Securing and Optimizing Linux: RedHat Edition - A Hands on Guide
Chapter 14. Software - Security/Monitoring
All the configuration files required for each piece of software described in this book are provided by us as a gzipped tar file, floppy.tgz, for your convenience. It can be downloaded from http://www.openna.com/books/floppy.tgz. Unpack it to any location on your local machine, for example /tmp; your directory structure will then be /tmp/floppy. Within this floppy directory each configuration file has its own subdirectory named for the respective software. For example, the sXid configuration file is organised like this:

total 4
-rw-r--r-- 1 harrypotter harrypotter 1586 Jun 8 13:00 sxid.conf

You can either copy these files directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but remember that it is ultimately your responsibility to check and verify each file before you use it, whether modified or as is.
To run sXid, the following file from the floppy.tgz archive is required and must be created or copied to the appropriate directory on your server: copy the sxid.conf file to the /etc/ directory. Alternatively, you can copy and paste the contents directly from this book into that file.
The configuration file for sXid, /etc/sxid.conf, allows you to set options that modify the operation of the program. It is well commented and very basic. Two settings deserve particular attention: FORBIDDEN lists directories in which no s[ug]id file should exist at all, and with ENFORCE = "yes" sXid does not merely report such files but removes their setuid/setgid bits. Leave ENFORCE at "no" or adjust FORBIDDEN if you legitimately keep s[ug]id binaries under /home or /tmp. Note also that every directory in this file must be given as an absolute path without a trailing slash.
Edit the sxid.conf file (vi /etc/sxid.conf) and set it to your needs:
# Configuration file for sXid
# Note that all directories must be absolute with no trailing /'s

# Where to begin our file search
SEARCH = "/"

# Which subdirectories to exclude from searching
EXCLUDE = "/proc /mnt /cdrom /floppy"

# Who to send reports to
EMAIL = "root"

# Always send reports, even when there are no changes?
ALWAYS_NOTIFY = "no"

# Where to keep interim logs. This will rotate 'x' number of
# times based on KEEP_LOGS below
LOG_FILE = "/var/log/sxid.log"

# How many logs to keep
KEEP_LOGS = "5"

# Rotate the logs even when there are no changes?
ALWAYS_ROTATE = "no"

# Directories where +s is forbidden (these are searched
# even if not explicitly in SEARCH), EXCLUDE rules apply
FORBIDDEN = "/home /tmp"

# Remove (-s) files found in forbidden directories?
ENFORCE = "yes"

# This implies ALWAYS_NOTIFY. It will send a full list of
# entries along with the changes
LISTALL = "no"

# Ignore entries for directories in these paths
# (this means that only files will be recorded, you
# can effectively ignore all directory entries by
# setting this to "/"). The default is /home since
# some systems have /home g+s.
IGNORE_DIRS = "/home"

# File that contains a list of (each on it's own line)
# of other files that sxid should monitor. This is useful
# for files that aren't +s, but relate to system
# integrity (tcpd, inetd, apache...).
# EXTRA_LIST = "/etc/sxid.list"

# Mail program. This changes the default compiled in
# mailer for reports. You only need this if you have changed
# it's location and don't want to recompile sxid.
# MAIL_PROG = "/usr/bin/mail"
Place an entry in root's crontab so that sXid runs as a cron job. sXid will run from crond; basically it tracks any changes in your s[ug]id files and directories. If there are any new ones, ones that are no longer s[ug]id, or ones whose bits or other modes have changed, it reports the changes. To add sXid to your cron jobs you must edit the crontab and add the following line. To edit the crontab, use the command as root:
[root@deep] /#crontab -e
# Sample crontab entry to run every day at 4am
0 4 * * * /usr/bin/sxid
For more details, see the man pages: sxid.conf(5), configuration settings for sxid, and sxid(1), check for changes in s[ug]id files and directories.
sXid is an administrative tool meant to run as a cron job. It should run at least once a day, but busy shell boxes may want to run it twice a day. You can also run it manually for spot-checking. To run sXid manually, use the command:
[root@deep] /#sxid -k
sXid Vers : 4.0.1
Check run : Wed Dec 29 12:40:32 1999
This host : mail.openna.com
Spotcheck : /home/admin
Excluding : /proc /mnt /cdrom /floppy
Ignore Dirs: /home
Forbidden : /home /tmp
No changes found!

This checks for changes by recursing the current working directory. Log files will not be rotated and no email is sent. All output goes to stdout.
These are the files installed on your system by the sXid program.