Apr 192010
 

From forkbomb.org/ninja/ and linuxpoison.blogspot.com

DESCRIPTION
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.

A “magic” group can be specified, allowing members of this group to run any setuid/setgid root executable.

Individual executables can be whitelisted. Ninja uses a fine grained whitelist that lets you whitelist executables on a group and/or user basis. This can be used to allow specific groups or individual users access to setuid/setgid root programs, such as su(1) and passwd(1).

EXTERNAL RESOURCES
How to Ninja and How to Ninja – Ubuntu 10.04 by bodhi.zazen

MAN PAGE
Read the online man page here.

CURRENT VERSION
0.1.3 – ChangeLog

DOWNLOAD
Source repository

LICENSE
Ninja is released under the General Public License (GPL) version 2 or higher

INSTALL:
Download ninja from – here
Untar the source, goto the ninja directory and type following command to compile and install the ninja:

make
make install

copy the white-list file to the /etc/ninja directory

cp examples/whitelist/simple.wlist /etc/ninja/

Configuration:
Add group “ninja” (note down the group id):

groupadd ninja

Add user ‘root’ and all other required users to this group:

usermod -G ninja nikesh
usermod -G ninja root

Create the ninja log files:

touch /var/log/ninja.log

Open the ninja configuration file:

vi /etc/ninja/default.conf

and change the following settings

group=1000
daemon = yes
interval = 0
logfile = /var/log/ninja.log
whitelist = /etc/ninja/simple.wlist
external_command = /root/bin/alert

Here you also need to create a simple script alert (/root/bin/alert) with following entries

#!/bin/bash
echo 'Alert - Unauthorized Access to system.' | mail -s "'Alert - Unauthorized Access to system." [email protected]

Edit the whitelist file located under the

/etc/ninja/simple.wlist

The first field is the full path to the executable you wish to white-list. The second field is a comma separated list of groups that should be granted access to the executable. The third field is a comma separated list of users.

::

The second or third field can be left empty. Please refer to the example whitlist located in “examples/whitelist/”.

Remember that it is a good idea to whitelist programs such as passwd and other regular setuid applications that users require access to.

Finally start ninja using following command:

/usr/local/bin/ninja /etc/ninja/default.conf

Testing Ninja:
Create a test user ‘test’
Login to the system using this test user
now attempt to become ‘root’ user by typing command ‘su – ‘
Here ninja will come into action and will kill the entire session and dump the information into the log

 Posted by at 3:22 am