Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it monitors process activity on the local host and keeps track of all processes running as root. If a process is spawned with UID or GID zero (root), Ninja logs the necessary information about that process and can optionally kill it if it was spawned by an unauthorised user.
A "magic" group can be specified, allowing members of this group to run any setuid/setgid root executable. This could be the 'root' group, but you can customise it later on.
Individual executables can be white-listed. Ninja uses a fine-grained white-list that lets you white-list an executable on a group and/or user basis. This can be used to allow specific groups or individual users access to setuid/setgid root programs, such as su and passwd.
Installation:
Download the ninja source, or look for it in your distribution's repositories:
Gentoo: build from source
Debian/Ubuntu: apt-get install ninja
Untar the source, go to the ninja directory and type the following commands to compile and install ninja:
make
make install
Copy the white-list file to the /etc/ninja directory:
cp examples/whitelist/simple.wlist /etc/ninja/
Configuration:
Add the group "ninja" (note down its group id; you will need it in the configuration file):
groupadd ninja
Add user 'root' and all other required users to this group (use -a so that each user keeps their existing supplementary groups):
usermod -a -G ninja anormaluser
usermod -a -G ninja root
Create the ninja log file:
touch /var/log/ninja.log
Open the ninja configuration file (vi /etc/ninja/default.conf) and change the following settings. The group setting must be the id of the ninja group you noted down earlier; 1000 is only an example:
group = 1000
daemon = yes
interval = 0
logfile = /var/log/ninja.log
whitelist = /etc/ninja/simple.wlist
external_command = /root/bin/alert
You also need to create the simple alert script referenced above (/root/bin/alert) with the following contents, and make it executable with chmod +x /root/bin/alert:
#!/bin/bash
echo 'Alert - Unauthorized Access to system.' | mail -s "Alert - Unauthorized Access to system." offserver@email.com
Edit the whitelist file located at /etc/ninja/simple.wlist.
The first field is the full path to the executable you wish to white-list. The second field is a comma-separated list of groups that should be granted access to the executable. The third field is a comma-separated list of users.
<executable>:<groups>:<users>
The second or third field can be left empty. Please refer to the example whitelist located in "examples/whitelist/".
Remember that it is a good idea to whitelist programs such as passwd and other regular setuid applications that users require access to.
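To make the white-list semantics and the magic group concrete, here is a small simulation of the allow/kill decision described above. This is an added example, not Ninja's own code: it parses lines in the <executable>:<groups>:<users> format, then decides what to do with a root-spawned process given the spawning user's name and groups. Ninja itself works with numeric uids/gids and kernel process events; matching by user and group name, the Event type, the decide() function and the sample whitelist are all assumptions made for this illustration.

```python
"""Simulation of Ninja's allow/kill decision (added example, not Ninja's code).

Model assumed from the description above:
  - only processes with uid 0 or gid 0 are in scope;
  - members of the "magic" group may run any setuid/setgid root executable;
  - otherwise the executable must be white-listed for the user or one of
    the user's groups, in the format <executable>:<groups>:<users>;
  - anything else is an unauthorised escalation and would be killed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    exe: str                   # full path of the executable that was spawned
    uid: int                   # effective uid of the new process
    gid: int                   # effective gid of the new process
    spawner: str               # login name of the user whose session spawned it
    spawner_groups: frozenset  # that user's group names (assumption: names, not ids)


def parse_whitelist(text):
    """Parse <executable>:<groups>:<users> lines into {exe: (groups, users)}."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected <executable>:<groups>:<users>, got {raw!r}")
        exe, groups, users = (p.strip() for p in parts)
        if not exe.startswith("/"):
            raise ValueError(f"line {lineno}: executable must be a full path, got {exe!r}")
        # Empty second or third fields are allowed, as the text says.
        rules[exe] = (
            frozenset(g.strip() for g in groups.split(",") if g.strip()),
            frozenset(u.strip() for u in users.split(",") if u.strip()),
        )
    return rules


def decide(event, rules, magic_group):
    """Return "ignore", "allow" or "kill" for one process event."""
    if event.uid != 0 and event.gid != 0:
        return "ignore"  # not running as root: outside Ninja's scope
    if magic_group in event.spawner_groups:
        return "allow"   # magic-group members may run any setuid/setgid root binary
    rule = rules.get(event.exe)
    if rule is not None:
        groups, users = rule
        if event.spawner in users or (groups & event.spawner_groups):
            return "allow"
    return "kill"        # unauthorised root process: log it and (optionally) kill it


# Constructed sample whitelist, not the project's examples/whitelist/simple.wlist.
SAMPLE_WHITELIST = """\
# passwd is setuid root and every member of 'users' needs it
/usr/bin/passwd:users:
# su is allowed only for the wheel group and for alice
/bin/su:wheel:alice
"""
RULES = parse_whitelist(SAMPLE_WHITELIST)
MAGIC_GROUP = "ninja"   # the group created with groupadd above


def test_user_runs_su():
    """The scenario from the Testing section: user 'test' is in no privileged group."""
    ev = Event("/bin/su", 0, 0, "test", frozenset({"test", "users"}))
    return decide(ev, RULES, MAGIC_GROUP)


if __name__ == "__main__":
    print("test runs su ->", test_user_runs_su())
    print("alice runs su ->", decide(Event("/bin/su", 0, 0, "alice", frozenset({"alice"})), RULES, MAGIC_GROUP))
    print("bob (ninja) runs su ->", decide(Event("/bin/su", 0, 0, "bob", frozenset({"bob", "ninja"})), RULES, MAGIC_GROUP))
```

Running the script shows that the test user's su session would be killed, while alice (named in the third field) and bob (a member of the magic group) are allowed through; passwd, white-listed for the users group, stays usable for ordinary accounts.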
Finally, start ninja using the following command:
/usr/local/bin/ninja /etc/ninja/default.conf
Ninja is now running. I would also add it to the start-up at the default runlevel, so you are always protected:
Gentoo:
rc-update add ninja default
Testing Ninja:
Create a test user 'test'.
Log in to the system as this test user.
Now attempt to become the 'root' user by typing the command 'su -'.
Here ninja will come into action: it will kill the entire session and dump the information into the log.
And just like that, you now know that your server is safe from people launching a kernel exploit and attempting to get root. Please, please do not whitelist sudo. Sudo, as I've said before, is a package for desktops, and one which can have serious repercussions if someone gets access to your username.