xenial (8) ninja.8.gz

Provided by: ninja_0.1.3-2_amd64

NAME

       ninja - Privilege escalation detection system for GNU/Linux

SYNOPSIS

       ninja filename

DESCRIPTION

       Ninja  is  a  privilege escalation detection and prevention system for GNU/Linux hosts. While running, it
       will monitor process activity on the local host, and keep track of all processes running as root.   If  a
       process  is spawned with UID or GID zero (root), ninja will log necessary information about this process,
       and optionally kill the process if it was spawned by an unauthorized user.

       A "magic" group can be  specified,  allowing  members  of  this  group  to  run  any  setuid/setgid  root
       executable.

       Individual  executables  can be whitelisted.  Ninja uses a fine grained whitelist that lets you whitelist
       executables on a group and/or user basis. This can be used to allow specific groups or  individual  users
       access to setuid/setgid root programs, such as su(1) and passwd(1).

CONFIGURATION

       Ninja requires a configuration file to run. For more information about the configuration, please refer to
       the "default.conf" file, located at "/usr/share/doc/ninja/examples/" in the source tree.  There, all  the
       available options are explained in detail.

WHITELIST

       The whitelist is a plain text file containing newline-separated entries.  Entries consist of three
       fields, separated by colons.  The first field is the full path to the executable you wish to whitelist.
       The second field is a comma-separated list of groups that should be granted access to the executable.
       The third field is a comma-separated list of users.

       <executable>:<groups>:<users>

       The second or third field can be left empty.  Please refer to the example whitelist located in
       "/usr/share/doc/ninja/examples/".

       Remember  that  it  is  a  good  idea  to  whitelist  programs such as passwd(1) and other regular setuid
       applications that users require access to.
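       The following parser and lookup, added here as an illustration and not part of ninja's own
       source, implement the whitelist format described above together with the "magic" group rule
       from DESCRIPTION.  Comment lines starting with "#", the requirement that the path be
       absolute, and the sample entries are assumptions of this example, not taken from the package.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    groups: frozenset  # groups granted access (second field)
    users: frozenset   # users granted access (third field)


def _split_list(field: str) -> frozenset:
    """Split a comma-separated field; an empty field yields an empty set."""
    return frozenset(item.strip() for item in field.split(",") if item.strip())


def parse_whitelist(text: str) -> dict:
    """Parse <executable>:<groups>:<users> lines into a dict keyed by path.
    Blank lines and '#' comments are skipped (comment syntax is assumed).
    Entries must have exactly three fields and an absolute path, so a
    malformed or relative entry cannot silently widen what is allowed."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[0].startswith("/"):
            raise ValueError(f"whitelist line {lineno}: malformed entry {raw!r}")
        path, groups, users = parts
        entries[path] = Entry(path, _split_list(groups), _split_list(users))
    return entries


def is_whitelisted(entries: dict, executable: str, user: str,
                   user_groups: set, magic_group: str = None) -> bool:
    """A root-spawned process is authorized if the spawning user is in the
    magic group, is named for that executable, or belongs to a listed group."""
    if magic_group is not None and magic_group in user_groups:
        return True
    entry = entries.get(executable)
    if entry is None:
        return False
    return user in entry.users or not entry.groups.isdisjoint(user_groups)


# Constructed sample whitelist (not the file shipped in /usr/share/doc/ninja/examples/).
SAMPLE_WHITELIST = """\
# su for the wheel group and for alice; passwd for two groups; sudo for bob only
/bin/su:wheel:alice
/usr/bin/passwd:users,staff:
/usr/bin/sudo::bob
"""
```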

SECURITY

       The goal of this application is to be able to detect and stop local, and possibly also remote, exploits.
       It is important to note that ninja cannot prevent attackers from running exploits, as a successful
       exploitation will only be detected AFTER the attacker has gained root.  However, when ninja is running
       with a short scanning cycle, this detection happens nearly immediately.  The security lies in the fact
       that we stop the attacker before he/she has time to do anything nasty to the system, and it gives us the
       opportunity to disable the attacker's shell access and lock him/her out of the system.

       In an ideal environment, ninja should be run together with kernel hardening systems such as grsecurity
       (www.grsecurity.net), as this will allow for some protection of the ninja process.

       This is not a complete security system. Do not rely on it to keep your system safe.

BUGS

       Please let me know if you should stumble across any bugs or other weirdness.  I  greatly  appreciate  all
       bug reports, patches, ideas, suggestions and comments.

LICENSE

       Ninja is released under the General Public License (GPL) version 2 or higher.

AUTHOR

       Tom Rune Flo <tom@x86.no>

                                                   August 2005                                          NINJA(8)