
ninja - Monitor Linux System for Unauthorized root access

Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it monitors process activity on the local host and keeps track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja logs the necessary information about that process and optionally kills it if it was spawned by an unauthorized user.

A "magic" group can be specified, allowing members of this group to run any setuid/setgid root executable.

Individual executables can be white-listed. Ninja uses a fine-grained white-list that lets you white-list executables on a group and/or user basis. This can be used to allow specific groups or individual users access to setuid/setgid root programs, such as su and passwd.

Installation:
Download ninja from - here
Untar the source, go to the ninja directory and type the following commands to compile and install ninja:
make
make install
Copy the white-list file to the /etc/ninja directory:
cp examples/whitelist/simple.wlist /etc/ninja/
Configuration:
Add group "ninja" (note down the group id):
groupadd ninja
Add user 'root' and all other required users to this group:
usermod -G ninja nikesh
usermod -G ninja root
Create the ninja log file:
touch /var/log/ninja.log
Open the ninja configuration file (vi /etc/ninja/default.conf) and change the following settings:
group=1000
daemon = yes
interval = 0
logfile = /var/log/ninja.log
whitelist = /etc/ninja/simple.wlist
external_command = /root/bin/alert
You also need to create a simple alert script (/root/bin/alert) with the following contents:

#!/bin/bash
# Called by ninja (external_command) when an unauthorized root process is detected; mail an alert.
echo 'Alert - Unauthorized Access to system.' | mail -s 'Alert - Unauthorized Access to system.' njauhari@cybage.com

Edit the whitelist file located at /etc/ninja/simple.wlist.
The first field is the full path to the executable you wish to white-list. The second field is a comma-separated list of groups that should be granted access to the executable. The third field is a comma-separated list of users.
<executable>:<groups>:<users>
The second or third field can be left empty. Please refer to the example whitelist located in "examples/whitelist/".

Remember that it is a good idea to whitelist programs such as passwd and other regular setuid applications that users require access to.
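As an added example (not ninja's own code), the following Python models the whitelist decision described above: it parses lines in the <executable>:<groups>:<users> format and decides whether a root process spawned by a given user is covered by the "magic" group or by the whitelist. The way the fields combine (magic group first, then a user match or any group match; comment and blank lines ignored) is an assumption modeled on the text, not ninja's actual matching logic, and the whitelist content is constructed.

```python
# Constructed whitelist in the page's format: <executable>:<groups>:<users>
WHITELIST_TEXT = """\
# comment and blank lines are ignored (assumption, not documented by ninja)
/usr/bin/passwd:users:
/bin/su:wheel:alice
/usr/bin/sudo::bob
"""


def parse_whitelist(text):
    """Return {executable: (groups, users)} from whitelist text.

    Each non-comment line must have exactly three colon-separated fields;
    the group and user fields may be empty, as the text allows.
    """
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[0].startswith("/"):
            raise ValueError(
                f"whitelist line {lineno}: expected <executable>:<groups>:<users>"
            )
        exe, groups, users = parts
        rules[exe] = (
            {g for g in groups.split(",") if g},
            {u for u in users.split(",") if u},
        )
    return rules


def is_authorized(exe, user, user_groups, rules, magic_group="ninja"):
    """Decide whether a root (UID/GID 0) process spawned by `user` is allowed.

    Assumed evaluation order: members of the magic group may run any
    setuid/setgid root program; otherwise the executable must be
    whitelisted for the user by name or for one of the user's groups.
    An entry with both fields empty grants nobody access.
    """
    if magic_group in user_groups:
        return True
    if exe not in rules:
        return False
    groups, users = rules[exe]
    return user in users or bool(groups & set(user_groups))


RULES = parse_whitelist(WHITELIST_TEXT)
```

A monitor using this logic would log (and, if configured, kill) any root process for which is_authorized returns False.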

Finally, start ninja using the following command:
/usr/local/bin/ninja /etc/ninja/default.conf
Testing Ninja:
Create a test user 'test'.
Log in to the system as this test user.
Now attempt to become the 'root' user by typing the command 'su -'.
Here ninja will come into action: it will kill the entire session and dump the information into the log.