file; it is well commented and very basic, so no worries.
Alternatively you can run ./configure manually with any options you may
wish (./configure --help for options), then run 'make install'.
Afterwards place an entry into root's crontab. You can use the
line in docs/sxid.cron.example.
sXid is known to compile on these platforms:
* Solaris 2.7/2.6/2.5.1x
* Linux GLIBC 2.0/2.1 and Libc5 on kernels 2.0.x to 2.2.x
* AIX 4.x (and possibly 3.x)
* HP/UX (Peter Sulecki <firstname.lastname@example.org>)
* Tru64 UNIX (Marc Baudoin <email@example.com>)
It should compile on others as well, let me know or send me patches that
you used to get it to work.
NOTE: If you were using any version prior to 3.2.4 you need to archive and
remove the old logs, since they aren't compatible with this version and
will cause spurious errors in the output.
Report bugs to current maintainer Timur Birsh <firstname.lastname@example.org>.
Latest version can be found at http://linukz.org/sxid.shtml.