- ninja - Monitor Linux System for Unauthorized root access

Ninja is a privilege escalation detection  and  prevention system for GNU/Linux hosts. While running, it will monitor Process activity on the local host, and keep track of  all processes  running  as root.  If a process is spawned with UID or GID zero (root), ninja will log necessary  information  about  this process, and optionally kill the process if it was spawned by an unauthorized user.

A "magic" group can be specified, allowing members of this group to run any setuid/setgid root executable.

Individual  executable  can be white-listed.  Ninja uses a fine grained white-list that lets you white list executable on  a group  and/or user basis. This can be used to allow specific groups or individual users access to  setuid/set-gid root programs, such as su and passwd.

Installation:
Download ninja from - here
Untar the source, goto the ninja directory and type following command to compile and install the ninja:
make
make install
copy the white-list file to the /etc/ninja directory
cp examples/whitelist/simple.wlist /etc/ninja/
Configuration:
Add group "ninja" (note down the group id):
groupadd ninja
Add user 'root' and all other required users to this group:
usermod -G ninja nikesh
usermod -G ninja root
Create the ninja log files:
touch /var/log/ninja.log
Open the ninja configuration file: vi /etc/ninja/default.conf and change the following settings
group=1000
daemon = yes
interval = 0
logfile = /var/log/ninja.log
whitelist = /etc/ninja/simple.wlist
external_command = /root/bin/alert
Here you also need to create a simple script alert (/root/bin/alert) with following entries

#!/bin/bash
echo 'Alert - Unauthorized Access to system.' | mail -s "'Alert - Unauthorized Access to system." njauhari@cybage.com

Edit the whitelist file located under the /etc/ninja/simple.wlist
The first field is the full path to the executable you wish to white-list. The second field  is  a comma  separated  list  of  groups  that should be granted access to the executable.  The third field is a comma separated list of users.
<executable>:<groups>:<users>
The second or third field can be left empty.  Please refer to the example whitlist located in "examples/whitelist/".

Remember that it is a good idea to whitelist programs such as passwd and other regular  setuid  applications  that users require access to.

Finally start ninja using following command:
/usr/local/bin/ninja /etc/ninja/default.conf
Testing Ninja:
Create a test user 'test'
Login to the system using this test user
now attempt to become 'root' user by typing command 'su - '
Here ninja will come into action and will kill the entire session and dump the information into the log ...







source:http://linuxpoison.blogspot.com/2010/04/135781677519066.html

Labels

Web Search Gmail Google Docs Mobile YouTube Google Maps Google Chrome User interface Tips iGoogle Social Google Reader Traffic Making Devices cpp programming Ads Image Search Google Calendar tips dan trik Google Video Google Translate web programming Picasa Web Albums Blogger Google News Google Earth Yahoo Android Google Talk Google Plus Greasemonkey Security software download info Firefox extensions Google Toolbar Software OneBox Google Apps Google Suggest SEO Traffic tips Book Search API Acquisitions InOut Visualization Web Design Method for Getting Ultimate Traffic Webmasters Google Desktop How to Blogging Music Nostalgia orkut Google Chrome OS Google Contacts Google Notebook SQL programming Google Local Make Money Windows Live GDrive Google Gears April Fools Day Google Analytics Google Co-op visual basic Knowledge java programming Google Checkout Google Instant Google Bookmarks Google Phone Google Trends Web History mp3 download Easter Egg Google Profiles Blog Search Google Buzz Google Services Site Map for Ur Site game download games trick Google Pack Spam cerita hidup Picasa Product's Marketing Universal Search FeedBurner Google Groups Month in review Twitter Traffic AJAX Search Google Dictionary Google Sites Google Update Page Creator Game Google Finance Google Goggles Google Music file download Annoyances Froogle Google Base Google Latitude Google Voice Google Wave Google Health Google Scholar PlusBox SearchMash teknologi unik video download windows Facebook Traffic Social Media Marketing Yahoo Pipes Google Play Google Promos Google TV SketchUp WEB Domain WWW World Wide Service chord Improve Adsence Earning jurnalistik sistem operasi AdWords Traffic App Designing Tips and Tricks WEB Hosting linux How to Get Hosting Linux Kernel WEB Errors Writing Content award business communication ubuntu unik