
How to Ninja – Ubuntu 10.04

Briefly, ninja is a security tool that monitors your host (computer) for unauthorized root access (i.e. user privilege escalation) and, if discovered, logs and terminates (kills) the process.

Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.

Since my original post the installation process and configuration have been modified and, although it is much easier to configure, ninja still requires post-installation configuration.

sudo apt-get install ninja

Most important, read the documentation. Most of the relevant information is in the configuration file.

These are the adjustments I made (for Ubuntu).

1. Add a “magic” group (only members of the magic group are allowed root access). In this blog I will call the group “ninja”; you may change the name if you wish. Take note of the group id (gid or number).

sudo addgroup ninja

Adding group `ninja' (GID 1002) ...
Done.

Add root, messagebus, and your administrative user(s) to the magic group:

sudo usermod -a -G ninja root

sudo usermod -a -G ninja messagebus

sudo usermod -a -G ninja bodhi

2. Make a log file, and restrict access to both /etc/ninja and the log file to root:

sudo touch /var/log/ninja.log

sudo chmod o-rwx -R /etc/ninja/

sudo chmod o-rwx /var/log/ninja.log

3. Using any editor, open /etc/ninja/ninja.conf. I encourage you to read the configuration file.

sudo -e /etc/ninja/ninja.conf

Make the following change, matching the number to the magic group id:

group = 1002

Test ninja:

sudo ninja start
bodhi@lucid:~$ sudo -i
root@lucid:~# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@lucid:~$ whoami
nobody
nobody@lucid:~$ sudo -i
[sudo] password for nobody:
Sorry, try again.

Exit the shell and/or close the terminal.

At this time ninja is configured only to log events.

Examining the log will show the event:

bodhi@lucid:~$ sudo cat /var/log/ninja.log
NEW ROOT PROCESS: bash[2319] ppid=2015 uid=0 gid=0
 - ppid uid=1000(bodhi) gid=1000 ppid=2013
 + bodhi is in magic group, all OK!
NEW ROOT PROCESS: sudo[2338] ppid=2335 uid=0 gid=0
 - ppid uid=65534(nobody) gid=65534 ppid=2319
 + UNAUTHORIZED PROCESS DETECTED: sudo[2338] (parent: bash[2335])
 - nokill option set, no signals sent

Notice three things:

1. bodhi was allowed to run sudo.

2. ninja detected nobody was not authorized to run sudo.

3. Last, ninja is configured with the “no kill” option, so it did not take action.

Before we complete our configuration of ninja, we need to test it. If ninja is misconfigured you may lose all root access!!!

Clear the log:

sudo bash -c "> /var/log/ninja.log"

Reboot, test root (sudo) access and run your system for a few hours or days (your choice). Watch the ninja log. If there are events you will need to decide whether ninja needs further configuration, either by adding users to the ninja group or by whitelisting processes.
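To make that log review less manual, here is a small added script (my own addition, not part of the original post or of the ninja project) that pulls the UNAUTHORIZED entries out of the ninja log together with the parent user recorded on the line before each one. The embedded sample log is constructed from the entries shown above, and the script assumes the real log uses the same line layout.

```shell
#!/bin/sh
# Constructed sample of /var/log/ninja.log (not a real capture); the line
# layout follows the log entries quoted earlier in this post.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
NEW ROOT PROCESS: bash[2319] ppid=2015 uid=0 gid=0
 - ppid uid=1000(bodhi) gid=1000 ppid=2013
 + bodhi is in magic group, all OK!
NEW ROOT PROCESS: sudo[2338] ppid=2335 uid=0 gid=0
 - ppid uid=65534(nobody) gid=65534 ppid=2319
 + UNAUTHORIZED PROCESS DETECTED: sudo[2338] (parent: bash[2335])
 - nokill option set, no signals sent
EOF

# ninja_unauthorized LOGFILE
# Prints one line per "UNAUTHORIZED PROCESS DETECTED" entry:
#   <process> <pid> <parent user> <parent uid> <nokill|signals-sent>
# "nokill" means the " - nokill option set, no signals sent" line followed
# the alert; "signals-sent" is inferred from the absence of that line.
ninja_unauthorized() {
    awk '
        function flush() {
            if (pending) print name, pid, puser, puid, (nokill ? "nokill" : "signals-sent")
            pending = 0; nokill = 0
        }
        /^NEW ROOT PROCESS:/ {
            flush()
            split($4, p, "[][]")          # "sudo[2338]" -> name, pid
            name = p[1]; pid = p[2]; puser = "?"; puid = "?"
        }
        /^ - ppid uid=/ {
            split($3, f, "[=()]")         # "uid=65534(nobody)" -> uid, user
            puid = f[2]; puser = f[3]
        }
        /UNAUTHORIZED PROCESS DETECTED:/ { pending = 1 }
        /nokill option set/              { nokill = 1 }
        END { flush() }
    ' "$1"
}

# Run against the file given on the command line, or the sample by default
# (use /var/log/ninja.log on a real host; reading it needs root).
ninja_unauthorized "${1:-$SAMPLE_LOG}"
```

On the sample above this prints a single line for the sudo attempt by nobody; a clean log prints nothing, which is the state you want before enabling kill mode.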

Use the graphical tool or the command line to add users to the ninja group:

sudo usermod -a -G ninja user_to_add

Edit /etc/ninja/whitelist. If you examine the file you will find there are already a few processes listed. If you need to add a process the syntax is

/path_to/program:group:user

where group/user is a group/user allowed to run the process.

To list your suid applications run this command:

find / -perm -4000 2>/dev/null

To list your sgid applications (restricted to paths containing bin or lib):

find / -perm -2000 2>/dev/null | grep -E 'bin|lib'

Review these applications and, if desired, whitelist them for your users.

Either edit /etc/ninja/whitelist or use a script (run as root, since the whitelist lives under /etc/ninja):

#!/bin/bash
# Append every suid and sgid binary to the ninja whitelist, allowing the
# "users" group to run it (whitelist format: /path_to/program:group:user).
# suid
for i in $(find / -perm -4000 2>/dev/null); do
    echo "${i}:users:" >> /etc/ninja/whitelist
done
# sgid (only paths containing bin or lib)
for i in $(find / -perm -2000 2>/dev/null | grep -E 'bin|lib'); do
    echo "${i}:users:" >> /etc/ninja/whitelist
done

Assuming you have configured ninja and you are not getting alerts in the ninja log, it is time to activate ninja.

Using any editor, open /etc/ninja/ninja.conf.

Change these lines:

no_kill = no

no_kill_ppid = no

Restart ninja:

sudo service ninja restart

bodhi@lucid:/usr/share/doc/ninja$ sudo -i
root@lucid:~# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@lucid:~$ sudo -i
[sudo] password for nobody:
Killed
nobody@lucid:~$
Killed

Using any editor, open /etc/ninja/ninja.conf and make some changes. The “problem” is that the external command now runs as the user who triggered ninja, so we need some modifications to the scripts (from my original post).

external_command = /etc/alert

You must write this script yourself if you wish to use it. Examples might include (save this script in /etc/alert):

#!/bin/bash
# Runs as the user who triggered ninja, so /home/.ninja must already exist
# and be writable by that user for the ALERT file to be created.
echo "Ninja attack" | mail -s "Alert" [email protected]
echo "Ninja attack" > /home/.ninja/ALERT

Note: I suggest putting the script off the normal path of users to prevent users from running the script.

Make the script executable:

sudo chmod 555 /etc/alert

Now add this to the end of .bashrc (at least for root, and I would suggest adding it to your admin user as well):

#Ninja alert
RED='\e[0;31m'   # ANSI red; NC resets the colour after the message
NC='\e[0m'
if [ -e /home/.ninja/ALERT ]; then
    clear
    echo ''
    echo -e "${RED}NINJA ATTACK${NC}"
fi

If you use this script, to clear the alert use:

sudo rm /home/.ninja/ALERT

root@karmic# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@karmic$ whoami
nobody
nobody@karmic$ sudo -i
[sudo] password for nobody:
Killed
nobody@karmic$
Killed
root@karmic#

Notice how ninja killed not only the sudo attempt, but the bash shell as well.

If you used my alert script and configured ~/.bashrc you will also see a warning when you log in or sudo -i to root. If you receive an alert, review your ninja log.

To clear the alert:
