Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.
A “magic” group can be specified, allowing members of this group to run any setuid/setgid root executable.
Individual executables can be whitelisted. Ninja uses a fine-grained whitelist that lets you whitelist executables on a group and/or user basis. This can be used to allow specific groups or individual users access to setuid/setgid root programs, such as su(1) and passwd(1).
Read the online man page here.
0.1.3 – ChangeLog
Ninja is released under the General Public License (GPL) version 2 or higher.
Download ninja from – here
Untar the source, go to the ninja directory and type the following command to compile and install ninja:
Copy the whitelist file to the /etc/ninja directory:
cp examples/whitelist/simple.wlist /etc/ninja/
Add group “ninja” (note down the group id):
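Add user ‘root’ and all other required users to this group (the -a flag appends the group; without it, -G replaces each user's existing supplementary groups):
usermod -a -G ninja nikesh
usermod -a -G ninja root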
Create the ninja log files:
Open the ninja configuration file:
and change the following settings:
daemon = yes
interval = 0
logfile = /var/log/ninja.log
whitelist = /etc/ninja/simple.wlist
external_command = /root/bin/alert
Here you also need to create a simple alert script (/root/bin/alert), executable by root, with the following entries:
#!/bin/sh
echo 'Alert - Unauthorized Access to system.' | mail -s "Alert - Unauthorized Access to system." [email protected]
Edit the whitelist file located under the
The first field is the full path to the executable you wish to white-list. The second field is a comma separated list of groups that should be granted access to the executable. The third field is a comma separated list of users.
The second or third field can be left empty. Please refer to the example whitelist located in “examples/whitelist/”.
Remember that it is a good idea to whitelist programs such as passwd and other regular setuid applications that users require access to.
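The following is an added example, not part of ninja or of the original guide: a small linter and access check that models the whitelist rule described above, useful for reviewing a whitelist before starting the daemon. It assumes the three fields are colon-separated and that `#` starts a comment; the sample entries, the function names and the use of "ninja" as the magic group name are constructed for illustration.

```python
# Added example: lint a ninja-style whitelist and evaluate access decisions.
# Assumptions: fields are colon-separated (path:groups:users), '#' starts a
# comment, and the magic group is the "ninja" group created in this guide.

SAMPLE_WLIST = """\
# constructed sample entries, not shipped with ninja
/bin/su:wheel:
/usr/bin/passwd:users,staff:
/usr/bin/crontab::nikesh
bin/relative:users:
/bin/mount
"""

def parse_whitelist(text):
    """Return (entries, errors); entries maps path -> (groups, users)."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        path, groups, users = fields
        if not path.startswith("/"):
            # The first field must be the full path to the executable.
            errors.append((lineno, "path must be absolute"))
            continue
        group_set = {g.strip() for g in groups.split(",") if g.strip()}
        user_set = {u.strip() for u in users.split(",") if u.strip()}
        entries[path] = (group_set, user_set)
    return entries, errors

def is_allowed(entries, path, user, user_groups, magic_group="ninja"):
    """True if this model would let `user` run the setuid root binary."""
    if magic_group in user_groups:  # magic group members may run anything
        return True
    if path not in entries:  # not whitelisted at all
        return False
    group_set, user_set = entries[path]
    return user in user_set or bool(group_set & set(user_groups))

ENTRIES, ERRORS = parse_whitelist(SAMPLE_WLIST)

if __name__ == "__main__":
    for lineno, msg in ERRORS:
        print(f"line {lineno}: {msg}")
    print("test may run su:", is_allowed(ENTRIES, "/bin/su", "test", ["users"]))
```

Lines the linter rejects are worth fixing before ninja is started, because a mistyped path leaves that executable effectively unwhitelisted for ordinary users.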
Finally, start ninja using the following command:
Create a test user ‘test’.
Log in to the system as this test user.
Now attempt to become the ‘root’ user by typing the command ‘su -’.
At this point ninja will step in, kill the entire session and write the details to the log.