Provided by: sxid_4.20130802-7_amd64

NAME

       sxid — check for changes in s[ug]id files and directories

SYNOPSIS

       sxid [-c, --config file] [-n, --nomail] [-k, --spotcheck] [-l, --listall] [-h, --help] [-V, --version]

DESCRIPTION

       sXid checks for changes in suid and sgid files and directories since its last check. Logs are stored
       by default in /var/log/sxid.log. The changes are then emailed to the address specified in the
       configuration file. The default location for the config file is /etc/sxid.conf, but this can be
       overridden by specifying an alternate file with the --config option.

OPTIONS

       -c, --config file
               Specifies an alternate configuration file.

       -n, --nomail
               Sends output to stdout instead of emailing, useful for spot checks.

       -k, --spotcheck
               Checks  for changes by recursing the current working directory. Log files will not be rotated and
               no email sent. All output will go to stdout.

       -l, --listall
               Useful when doing --spotcheck or --nomail to list  all  files  that  are  logged,  regardless  of
               changes.

       -h, --help
               Display a brief help message.

       -V, --version
               Print version and exit.

OUTPUT

       The program outputs several different checks concerning the current status of the suid and sgid files and
       directories on the system on which it was run. This is a basic overview of the format.

       In the add/remove section, new files are preceded by a “+” and old ones by a “-”. Note that
       removed does not mean gone from the filesystem, just that the file is no longer sgid or suid.

       Most of it is pretty easy to understand. In the sections that show changes in the file's info (uid, gid,
       modes...) the format is old->new. So if the old owner was “mail” and it is now “root”, it is shown as
       mail->root.

       The list of files in the checks is in the following format:

       /full/path   *user.group   MODE

       MODE is the 4 digit mode, as in 4755.

       In the changes section, if the line is preceded by an “i” then that item has changed inodes since the
       last check (regardless of any s[ug]id change); if there is an “m” then the SHA-256 checksum has changed.

       If a user or group entry is preceded by a “*” then its set-id execution bit is set (i.e. *root.wheel is
       suid, root.*wheel is sgid, *root.*wheel is +s).

       For the forbidden directories, if ENFORCE is enabled an “r” will precede forbidden items that were
       successfully -s'd, and an “!” will show that an item was unsuccessfully -s'd (for whatever reason).
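
       The list format above can be parsed for triage. The following is an added example, not part of
       sxid or its documentation; the exact whitespace, the placement of the “+”/“-” marker before the
       path, and the names ENTRY, parse_entry, triage and SAMPLE are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Assumed layout: optional "+"/"-" marker, then /full/path *user.group MODE.
ENTRY = re.compile(
    r"^\s*(?P<marker>[+-])?\s*(?P<path>/.*?)\s+"
    r"(?P<ustar>\*?)(?P<user>[^\s.*]+)\.(?P<gstar>\*?)(?P<group>[^\s*]+)\s+"
    r"(?P<mode>[0-7]{4})\s*$"
)
Entry = namedtuple("Entry", "marker path user group mode suid sgid")

def parse_entry(line):
    """Parse one list line; return None for headers and other text."""
    m = ENTRY.match(line)
    if m is None:
        return None
    # "*" before the user means suid, "*" before the group means sgid.
    return Entry(m["marker"], m["path"], m["user"], m["group"],
                 int(m["mode"], 8), bool(m["ustar"]), bool(m["gstar"]))

def triage(lines):
    """Return (path, reasons) for entries worth reviewing first."""
    findings = []
    for e in filter(None, map(parse_entry, lines)):
        if e.marker == "-":
            continue  # no longer s[ug]id, so nothing privileged to review
        reasons = []
        if e.marker == "+" and e.suid and e.user == "root":
            reasons.append("new suid root")
        if e.mode & 0o002:
            reasons.append("world-writable")
        if (e.suid, e.sgid) != (bool(e.mode & 0o4000), bool(e.mode & 0o2000)):
            reasons.append("star markers disagree with MODE")
        if reasons:
            findings.append((e.path, reasons))
    return findings

# Constructed sample, not real sxid output.
SAMPLE = """\
+ /usr/local/bin/helper   *root.staff    4755
+ /srv/share/tool         *root.*users   6777
- /usr/bin/oldtool        mail.mail      0755
  /usr/bin/passwd         *root.root     4755
  /usr/bin/wall           root.*tty      2755
  /opt/odd/bin            *daemon.daemon 0755
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE.splitlines()):
        print(path, "-", ", ".join(reasons))
```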

AUTHOR

       Ben Collins <bcollins@debian.org>

REPORTING BUGS

       Timur Birsh <taem@linukz.org>

SEE ALSO

       sxid.conf(5)

Debian                                            July 29, 2013                                          SXID(1)