How to Ninja – Ubuntu 10.04

This blog is an update to my original post on ninja here

Update 9/2014:

Note: With more recent versions of Ubuntu you may need to restart ninja with

sudo service ninja restart

Briefly, ninja is a security tool that monitors your host (computer) for unauthorized root access (ie user privilege escalation) and, if discovered, logs and terminates (kills) the process.

From the Ninja Home Page

Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.

Since my original post the installation process and configuration have been modified and, although it is much easier to configure, ninja still requires post-installation configuration.

Install ninja

sudo apt-get install ninja


Configure ninja

Most important, read the documentation. Most of the relevant information is in the configuration file.

These are the adjustments I made (for Ubuntu).

1. Add a “magic” group (only members of the magic group are allowed root access). In this blog I will call the group “ninja”; you may change the name if you wish. Take note of the group id (gid, a number).

sudo addgroup ninja
Adding group `ninja' (GID 1002) ...
Done.

Add root, messagebus, and your administrative user(s) to the magic group.

sudo usermod -a -G ninja root
sudo usermod -a -G ninja messagebus
sudo usermod -a -G ninja bodhi

2. Make a log file, and restrict access to both /etc/ninja and the log file to root.

sudo touch /var/log/ninja.log
sudo chmod -R o-rwx /etc/ninja/
sudo chmod o-rwx /var/log/ninja.log

3. Using any editor, open /etc/ninja/ninja.conf

I encourage you to read the configuration file

sudo -e /etc/ninja/ninja.conf

Make the following change, matching the number to the magic group id:

group = 1002

Test ninja:

sudo ninja start

bodhi@lucid:~$ sudo -i
root@lucid:~# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@lucid:~$ whoami
nobody
nobody@lucid:~$ sudo -i
[sudo] password for nobody:
Sorry, try again.

Exit the shell and/or close the terminal.

At this time ninja is configured only to log events.

Examining the log will show the event:


bodhi@lucid:~$ sudo cat /var/log/ninja.log

NEW ROOT PROCESS: bash[2319] ppid=2015 uid=0 gid=0
- ppid uid=1000(bodhi) gid=1000 ppid=2013
+ bodhi is in magic group, all OK!
NEW ROOT PROCESS: sudo[2338] ppid=2335 uid=0 gid=0
- ppid uid=65534(nobody) gid=65534 ppid=2319
+ UNAUTHORIZED PROCESS DETECTED: sudo[2338] (parent: bash[2335])
- nokill option set, no signals sent

Notice three things:

1. bodhi was allowed to run sudo.
2. ninja detected that nobody was not authorized to run sudo.
3. Last, ninja is configured with the “no kill” option, so it did not take action.
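To turn a log like the one above into something you can review quickly, here is an added example (not part of the original post, and not ninja's own code) that extracts the unauthorized events from the log format shown above: one summary line per detection naming the triggering user, the root process and its parent. The log text in the block is constructed to match the post's output, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from ninja.
# Summarises "UNAUTHORIZED PROCESS DETECTED" events from ninja's log format.

# Constructed sample in the format the post shows (not captured from a real host).
SAMPLE_LOG='NEW ROOT PROCESS: bash[2319] ppid=2015 uid=0 gid=0
- ppid uid=1000(bodhi) gid=1000 ppid=2013
+ bodhi is in magic group, all OK!
NEW ROOT PROCESS: sudo[2338] ppid=2335 uid=0 gid=0
- ppid uid=65534(nobody) gid=65534 ppid=2319
+ UNAUTHORIZED PROCESS DETECTED: sudo[2338] (parent: bash[2335])
- nokill option set, no signals sent'

# Reads ninja log text on stdin and prints one line per unauthorized event:
#   <user> <program>[<pid>] parent=<program>[<pid>]
# A "NEW ROOT PROCESS" line starts a record, the "- ppid uid=" line names the
# user whose process spawned it, and the "+ UNAUTHORIZED" line reports it.
unauthorized_events() {
    awk '
        /^NEW ROOT PROCESS:/ { prog = $4; user = "?" }      # $4 is e.g. sudo[2338]
        /^- ppid uid=/ {
            # $3 looks like uid=65534(nobody); keep the name inside the parentheses
            if (match($3, /\(.*\)/)) user = substr($3, RSTART + 1, RLENGTH - 2)
        }
        /UNAUTHORIZED PROCESS DETECTED/ {
            parent = $NF; sub(/\)$/, "", parent)            # bash[2335]) -> bash[2335]
            print user, prog, "parent=" parent
        }'
}

# Number of unauthorized events in the log read from stdin.
count_unauthorized() {
    unauthorized_events | wc -l
}

# On a real host: sudo cat /var/log/ninja.log | unauthorized_events
printf '%s\n' "$SAMPLE_LOG" | unauthorized_events
```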


Reboot

Before we complete our configuration of ninja, we need to test it. If ninja is misconfigured you may lose all root access !!!

Clear the log

sudo bash -c "> /var/log/ninja.log"

Reboot, test root (sudo) access and run your system for a few hours or days (your choice). Watch the ninja log. If there are events you will need to determine whether you need to configure ninja further, either by adding users to the ninja group or by whitelisting processes.

Add a user to the magic group

Use the graphical tool or the command line to add users to the ninja group.

sudo usermod -a -G ninja user_to_add

Whitelisting a process

Edit /etc/ninja/whitelist

If you examine the file you will find there are already a few processes listed. If you need to add a process the syntax is

/path_to/program:group:user

where group/user is a group/user allowed to run the process

Whitelisting suid / sgid apps

As suggested by Geoffrey (see comments), ninja will kill “unauthorized” suid apps.

To list your suid applications run this command:

find / -perm -4000 2>/dev/null

To list your sgid applications

find / -perm -2000 2>/dev/null | grep -E 'bin|lib'

Review these applications and, if desired, whitelist them for your users.

Either edit /etc/ninja/whitelist by hand or use a script (run it as root, since it appends to /etc/ninja/whitelist):

# suid
for i in $(find / -perm -4000 2>/dev/null); do
echo "${i}:users:" >> /etc/ninja/whitelist
done

# sgid
for i in $(find / -perm -2000 2>/dev/null | grep -E 'bin|lib'); do
echo "${i}:users:" >> /etc/ninja/whitelist
done
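As an added example (not from the original post, and not ninja's own tooling), here is a POSIX shell version of the whitelist script that goes a little beyond the one above: it scans for suid and sgid regular files in one pass, survives paths containing spaces, and is idempotent, so re-running it after a package upgrade does not duplicate entries. The names find_privileged and add_whitelist_entries and their root/whitelist/group parameters are my own; the entry format /path:group:user is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from ninja itself.
# Builds ninja whitelist entries in the post's format: /path/to/program:group:user
# Function names and parameters are assumptions for this illustration.

# List every suid or sgid regular file under $1, one per line.
# -type f skips setgid directories, which "find -perm -2000" alone would include.
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Append "<path>:<group>:" to whitelist $2 for each privileged file under $1
# (user field left empty, as in the post). A path already present is skipped,
# so the function is safe to re-run. Prints the number of entries added.
# ninja's format uses ':' as the separator, so a path containing ':' cannot be
# represented; such paths are reported on stderr and skipped.
add_whitelist_entries() {
    root=$1; whitelist=$2; group=$3
    touch "$whitelist"
    before=$(wc -l < "$whitelist")
    find_privileged "$root" | while IFS= read -r path; do
        case $path in
            *:*) printf 'skipping path with colon: %s\n' "$path" >&2; continue ;;
        esac
        # Compare only the path field of existing entries (exact fixed-string match).
        if ! cut -d: -f1 "$whitelist" | grep -qxF -- "$path"; then
            printf '%s:%s:\n' "$path" "$group" >> "$whitelist"
        fi
    done
    after=$(wc -l < "$whitelist")
    echo $((after - before))
}

# On a real host, as root: add_whitelist_entries / /etc/ninja/whitelist users
```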


Enable ninja

Assuming you have configured ninja and you are not getting alerts in the ninja log, it is time to activate ninja.

Using any editor, open /etc/ninja/ninja.conf

sudo -e /etc/ninja/ninja.conf

Change these lines:

no_kill = no
no_kill_ppid = no

Restart ninja:

sudo service ninja restart

Test ninja


bodhi@lucid:/usr/share/doc/ninja$ sudo -i
root@lucid:~# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@lucid:~$ sudo -i
[sudo] password for nobody: Killed
nobody@lucid:~$ Killed


Adding an automated alert

Using any editor, open /etc/ninja/ninja.conf and make some changes. The “problem” is that the external command now runs as the user who triggered ninja, so we need some modifications to the scripts (from my original post).

external_command = /etc/alert

YOU must write this script if you wish to use it.

Examples might include (save this script in /etc/alert):

#!/bin/bash
# This runs as the user who triggered ninja, so /home/.ninja must already exist
# and be writable by that user (create it beforehand as root).
echo "Ninja attack" | mail -s "Alert" you@secret-service.com
echo "Ninja attack" > /home/.ninja/ALERT

Note: I suggest putting the script OFF the normal path of users to prevent users from running the script.

Make the script executable:

sudo chmod 555 /etc/alert

Now add this to the end of .bashrc (at least for root and I would suggest adding it to your admin user as well):

#Ninja alert
RED='\e[0;31m'
NC='\e[0m'   # reset colour, otherwise the rest of the session stays red
if [ -e /home/.ninja/ALERT ]; then
    clear
    echo ''
    echo -e "${RED}NINJA ATTACK${NC}"
    echo ''
fi

If you use this script, clear the alert with

sudo rm /home/.ninja/ALERT


Ninja in action

root@karmic# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@karmic$ whoami
nobody
nobody@karmic$ sudo -i
[sudo] password for nobody: Killed
nobody@karmic$ Killed
root@karmic#

Notice how ninja killed not only the sudo attempt, but the bash shell as well.

If you used my alert script and configured ~/.bashrc you will also see a warning when you log in or sudo -i to root. If you receive an alert, review your ninja log.

To clear the alert:

sudo rm /home/.ninja/ALERT

This entry was posted in Linux.

21 Responses to How to Ninja – Ubuntu 10.04

  1. Pingback: Bodhi.Zazen: How to Ninja – Ubuntu 10.04 | TuxWire

  2. Pingback: Tweets that mention Shadows of epiphany » Blog Archive » How to Ninja – Ubuntu 10.04 -- Topsy.com

  3. Pingback: Shadows of epiphany » Blog Archive » How to Ninja – Ubuntu 10.04 | Linux Affinity

  4. Pingback: Ninja - Privilege escalation detection system for GNU/Linux | Ubuntu Geek

  5. Geoffrey says:

    Wow. Uh. It killed sudo before you even tried to type a password? This means it breaks all setuid root programs, including legitimate ones like mail delivery apps, ping/traceroute, etc. How is this a good idea?

  6. bodhi.zazen says:

    @ Geoffrey : as with all security it depends.

    How important are these tools to the average desktop user ?

    If you need them ( ping / traceroute ), white list them.

  7. bodhi.zazen says:

    @ Geoffrey : I added a section in my how to to identify and, if desired, white list such suid apps

  8. kenda says:

    I think there is a typo in the code:

    # suid
    for in in `find / -perm -4000 2>/dev/null`; do
    echo ${i}:users: >> /etc/ninja/whitelist
    done

    #sgid
    for in in `find / -perm -4000 2>/dev/null | grep {bin,lib} 2>/dev/null`; do
    echo ${i}:users: >> /etc/ninja/whitelist
    done

    Should it be “for i in……..”? You have “in” duplicated. I am a novice so I might well be wrong.

  9. bodhi.zazen says:

    Thank you kenda, I fixed that code =)

  10. Yikes:
    mark@Lexington-19-Karmic:~$ sudo ninja start
    log: reading configuration file: start
    die: error: unable to read configuration file

    and you say:

    Reboot
    Before we complete our configuration of ninja, we need to test it. If ninja is misconfigured you may lose all root access !!!

    So, I am a “desktop user” and I have no idea of when you may read this and respond and feel as though I cannot turn off the computer until then. I have no idea as to how to “unconfigure” Ninja so I will have my computer WITH root access.

  11. Further: I cannot find a directory named: /etc/alert NOR /etc/Alert NOR /etc/ALERT. And I cannot find where in this set of instructions there is a command for making that directory.

    Viz:

    external_command = /etc/alert

    YOU must write this script if you wish to use it.
    Examples might include (save this script in /etc/alert ):
    #!/bin/bash
    echo "Ninja attack" | mail -s "Alert" you@secret-service.com
    echo "Ninja attack" > /home/.ninja/ALERT

    There are three variations on the spelling of “alert” and I have no idea as to how to fix any of this. Bodhi, you are a great guy for giving us such works as Ninja, but I have to ask you to write more clearly for non-computer guys, such as myself. Thanks.

  12. I apologize for all these posts today. I took a chance and rebooted. At least Lucid came up and seems to work. I have Chrome and ‘net access, email, etc. Opening a terminal is odd as I see:


    “NINJA ATTACK”

    mark@Lexington-19-Karmic:~$

    and asking Aptitude to update required no sudo password.

  13. bodhi.zazen says:

    @Mark_in_Hollywood – You have to write the script. You can use the script I posted as a template. You would then save the file to /etc/alert or /usr/local/bin/alert or any location you prefer. Then make it executable. HTH.

  14. Saintmeh says:

    LOL well.. I installed it… and broke a bunch of things… then uninstalled… then re-installed and white-listed probably more things than I should have… but it was fun! I’m not yet comfortable enough to put it on the server… but I should…. Thank you for the EXCELLENT walk through! Even a noob like me could get it together with this!

  15. bodhi.zazen says:

    @Saintmeh : Glad you got it sorted. Yes, these security tools come with a bit of a learning curve.

  16. Pingback: Takedown » Paranoia: ON!

  17. Smith ( not an agent ! ) says:

    really have learnt something important new
    with this ! – but … have not set-up an alert-script
    in /etc/alert
    so sudo and su is switched off
    and I am closed out of my castle here (as system-admin).
    so how do I get back into my machine ??? ninja, ninja … is too profound now … sudo apt-get install --reinstall sudo does not work any more, how do I get sudo back – without sudo or su – rights ???

  18. Smith ( not an agent - back as $sudo now ! ) says:

    sorry for mismatch in 1st attempt I had pitch.
    then I re-read carefully from above again and found what I did wrong. now it works – whenever a bit different than in your example.

    ;)

  19. Smith ( not an agent - but now, whats up ? ) says:

    because I need ninja for a while not anymore – I removed it with synaptic
    package-manager . . . ( later I re-install it again )

    but now, what is this ? this is remaining of ninja ? when logging in with :

    sudo su

    then I have this message (in red) :

    hacker traced !!!

  20. bodhi.zazen says:

    I assume that is a remnant of a script you wrote.

  21. Stephen says:

    I found an error with one command:

    sudo ninja start

    This command failed. So, I typed the following:

    sudo service ninja start

    After that everything is working as it should.
