linux poison RSS
linux poison Email

ninja - Monitor Linux System for Unauthorized root access

Ninja is a privilege escalation detection  and  prevention system for GNU/Linux hosts. While running, it will monitor Process activity on the local host, and keep track of  all processes  running  as root.  If a process is spawned with UID or GID zero (root), ninja will log necessary  information  about  this process, and optionally kill the process if it was spawned by an unauthorized user.

A "magic" group can be specified, allowing members of this group to run any setuid/setgid root executable.

Individual  executable  can be white-listed.  Ninja uses a fine grained white-list that lets you white list executable on  a group  and/or user basis. This can be used to allow specific groups or individual users access to  setuid/set-gid root programs, such as su and passwd.

Installation:
Download ninja from - here
Untar the source, goto the ninja directory and type following command to compile and install the ninja:
make
make install
copy the white-list file to the /etc/ninja directory
cp examples/whitelist/simple.wlist /etc/ninja/
Configuration:
Add group "ninja" (note down the group id):
groupadd ninja
Add user 'root' and all other required users to this group:
usermod -G ninja nikesh
usermod -G ninja root
Create the ninja log files:
touch /var/log/ninja.log
Open the ninja configuration file: vi /etc/ninja/default.conf and change the following settings
group=1000
daemon = yes
interval = 0
logfile = /var/log/ninja.log
whitelist = /etc/ninja/simple.wlist
external_command = /root/bin/alert
Here you also need to create a simple script alert (/root/bin/alert) with following entries

#!/bin/bash
echo 'Alert - Unauthorized Access to system.' | mail -s "'Alert - Unauthorized Access to system." njauhari@cybage.com

Edit the whitelist file located under the /etc/ninja/simple.wlist
The first field is the full path to the executable you wish to white-list. The second field  is  a comma  separated  list  of  groups  that should be granted access to the executable.  The third field is a comma separated list of users.
<executable>:<groups>:<users>
The second or third field can be left empty.  Please refer to the example whitlist located in "examples/whitelist/".

Remember that it is a good idea to whitelist programs such as passwd and other regular  setuid  applications  that users require access to.

Finally start ninja using following command:
/usr/local/bin/ninja /etc/ninja/default.conf
Testing Ninja:
Create a test user 'test'
Login to the system using this test user
now attempt to become 'root' user by typing command 'su - '
Here ninja will come into action and will kill the entire session and dump the information into the log ...



6 comments:

Je suis flâneur said...

Is this for Linux servers or home users?

Unknown said...

yes, can be used for both

Je suis flâneur said...

My mistake. Is this Ninja software designed for servers? That is, it has small utility on home desktops? I apologize for the 2nd question. I don't understand what this help with on my desktop.

hyip said...

A full detail is given for Linux with all configuration and installation process.

Anonymous said...

does it support 64 bit?

DevOps said...

Not sure, tyr out and let us know

Post a Comment

Related Posts with Thumbnails