To start monitoring the SUID/SGID bits on files and directories, we configure the tool as follows:
- Once the installation completes, we start editing the /etc/sxid.conf file to use the tool as we require. Open the file in the editor of your choice:
nano /etc/sxid.conf
- In the configuration file, look for the EMAIL setting. Change the value of EMAIL to the address that should receive the report, if you want the output of the changes found on each sXid run sent to you by email.
- Next, look for the line that reads KEEP_LOGS and set it to a number of your choice. This number defines how many old log files sXid keeps before rotating them out.
- If you want a report even when sXid finds no changes, set ALWAYS_NOTIFY to yes.
- The SEARCH option takes a list of directories, separated by spaces, that sXid uses as the starting points of its search. Directories we want skipped are listed, again separated by spaces, under the EXCLUDE option.
Exclusion only applies to directories that sXid reaches while descending from a SEARCH entry. If /usr/local is listed in EXCLUDE but /usr/local/share is listed in SEARCH, /usr/local/share is still searched. This is useful for excluding a large directory tree as a whole while still checking one chosen subdirectory inside it.
- There are many more options in /etc/sxid.conf, which can be configured as per our requirements. Once we are done with editing the file, save and close the file.
- Now, to run sxid manually for a one-off spot check, we use the following command:
sxid -c /etc/sxid.conf -k
Here, the -c option gives the path of the configuration file, for the case where the command does not pick it up automatically. The -k option runs the tool in check mode, which is what performs the spot check: the SEARCH directories are scanned for SUID/SGID files and the result is compared against what the previous run recorded.
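As an added example, not taken from the page or from the sXid project, the following bash script re-creates the behaviour that the settings above control, so the SEARCH/EXCLUDE rule and the "report only what changed since the last run" logic can be tried on a throwaway directory tree. It assumes GNU findutils (for find -printf); the directory names, file names and the sxid.baseline file are constructed for the demonstration and are not sXid's own paths or log format.

```bash
#!/usr/bin/env bash
# Added example (not sXid's own code): a small re-implementation of what the
# sxid.conf SEARCH/EXCLUDE settings drive, plus the compare-against-last-run
# step, exercised on a constructed tree.  Assumes GNU findutils (find -printf).

# find_sxid_files "SEARCH" "EXCLUDE": list every setuid/setgid regular file
# under the space-separated SEARCH dirs, pruning the space-separated EXCLUDE
# dirs.  An EXCLUDE entry only prunes when reached *from* a SEARCH entry above
# it, so a SEARCH entry lying beneath an excluded dir is still walked: the
# /usr/local vs /usr/local/share case described in the text.
find_sxid_files() {
    local search="$1" exclude="$2" dir ex
    local -a prune=()
    for ex in $exclude; do
        prune+=( -path "$ex" -prune -o )
    done
    for dir in $search; do
        [ -d "$dir" ] || continue
        find "$dir" "${prune[@]}" \
            \( -type f \( -perm -4000 -o -perm -2000 \) \) \
            -printf '%p %m %u %g\n' 2>/dev/null
    done | sort -u        # sorted and deduplicated: comm needs sorted input
}

# sxid_check BASELINE "SEARCH" "EXCLUDE": scan, then compare with the listing
# saved by the previous run.  The first run only writes the baseline.  Returns
# 0 when nothing changed and 1 (after printing -/+ lines) when a file appeared,
# vanished, or changed mode or ownership; that is the event sXid would report.
sxid_check() {
    local baseline="$1" search="$2" exclude="$3" current removed added
    current=$(mktemp)
    find_sxid_files "$search" "$exclude" > "$current"
    if [ ! -s "$baseline" ]; then
        mv "$current" "$baseline"
        echo "baseline written to $baseline"
        return 0
    fi
    removed=$(comm -23 "$baseline" "$current")   # lines only in the baseline
    added=$(comm -13 "$baseline" "$current")     # lines only in the new scan
    rm -f "$current"
    if [ -z "$removed" ] && [ -z "$added" ]; then
        echo "no changes"
        return 0
    fi
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    return 1
}

# make_tree: build a constructed tree standing in for / and print its root.
#   bin/su                setuid, expected, goes into the baseline
#   usr/local/share/tool  setgid, under the explicitly searched share dir
#   usr/local/lib/helper  setuid, under the excluded dir, must never be listed
#   bin/plain             no special bits, must never be listed
make_tree() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/local/share" "$root/usr/local/lib"
    printf '#!/bin/sh\n' > "$root/bin/su";               chmod 4755 "$root/bin/su"
    printf '#!/bin/sh\n' > "$root/usr/local/share/tool"; chmod 2755 "$root/usr/local/share/tool"
    printf '#!/bin/sh\n' > "$root/usr/local/lib/helper"; chmod 4755 "$root/usr/local/lib/helper"
    printf 'data\n'      > "$root/bin/plain"
    printf '%s\n' "$root"
}

# demo: the spot-check flow from the text, then a planted setuid file.
demo() {
    local root search exclude base
    root=$(make_tree)
    search="$root/bin $root/usr $root/usr/local/share"   # SEARCH = ...
    exclude="$root/usr/local"                            # EXCLUDE = ...
    base="$root/sxid.baseline"
    sxid_check "$base" "$search" "$exclude"              # run 1: writes baseline
    sxid_check "$base" "$search" "$exclude"              # run 2: no changes
    printf '#!/bin/sh\n' > "$root/bin/backdoor"; chmod 4755 "$root/bin/backdoor"
    sxid_check "$base" "$search" "$exclude" || echo "exit status 1: changes found"
    rm -rf "$root"
}

# Run the scenario when executed directly (not when sourced).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then demo; fi
```

Run it as `bash sxid_demo.sh`. Note that usr/local/lib/helper never shows up even though $root/usr is searched, because the walk from $root/usr is pruned at $root/usr/local, while usr/local/share/tool is listed because $root/usr/local/share is its own SEARCH entry. Like sxid.conf, the lists are split on spaces, so directory names containing spaces are not supported.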