Securities Software (Monitoring Tools).Linux sXid | All about OS


Category: Securing and Optimizing

Overview
SUID/SGID files can be a security hazard. To reduce the risks, we have already removed the ‘s’ bits from root-owned programs that do not absolutely require such privilege, but new and existing files may still have these ‘s’ bits set without your being notified. sXid is an all-in-one SUID/SGID monitoring program designed to be run from cron on a regular basis. It tracks any changes in your s[ug]id files and folders: if there are new ones, ones that are no longer set, or ones whose bits or other modes have changed, it reports the changes in an easy-to-read format via email or on the command line. sXid automates the task of finding all SUID/SGID files on your server and reporting them to you. Once installed you can forget it and it will do the job for you.
These installation instructions assume:
Commands are Unix-compatible.
The source path is “/var/tmp” (other paths are possible).
Installations were tested on Red Hat Linux 6.1 and 6.2.
All steps in the installation will happen in super-user account “root”.
sXid version number is 4.0.1
Packages
sXid FTP Site: ftp://marcus.seva.net/pub/sxid/ You must be sure to download: sxid_4.0.1.tar.gz
Tarballs
It is a good idea to make a list of files on the system before you install sXid, and one afterwards, and then compare them using ‘diff’ to find out what file it placed where. Simply run ‘find /* > sXid1’ before and ‘find /* > sXid2’ after you install the software, and use ‘diff sXid1 sXid2 > sXid-Installed’ to get a list of what changed.
Compilation
Decompress the tarball (tar.gz).
[root@deep /]# cp sxid_version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf sxid_version.tar.gz
Compile and Optimize
Move into the new sXid directory and type the following commands on your terminal:
[root@deep tmp]# cd sxid-4.0.1
[root@deep sxid-4.0.1]# make install
The above commands will configure the software to ensure your system has the necessary functionality and libraries to successfully compile the package, compile all source files into executable binaries, and then install the binaries and any supporting files into the appropriate locations.
Cleanup after work
[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf sxid-version/ sxid_version.tar.gz
The “rm” command as used above will remove all the source files we have used to compile and install sXid. It will also remove the sXid compressed archive from the “/var/tmp” directory.
