Tuesday, February 22, 2011

Using Ninja to Monitor And Kill Rogue Privilege Escalation

In the world of hacking, getting in is just the start. Once a hacker (if they have malicious intent we'll call them crackers) has found a way onto a system, s/he usually then needs to jump to the Administrator, system, or root account to be most effective.

Ninja is a program for Linux (and presumably most Unix-like OSes) that monitors for such privilege escalation. Not every privilege escalation is the work of a cracker, though. Common administration programs like passwd, sudo, etc. also set their UID to root, so Ninja has a white-list of who is allowed to run which processes as root.

The white-list function of Ninja makes it useful for enforcing policy. You can have one group of users who are allowed to run file editors as root to make changes to system configs and another group who are allowed to restart services, thus providing separation of duties.

When you first install Ninja, it is set to logging only. This allows you to run it in log mode for a while until you are sure your white-list covers all of the normal use cases for your system before you put it into the proactive process killing modes.

There are 2 modes for process killing, one that kills the process running as root, and one that also kills the process that spawned it.

When first installed (on a Debian-based system like Ubuntu), it will tell you where its configs and logs are:

Setting up ninja (0.1.3-2) ...
log: reading configuration file: /etc/ninja/ninja.conf
log: ninja version 0.1.3 initializing
log: magic group: gid=0 (root)
log: logfile: /var/log/ninja.log
log: whitelist mapped in memory at 0x7f851ba0b000
log: entering daemon mode



After install, if I run a program with sudo, it will be logged as below:


rod@rod-ubuntu:~$ sudo nano /etc/ninja/ninja.conf


rod@rod-ubuntu:~$ more /var/log/ninja.log
[Tue Feb 22 06:12:23 2011] ninja version 0.1.3 initializing
[Tue Feb 22 06:12:23 2011] magic group: gid=0 (root)
[Tue Feb 22 06:12:23 2011] logfile: /var/log/ninja.log
[Tue Feb 22 06:12:23 2011] whitelist mapped in memory at 0x7f851ba0b000
[Tue Feb 22 06:12:23 2011] entering daemon mode
[Tue Feb 22 06:12:23 2011] entering main loop
[Tue Feb 22 06:12:23 2011] generating initial pid array..
[Tue Feb 22 06:12:23 2011] now monitoring process activity
[Tue Feb 22 06:25:55 2011] NEW ROOT PROCESS: nano[3686] ppid=2740 uid=0 gid=0
[Tue Feb 22 06:25:55 2011]   - ppid uid=1000(rod) gid=1000 ppid=2722
[Tue Feb 22 06:25:55 2011]   + UNAUTHORIZED PROCESS DETECTED: nano[3686] (parent: bash[2740])
[Tue Feb 22 06:25:55 2011]   - nokill option set, no signals sent
rod@rod-ubuntu:~$


This logging alone makes Ninja worth the install, because it gives you a way to track who did what as root no matter how they got to be root (sudo, SUID, or a privilege escalation hack). Turn on the defensive modes and your system learns a little bit of self defense.
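To turn that log into a "who ran what as root" report, the entries can be grouped per process. The following is an added example, not part of the original post or of Ninja itself: a small Python parser for the log format shown above. The sample lines are copied from that excerpt (with the terminal-wrapped line joined), and the function and field names are assumptions made for illustration.

```python
import re

# Sample lines copied from the ninja.log excerpt in this post (wrapped line joined).
SAMPLE_LOG = """\
[Tue Feb 22 06:12:23 2011] now monitoring process activity
[Tue Feb 22 06:25:55 2011] NEW ROOT PROCESS: nano[3686] ppid=2740 uid=0 gid=0
[Tue Feb 22 06:25:55 2011]   - ppid uid=1000(rod) gid=1000 ppid=2722
[Tue Feb 22 06:25:55 2011]   + UNAUTHORIZED PROCESS DETECTED: nano[3686] (parent: bash[2740])
[Tue Feb 22 06:25:55 2011]   - nokill option set, no signals sent
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
NEW_ROOT = re.compile(r"^NEW ROOT PROCESS: (?P<name>.+)\[(?P<pid>\d+)\] ppid=(?P<ppid>\d+) ")
PARENT = re.compile(r"^- ppid uid=(?P<uid>\d+)\((?P<user>[^)]*)\) gid=(?P<gid>\d+)")
UNAUTH = re.compile(
    r"^\+ UNAUTHORIZED PROCESS DETECTED: .+\[(?P<pid>\d+)\] \(parent: (?P<parent>.+)\[\d+\]\)")


def parse_events(text):
    """Return one dict per NEW ROOT PROCESS entry, enriched by its follow-up lines."""
    events, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a timestamped log line (e.g. a wrapped fragment)
        msg = m.group("msg").strip()
        if (n := NEW_ROOT.match(msg)):
            # Start a new event; later lines describe it until the next one begins.
            current = {"time": m.group("ts"), "process": n.group("name"),
                       "pid": int(n.group("pid")), "ppid": int(n.group("ppid")),
                       "user": None, "parent": None,
                       "unauthorized": False, "nokill": False}
            events.append(current)
        elif current is None:
            continue  # startup messages before any root process was seen
        elif (p := PARENT.match(msg)):
            current["user"] = p.group("user")  # account that owned the parent
        elif (u := UNAUTH.match(msg)) and int(u.group("pid")) == current["pid"]:
            current["unauthorized"] = True  # not covered by the white-list
            current["parent"] = u.group("parent")
        elif msg.startswith("- nokill option set"):
            current["nokill"] = True  # log-only mode, no signal was sent
    return events


if __name__ == "__main__":
    for e in parse_events(SAMPLE_LOG):
        flag = "UNAUTHORIZED" if e["unauthorized"] else "ok"
        print(f'{e["time"]}  {e["user"]} -> {e["process"]}[{e["pid"]}]  {flag}')
```

Only the message types that appear in the excerpt above are recognised; lines written by the process-killing modes are not shown in this post and are ignored by the parser.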

Now if only I could find a version of this for Windows machines. Anyone know of something similar (free or for a fee) for Windows?