From forkbomb.org/ninja/ and linuxpoison.blogspot.com
DESCRIPTION
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.
A “magic” group can be specified, allowing members of this group to run any setuid/setgid root executable.
Individual executables can be whitelisted. Ninja uses a fine-grained whitelist that lets you whitelist executables on a per-group and/or per-user basis. This can be used to allow specific groups or individual users access to setuid/setgid root programs such as su(1) and passwd(1).
EXTERNAL RESOURCES
How to Ninja and How to Ninja – Ubuntu 10.04 by bodhi.zazen
MAN PAGE
Read the online man page here.
CURRENT VERSION
0.1.3 – ChangeLog
DOWNLOAD
Source repository
LICENSE
Ninja is released under the GNU General Public License (GPL), version 2 or later.
INSTALL:
Download the ninja source tarball (see DOWNLOAD above).
Untar the source, change into the ninja directory and run the following commands to compile and install ninja:
make
make install
Copy the example whitelist file to the /etc/ninja directory (create the directory first if make install did not):
cp examples/whitelist/simple.wlist /etc/ninja/
Configuration:
Add the group “ninja” and note down its group id (GID); it is needed for the group setting in the configuration file:
groupadd ninja
Add root and every user who should be allowed to run setuid/setgid root programs to this group (nikesh is the example user from the original post). Use -a so that each user's existing supplementary groups are kept; usermod -G without -a replaces them, which can silently drop a user from groups such as sudo or adm:
usermod -a -G ninja nikesh
usermod -a -G ninja root
Create the ninja log file:
touch /var/log/ninja.log
Open the ninja configuration file:
vi /etc/ninja/default.conf
and change the following settings. group must be the GID of the ninja group noted above; 1000 is only the value from the original post:
group = 1000
daemon = yes
interval = 0
logfile = /var/log/ninja.log
whitelist = /etc/ninja/simple.wlist
external_command = /root/bin/alert
You also need to create the alert script, /root/bin/alert, which ninja runs through external_command. The one from the original post sends a mail notification; the original had a stray single quote inside the -s argument, corrected here (replace the recipient address with your own and make the script executable):
#!/bin/bash
echo 'Alert - Unauthorized Access to system.' | mail -s "Alert - Unauthorized Access to system." njauhari@cybage.com
Edit the whitelist file, /etc/ninja/simple.wlist. Each entry has three fields. The first field is the full path to the executable you wish to whitelist. The second field is a comma-separated list of groups that should be granted access to that executable. The third field is a comma-separated list of users.
The second or third field can be left empty. Refer to the example whitelist in “examples/whitelist/” for the exact syntax.
Remember that it is a good idea to whitelist programs such as passwd and the other regular setuid applications that users require access to; a setuid/setgid root program that is neither whitelisted for a user nor run by a member of the ninja group is treated as an unauthorized root process.
Finally start ninja using following command:
/usr/local/bin/ninja /etc/ninja/default.conf
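The configuration steps above, collected into a single script, as an added example that is not ninja's own code and not from the original post. It looks up the GID of the ninja group instead of hard-coding 1000, edits only the listed keys in default.conf (keeping everything else in the file), writes the alert script with balanced quoting, enrols users with usermod -a, and lists the setuid/setgid-root binaries on the host as candidates for the whitelist. The group name, file paths and the key = value form of default.conf are taken from this page; ADMIN_USERS, RECIPIENT and the use of GNU sed -i are assumptions.

```shell
#!/bin/sh
# Added example, not part of ninja or the original post: apply the
# configuration steps above from one script. Assumptions: paths are the
# ones used in the post, the group is called "ninja", ADMIN_USERS and
# RECIPIENT are placeholders to edit, default.conf uses "key = value"
# lines, and sed is GNU sed. Run as root: sh ninja-setup.sh apply
NINJA_GROUP=ninja
ADMIN_USERS="root"           # placeholder: users allowed to run setuid-root programs
RECIPIENT="root@localhost"   # placeholder: alert recipient
NINJA_CONF=/etc/ninja/default.conf
NINJA_LOG=/var/log/ninja.log
NINJA_WLIST=/etc/ninja/simple.wlist
ALERT_SCRIPT=/root/bin/alert

# Numeric GID of the magic group, looked up rather than assumed to be 1000.
ninja_gid() {
    getent group "$1" | cut -d: -f3
}

# Set "key = value" in a config file: replace the active line for the key
# if there is one, otherwise append. Every other setting is left untouched.
# $1 file, $2 key, $3 value (value must not contain '|').
set_conf_key() {
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i "s|^[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# The six settings the post changes. $1 file, $2 gid, $3 logfile,
# $4 whitelist, $5 external command.
configure_ninja() {
    set_conf_key "$1" group "$2"
    set_conf_key "$1" daemon yes
    set_conf_key "$1" interval 0
    set_conf_key "$1" logfile "$3"
    set_conf_key "$1" whitelist "$4"
    set_conf_key "$1" external_command "$5"
}

# Alert script with balanced quoting (the post's version had a stray single
# quote inside the -s argument). $1 is the recipient address.
render_alert_script() {
    cat <<EOF
#!/bin/sh
# Run by ninja via external_command when an unauthorized root process is seen.
echo "Alert - unauthorized root process on \$(hostname) at \$(date -u +%FT%TZ)" \\
    | mail -s "Alert - Unauthorized Access to system" '$1'
EOF
}

# Setuid files owned by $2 and setgid files group-owned by $3 below $1.
# "setuid_candidates / root root" lists what users may legitimately need
# (passwd, su, sudo, ...); review it and whitelist only what is required.
setuid_candidates() {
    find "$1" -xdev -type f \( -perm -4000 -user "$2" -o -perm -2000 -group "$3" \) \
        -print 2>/dev/null | sort
}

apply() {
    gid=$(ninja_gid "$NINJA_GROUP")
    [ -n "$gid" ] || { echo "group $NINJA_GROUP does not exist; run groupadd first" >&2; return 1; }
    [ -f "$NINJA_CONF" ] || { echo "$NINJA_CONF missing; run make install first" >&2; return 1; }
    # -a keeps each user's existing supplementary groups; plain -G replaces them.
    for u in $ADMIN_USERS; do usermod -a -G "$NINJA_GROUP" "$u"; done
    mkdir -p "$(dirname "$ALERT_SCRIPT")"
    touch "$NINJA_LOG" && chmod 600 "$NINJA_LOG"   # log carries process details: root-only
    configure_ninja "$NINJA_CONF" "$gid" "$NINJA_LOG" "$NINJA_WLIST" "$ALERT_SCRIPT"
    render_alert_script "$RECIPIENT" > "$ALERT_SCRIPT"
    chmod 700 "$ALERT_SCRIPT"
    echo "setuid/setgid-root binaries to consider for $NINJA_WLIST:"
    setuid_candidates / root root
}

case "${1:-}" in
    apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }; apply ;;
esac
```

Run it as root with `sh ninja-setup.sh apply` after make install and groupadd ninja; sourcing the file without the apply argument only defines the functions. Review the printed candidate list before adding entries to the whitelist: a member of the ninja group may run any of them, everyone else only what the whitelist grants.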
Testing Ninja:
Create a test user ‘test’ that is not a member of the ninja group and is not granted su in the whitelist.
Log in to the system as this test user.
Now attempt to become root by running ‘su -’.
Here ninja comes into action: it kills the session, dumps the process information into /var/log/ninja.log and, with external_command set, runs the alert script.