Provided by: ninja_0.1.3-2_amd64 bug


       ninja - Privilege escalation detection system for GNU/Linux


       ninja filename


       Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While
       running, it will monitor process activity on  the  local  host,  and  keep  track  of  all
       processes  running  as  root.   If a process is spawned with UID or GID zero (root), ninja
       will log necessary information about this process, and optionally kill the process  if  it
       was spawned by an unauthorized user.

       A  "magic" group can be specified, allowing members of this group to run any setuid/setgid
       root executable.

       Individual executables can be whitelisted.  Ninja uses a fine grained whitelist that  lets
       you whitelist executables on a group and/or user basis. This can be used to allow specific
       groups or individual users access to  setuid/setgid  root  programs,  such  as  su(1)  and


       Ninja  requires a configuration file to run. For more information about the configuration,
       please refer to the "default.conf" file, located  at  "/usr/share/doc/ninja/examples/"  in
       the source tree.  There, all the available options are explained in detail.


       The  whitelist  is  a  plain  text  file,  containing new-line separated entries.  Entries
       consists of three fields, separated by colons.  The first field is the full  path  to  the
       executable  you  wish  to whitelist.  The second field is a comma separated list of groups
       that should be granted access to the executable.  The third field  is  a  comma  separated
       list of users.


       The second or third field can be left empty.  Please refer to the example whitlist located
       in "/usr/share/doc/ninja/examples/".

       Remember that it is a good idea to whitelist programs such as passwd(1) and other  regular
       setuid applications that users require access to.


       The  goal  of  this  application is to be able to detect and stop local, and possibly also
       remote exploits. It is important to note that ninja cannot prevent attackers from  running
       exploits, as a successful exploitation only will be detected AFTER the attacker has gained
       root. However, when ninja is running with a short scanning cycle, this  detection  happens
       nearly  immediately. The security lies in the fact that we stop the attacker before he/she
       has time to do anything nasty to the system, and it gives us the  opportunity  to  disable
       the attacker's shell access, and lock him/her out of the system.

       In  an  ideal environment, ninja should be run together with kernel hardening systems such
       as grsecurity ( as this will allow for some  protection  of  the  ninja

       This is not a complete security system. Do not rely on it to keep your system safe.


       Please  let  me  know if you should stumble across any bugs or other weirdness.  I greatly
       appreciate all bug reports, patches, ideas, suggestions and comments.


       Ninja is released under the General Public License (GPL) version 2 or higher.


       Tom Rune Flo <>

                                           August 2005                                   NINJA(8)