How to Ninja
I stumbled across an interesting security package in the Ubuntu repositories: Ninja.
From the Ninja home page:
Ninja is a privilege escalation detection and prevention
system for GNU/Linux hosts. While running, it will monitor
process activity on the local host, and keep track of all
processes running as root. If a process is spawned with
UID or GID zero (root), ninja will log necessary information
about this process, and optionally kill the process
if it was spawned by an unauthorized user.
What this means in “non-geek speak” is that ninja monitors your system for unauthorized root access (i.e. user privilege escalation) and, if it finds any, logs and terminates (kills) the process.
Installation and configuration is fairly straightforward, but I made a few (small) modifications.
Install ninja
sudo apt-get install ninja
Configure ninja
Most importantly, read the documentation. These are the adjustments I made (for Ubuntu).
1. Move the configuration files into /etc
sudo mkdir /etc/ninja
sudo cp /usr/share/doc/ninja/examples/default.conf /etc/ninja/ninja.conf
sudo cp /usr/share/doc/ninja/examples/simple.wlist /etc/ninja/whitelist
sudo chmod -R o-rwx /etc/ninja
2. Make a log file.
sudo touch /var/log/ninja.log
sudo chmod o-rwx /var/log/ninja.log
3. Add a “magic” group (one that is allowed root access). Here I called it ninja.
sudo addgroup ninja
Adding group `ninja' (GID 1003) ...
Done.
Take note of the group id (gid or number), in this example 1003.
And add your user (and root) to the “magic” group (I added the messagebus user as well).
sudo usermod -a -G ninja bodhi
sudo usermod -a -G ninja root
sudo usermod -a -G ninja messagebus
4. Using any editor, open /etc/ninja/ninja.conf and make some changes.
group = 1003
daemon = yes
interval = 0
logfile = /var/log/ninja.log
whitelist = /etc/ninja/whitelist
external_command = /root/bin/alert
Notes:
- Change group “0” to the group you wish to allow root access. In this example I used the group “ninja”, which was assigned a gid of 1003.
- To find the gid, use “grep ninja /etc/group” (the file is /etc/group, not /etc/groups) or “getent group ninja”.
- interval = 0 – If this option consumes too much CPU, change it to 1.
- external_command = /root/bin/alert – YOU must write this script if you wish to use it.
- Examples might include:
#!/bin/bash
echo "Ninja attack" | mail -s "Alert" you@secret-service.com
echo "Ninja attack" > /root/ALERT
echo "Ninja attack" > /home/bodhi/ALERT
- If you use the last one, add this to the end of .bashrc (assuming you have defined the color red in .bashrc). Remove the ALERT file once you have looked into it, or the warning keeps appearing:
#Ninja alert
if [ -e "$HOME/ALERT" ]; then
clear
echo ""
echo -e "${RED}NINJA ATTACK"
echo ""
fi
5. Edit /etc/ninja/whitelist
Since Ubuntu does not use su, remove the su line.
For passwd, allow the users group.
Add in other normal system processes:
/bin/fusermount:users:
/usr/bin/passwd:users:
/usr/bin/pulseaudio:users:
/usr/sbin/hald:haldaemon:
/usr/lib/hal/hald-runner:haldaemon:
6. Start ninja at boot. I did this with a single line in /etc/rc.local (placed before the final exit 0):
/usr/sbin/ninja /etc/ninja/ninja.conf
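To make the effect of steps 3 to 5 concrete, here is a small Python model of the decision ninja makes when a uid-0 process appears. This is an added example, not the post's own code and not ninja's source. It assumes the whitelist field layout path:groups:users (inferred from the entries in step 5), that the magic-group test also counts the parent's supplementary groups, and that a root process whose parent already runs as root is not questioned; the /etc/group content and the sample events are constructed. Check these assumptions against the ninja documentation for your version.

```python
"""Simplified model of ninja's verdict on a newly spawned root process.

Added example, not ninja's own code.  Assumptions: whitelist lines are
"<path>:<allowed groups>:<allowed users>" (inferred from step 5), the
magic-group check includes the parent's supplementary groups, and a
root process spawned by root is left alone.  Data below is constructed.
"""
from dataclasses import dataclass

# Constructed /etc/group-style data; the gid 1003 "ninja" group matches the post.
ETC_GROUP = """\
root:x:0:
users:x:100:
ninja:x:1003:bodhi,root,messagebus
haldaemon:x:107:
nogroup:x:65534:
"""

# Whitelist as edited in step 5 (su line removed).
WHITELIST = """\
/bin/fusermount:users:
/usr/bin/passwd:users:
/usr/bin/pulseaudio:users:
/usr/sbin/hald:haldaemon:
/usr/lib/hal/hald-runner:haldaemon:
"""

MAGIC_GID = 1003  # "group = 1003" in ninja.conf


def parse_groups(text):
    """Map group name -> (gid, set of explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_whitelist(text):
    """Map program path -> (allowed groups, allowed users); an empty field allows nobody."""
    wl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"malformed whitelist line: {line!r}")
        path, grp, usr = fields
        wl[path] = ({g for g in grp.split(",") if g}, {u for u in usr.split(",") if u})
    return wl


def groups_of(groups, user, primary_gid):
    """All gids of a user: the primary gid plus every group listing the user as a member."""
    return {primary_gid} | {gid for gid, members in groups.values() if user in members}


@dataclass
class RootProcess:
    """A process that just appeared with uid 0, plus what is known about its parent."""
    path: str
    parent_user: str
    parent_uid: int
    parent_gid: int


def decide(proc, groups, whitelist, magic_gid=MAGIC_GID):
    """Return ("ok", reason) if the process may live, else ("kill", reason)."""
    if proc.parent_uid == 0:
        return "ok", "parent already runs as root"
    gids = groups_of(groups, proc.parent_user, proc.parent_gid)
    if magic_gid in gids:
        return "ok", f"{proc.parent_user} is in magic group"
    if proc.path in whitelist:
        allowed_groups, allowed_users = whitelist[proc.path]
        allowed_gids = {groups[g][0] for g in allowed_groups if g in groups}
        if proc.parent_user in allowed_users or gids & allowed_gids:
            return "ok", f"{proc.path} is whitelisted for {proc.parent_user}"
    return "kill", f"{proc.parent_user} (uid {proc.parent_uid}) may not spawn {proc.path} as root"


if __name__ == "__main__":
    g, wl = parse_groups(ETC_GROUP), parse_whitelist(WHITELIST)
    # Constructed events: the first one mirrors the "Ninja in action" session below.
    for p in (RootProcess("/usr/bin/sudo", "nobody", 65534, 65534),
              RootProcess("/bin/su", "bodhi", 1000, 1000),
              RootProcess("/usr/bin/passwd", "alice", 1001, 100),
              RootProcess("/usr/bin/pulseaudio", "nobody", 65534, 65534)):
        print(p.path, p.parent_user, *decide(p, g, wl))
```

Running it prints one verdict per constructed event: sudo started by nobody is killed, su started by a magic-group member passes, passwd started by a member of users passes through the whitelist, and pulseaudio started by nobody is killed because nobody is not in the users group. The point of the model is that the whitelist is only consulted for parents outside the magic group, which is why the group membership chosen in step 3 matters more than any whitelist entry.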
Ninja in action
root@karmic# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@karmic$ whoami
nobody
nobody@karmic$ sudo -i
[sudo] password for nobody: Killed
nobody@karmic$ Killed
root@karmic#
Notice how ninja killed not only the sudo attempt, but the bash shell as well.
Posted in Linux
Please provide the full post contents in your RSS feed.
Comment by foo — June 6, 2009 @ 1:40 am
I constantly get die: got signal SIGSEGV — segmentation fault errors :S
Comment by Carroarmato0 — June 6, 2009 @ 6:08 am
ninja segfaults intermittently (varies by system) when you use a log file.
It will work if you comment out the line referring to a log file in /etc/ninja/ninja.conf
I have reported the bug and sent debugging information to the developer.
Comment by bodhi.zazen — June 6, 2009 @ 9:03 am
cool
Comment by karlzt — June 6, 2009 @ 9:06 am
[...] something simpler and not so critical, like giving terminal or X access to end users. Here is a post on how to install it on [...]
Pingback by El Blog de Marcelo! » Dos herramientas para Sysadmins: Ninja y KSplice — June 6, 2009 @ 11:20 am
Hey!
Found your feed on planet (ubuntu).
Nice tutorial! I’m loving my ninjas!
Comment by Ben Crisford — June 6, 2009 @ 3:26 pm
Hi,
Nice extra security measure!
I followed your guide. Installed it on my home server and it started eating 25% of my cpu cycles!
So I set the interval to 1. Now it just eats 2%.
This is on a 1.2Ghz Celeron.
Does this mean that processes that execute as root and die immediately could go unnoticed?
Comment by bla — June 8, 2009 @ 3:05 am
My understanding is that an interval of 1 instructs ninja to scan all active processes every 1 second (0 = continuous or no delay).
As with all security measures, best to test it out.
In terms of the log, I believe there will be a log of the process as it is started, but again check it out. If you wish, you can change the logging options.
Comment by bodhi.zazen — June 8, 2009 @ 2:21 pm
Hopefully this procedure will be simpler in future versions of the package:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550545
Comment by Francois Marier — October 11, 2009 @ 3:41 am
neat!
Comment by severity1 — October 25, 2009 @ 7:35 pm
Awesome! nice ninja tutorial
Comment by Billy — October 25, 2009 @ 10:25 pm
Thank you for sharing this howto, I liked the tool and it is working properly.
log:
[Sun Jan 10 07:01:57 2010] NEW ROOT PROCESS: su[21536] ppid=21414 uid=0 gid=1000
[Sun Jan 10 07:01:57 2010] – ppid uid=1000(xxxxx ) gid=1000 ppid=17568
[Sun Jan 10 07:01:57 2010] + xxxxx is in magic group, all OK!
Comment by gnumax — January 10, 2010 @ 12:04 am
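The three log lines in the last comment show the shape ninja writes for each new root process: a header line, a line describing the parent, and a line giving the verdict. As an added example (not from the post, its commenters, or ninja itself), the Python snippet below parses lines of that shape and lists the events that were not cleared by the magic-group check. The line layout is inferred from those three lines only; the second event in the sample is constructed to show an uncleared case, and no assumption is made about the exact text ninja writes when it kills a process, only that the "all OK" line is absent.

```python
"""Parse ninja log lines and flag root-process events not cleared by the magic group.

Added example, not part of the post or of ninja.  Line layout is inferred
from the three lines in gnumax's comment:
  [timestamp] NEW ROOT PROCESS: <name>[<pid>] ppid=<n> uid=<n> gid=<n>
  [timestamp] - ppid uid=<n>(<user>) gid=<n> ppid=<n>
  [timestamp] + <user> is in magic group, all OK!
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first event is the one from the comment (user name
# masked as in the original); the second is made up to show an uncleared case.
SAMPLE_LOG = """\
[Sun Jan 10 07:01:57 2010] NEW ROOT PROCESS: su[21536] ppid=21414 uid=0 gid=1000
[Sun Jan 10 07:01:57 2010] - ppid uid=1000(xxxxx ) gid=1000 ppid=17568
[Sun Jan 10 07:01:57 2010] + xxxxx is in magic group, all OK!
[Sun Jan 10 07:05:12 2010] NEW ROOT PROCESS: sudo[21600] ppid=21590 uid=0 gid=65534
[Sun Jan 10 07:05:12 2010] - ppid uid=65534(nobody) gid=65534 ppid=21580
"""

HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NEW ROOT PROCESS: (?P<name>[^\[\s]+)\[(?P<pid>\d+)\] "
    r"ppid=(?P<ppid>\d+) uid=(?P<uid>\d+) gid=(?P<gid>\d+)\s*$"
)
# The blog rendered the dash as an en-dash; accept either form.
PARENT = re.compile(
    r"^\[[^\]]+\] [-\u2013] ppid uid=(?P<puid>\d+)\((?P<puser>[^)]*)\) "
    r"gid=(?P<pgid>\d+) ppid=(?P<gppid>\d+)\s*$"
)
OK = re.compile(r"^\[[^\]]+\] \+ (?P<user>\S+) is in magic group, all OK!\s*$")


@dataclass
class RootEvent:
    """One NEW ROOT PROCESS record assembled from consecutive log lines."""
    timestamp: str
    name: str
    pid: int
    ppid: int
    parent_user: Optional[str] = None
    parent_uid: Optional[int] = None
    magic_ok: bool = False


def parse_ninja_log(text):
    """Group log lines into RootEvent records, in the order they appear."""
    events = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = RootEvent(m["ts"], m["name"], int(m["pid"]), int(m["ppid"]))
            events.append(current)
            continue
        if current is None:
            continue  # stray line before any header
        m = PARENT.match(line)
        if m:
            current.parent_user = m["puser"].strip()
            current.parent_uid = int(m["puid"])
            continue
        if OK.match(line):
            current.magic_ok = True
    return events


def suspicious(events):
    """Events with no "all OK" verdict, i.e. parents outside the magic group."""
    return [e for e in events if not e.magic_ok]


if __name__ == "__main__":
    for e in suspicious(parse_ninja_log(SAMPLE_LOG)):
        print(f"{e.timestamp}: {e.name}[{e.pid}] spawned as root by "
              f"{e.parent_user} (uid {e.parent_uid}), not cleared")
```

Pointed at the real /var/log/ninja.log, this gives a quick list of root processes whose parent was not in the magic group, which is the set worth reviewing against the whitelist. Because the verdict is taken from the line that follows the header, an event whose lines were split across a log rotation would show up as uncleared; treat that as a prompt to look, not as proof of an attack.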