Securities Software (Monitoring Tools): Linux sXid
Configurations
All software we describe in this book has its own directory and subdirectory in a tar compressed archive named "floppy.tgz", which contains the configuration files for that program. If you get this archive, you are not obliged to reproduce the configuration files below by hand or cut and paste them. Whether you copy them manually or take the ready-made files from the archive, it is your responsibility to adjust them to your needs and to place the files related to sXid in the appropriate locations on your server, as shown below. The configuration file archive can be downloaded from the following Internet address: http://www.openna.com/books/floppy.tgz
• To run sXid, the following file is required and must be created or copied to the appropriate directory on your server: copy the sxid.conf file to the "/etc/" directory.
You can obtain the configuration files listed below from our floppy.tgz archive. Copy the following files from the decompressed floppy.tgz archive to their appropriate places, or copy and paste them directly from this book into the file concerned.
Configure the "/etc/sxid.conf" file
The configuration file for sXid ("/etc/sxid.conf") allows you to set options that modify the operation of the program. It is well commented and very basic.
Step 1
Edit the sxid.conf file (vi /etc/sxid.conf) and set it to your needs:
# Configuration file for sXid
# Note that all directories must be absolute with no trailing /'s
# Where to begin our file search
SEARCH = "/"
# Which subdirectories to exclude from searching
EXCLUDE = "/proc /mnt /cdrom /floppy"
# Who to send reports to
EMAIL = "root"
# Always send reports, even when there are no changes?
ALWAYS_NOTIFY = "no"
# Where to keep interim logs. This will rotate 'x' number of
# times based on KEEP_LOGS below
LOG_FILE = "/var/log/sxid.log"
# How many logs to keep
KEEP_LOGS = "5"
# Rotate the logs even when there are no changes?
ALWAYS_ROTATE = "no"
# Directories where +s is forbidden (these are searched
# even if not explicitly in SEARCH), EXCLUDE rules apply
FORBIDDEN = "/home /tmp"
# Remove (-s) files found in forbidden directories?
ENFORCE = "yes"
# This implies ALWAYS_NOTIFY. It will send a full list of
# entries along with the changes
LISTALL = "no"
# Ignore entries for directories in these paths
# (this means that only files will be recorded, you
# can effectively ignore all directory entries by
# setting this to "/"). The default is /home since
# some systems have /home g+s.
IGNORE_DIRS = "/home"
# File that contains a list (each on its own line)
# of other files that sxid should monitor. This is useful
# for files that aren't +s, but relate to system
# integrity (tcpd, inetd, apache…).
# EXTRA_LIST = "/etc/sxid.list"
# Mail program. This changes the default compiled-in
# mailer for reports. You only need this if you have changed
# its location and don't want to recompile sxid.
# MAIL_PROG = "/usr/bin/mail"
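To make the options above concrete, here is an added example (not sXid's own source code) that mimics what the SEARCH, EXCLUDE, FORBIDDEN, IGNORE_DIRS and ENFORCE settings do: it parses the key = "value" format of sxid.conf, walks the tree for files with the setuid/setgid bits, flags hits inside FORBIDDEN directories, computes the "changes" between two runs that sXid reports by e-mail, and strips +s from forbidden hits when ENFORCE is "yes". The sample tree (build_demo_tree) and the paths in demo_conf are constructed for the demonstration; the function names are this example's own.

```python
"""Toy setuid/setgid auditor modelled on the sxid.conf options.

Added example, not part of sXid: it shows what SEARCH, EXCLUDE,
FORBIDDEN, IGNORE_DIRS and ENFORCE mean in practice.
"""
import os
import re
import stat
import tempfile

# One sxid.conf line: KEY = "value"; comments and blank lines are skipped.
_LINE = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"\s*$')


def parse_sxid_conf(text):
    """Return {KEY: value} for every active line of an sxid.conf text."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        conf[m.group(1)] = m.group(2)
    return conf


def _under(path, prefixes):
    """True if path equals or lies below any of the directory prefixes."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def scan_setuid(conf):
    """Return {path: mode} for every +s entry under SEARCH (and FORBIDDEN)
    that is not below an EXCLUDE directory; +s directories below
    IGNORE_DIRS are skipped, as sXid does."""
    exclude = conf.get("EXCLUDE", "").split()
    ignore_dirs = conf.get("IGNORE_DIRS", "").split()
    roots = [conf["SEARCH"]] + conf.get("FORBIDDEN", "").split()
    found = {}
    for root in roots:
        if _under(root, exclude):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune excluded subtrees before os.walk descends into them.
            dirnames[:] = [d for d in dirnames
                           if not _under(os.path.join(dirpath, d), exclude)]
            for name in dirnames + filenames:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISLNK(st.st_mode):
                    continue
                if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                if stat.S_ISDIR(st.st_mode) and _under(p, ignore_dirs):
                    continue
                found[p] = stat.S_IMODE(st.st_mode)
    return found


def forbidden_hits(found, conf):
    """+s entries that live inside a FORBIDDEN directory."""
    return sorted(p for p in found if _under(p, conf.get("FORBIDDEN", "").split()))


def diff_inventory(previous, current):
    """The 'changes' a report would carry: new, vanished and re-moded entries."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(p for p in set(previous) & set(current) if previous[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def enforce(found, conf):
    """If ENFORCE = "yes", clear +s on forbidden hits; return the paths fixed."""
    fixed = []
    if conf.get("ENFORCE", "no").lower() != "yes":
        return fixed
    for p in forbidden_hits(found, conf):
        os.chmod(p, found[p] & ~(stat.S_ISUID | stat.S_ISGID))
        fixed.append(p)
    return fixed


def build_demo_tree():
    """Constructed sample tree in a temp dir: a legitimate +s binary under
    usr/bin, a rogue +s file under home, one under proc (excluded), and a
    plain file. Returns the root path."""
    root = tempfile.mkdtemp(prefix="sxid-demo-")
    for rel, mode in [("usr/bin/passwd", 0o4755), ("home/alice/rogue", 0o4755),
                      ("proc/ignored", 0o4755), ("tmp/plain", 0o644)]:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("demo\n")
        os.chmod(p, mode)
    return root


def demo_conf(root):
    """The book's sample settings, re-rooted onto the demo tree (constructed)."""
    return parse_sxid_conf(
        'SEARCH = "%s"\nEXCLUDE = "%s/proc"\nFORBIDDEN = "%s/home %s/tmp"\n'
        'ENFORCE = "yes"\nIGNORE_DIRS = "%s/home"\n' % ((root,) * 5))


if __name__ == "__main__":
    r = build_demo_tree()
    c = demo_conf(r)
    inv = scan_setuid(c)
    print("setuid/setgid entries:", sorted(inv))
    print("forbidden:", forbidden_hits(inv, c))
    print("fixed:", enforce(inv, c))
```

Running it as a normal user works because an owner may set the setuid bit on their own files; the real sXid runs from root's cron so that it can read every directory in SEARCH and, with ENFORCE, chmod files it does not own.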