ninja(8) [debian man page]
NINJA(8) NINJA(8) NAME
ninja - Privilege escalation detection system for GNU/Linux SYNOPSIS
ninja filename DESCRIPTION
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user. A "magic" group can be specified, allowing members of this group to run any setuid/setgid root executable. Individual executables can be whitelisted. Ninja uses a fine grained whitelist that lets you whitelist executables on a group and/or user basis. This can be used to allow specific groups or individual users access to setuid/setgid root programs, such as su(1) and passwd(1). CONFIGURATION
Ninja requires a configuration file to run. For more information about the configuration, please refer to the "default.conf" file, located at "/usr/share/doc/ninja/examples/" in the source tree. There, all the available options are explained in detail. WHITELIST
The whitelist is a plain text file, containing new-line separated entries. Entries consists of three fields, separated by colons. The first field is the full path to the executable you wish to whitelist. The second field is a comma separated list of groups that should be granted access to the executable. The third field is a comma separated list of users. <executable>:<groups>:<users> The second or third field can be left empty. Please refer to the example whitlist located in "/usr/share/doc/ninja/examples/". Remember that it is a good idea to whitelist programs such as passwd(1) and other regular setuid applications that users require access to. SECURITY
The goal of this application is to be able to detect and stop local, and possibly also remote exploits. It is important to note that ninja cannot prevent attackers from running exploits, as a successful exploitation only will be detected AFTER the attacker has gained root. How- ever, when ninja is running with a short scanning cycle, this detection happens nearly immediately. The security lies in the fact that we stop the attacker before he/she has time to do anything nasty to the system, and it gives us the opportunity to disable the attacker's shell access, and lock him/her out of the system. In an ideal environment, ninja should be run together with kernel hardening systems such as grsecurity (www.grsecurity.net) as this will allow for some protection of the ninja process. This is not a complete security system. Do not rely on it to keep your system safe. BUGS
Please let me know if you should stumble across any bugs or other weirdness. I greatly appreciate all bug reports, patches, ideas, sugges- tions and comments. LICENSE
Ninja is released under the General Public License (GPL) version 2 or higher. AUTHOR
Tom Rune Flo <tom@x86.no> August 2005 NINJA(8)
Check Out this Related Man Page
SYSUSERS.D(5) sysusers.d SYSUSERS.D(5) NAME
sysusers.d - Declarative allocation of system users and groups SYNOPSIS
/etc/sysusers.d/*.conf /run/sysusers.d/*.conf /usr/lib/sysusers.d/*.conf DESCRIPTION
systemd-sysusers uses the files from sysusers.d directory to create system users and groups at package installation or boot time. This tool may be used to allocate system users and groups only, it is not useful for creating non-system (i.e. regular, "human") users and groups, as it accesses /etc/passwd and /etc/group directly, bypassing any more complex user databases, for example any database involving NIS or LDAP. CONFIGURATION DIRECTORIES AND PRECEDENCE
Each configuration file shall be named in the style of package.conf or package-part.conf. The second variant should be used when it is desirable to make it easy to override just this part of configuration. Files in /etc/sysusers.d override files with the same name in /usr/lib/sysusers.d and /run/sysusers.d. Files in /run/sysusers.d override files with the same name in /usr/lib/sysusers.d. Packages should install their configuration files in /usr/lib/sysusers.d. Files in /etc/sysusers.d are reserved for the local administrator, who may use this logic to override the configuration files installed by vendor packages. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same path, the entry in the file with the lexicographically earliest name will be applied. All later entries for the same user and group names will be logged as warnings. If the administrator wants to disable a configuration file supplied by the vendor, the recommended way is to place a symlink to /dev/null in /etc/sysusers.d/ bearing the same filename. CONFIGURATION FILE FORMAT
The file format is one line per user or group containing name, ID, GECOS field description and home directory: #Type Name ID GECOS Home directory u httpd 440 "HTTP User" u authd /usr/bin/authd "Authorization user" g input - - m authd input u root 0 "Superuser" /root Empty lines and lines beginning with the "#" character are ignored, and may be used for commenting. Type The type consists of a single letter. The following line types are understood: u Create a system user and group of the specified name should they not exist yet. The user's primary group will be set to the group bearing the same name. The user's shell will be set to /sbin/nologin, the home directory to the specified home directory, or / if none is given. The account will be created disabled, so that logins are not allowed. g Create a system group of the specified name should it not exist yet. Note that u implicitly create a matching group. The group will be created with no password set. m Add a user to a group. If the user or group do not exist yet, they will be implicitly created. r Add a range of numeric UIDs/GIDs to the pool to allocate new UIDs and GIDs from. If no line of this type is specified, the range of UIDs/GIDs is set to some compiled-in default. Note that both UIDs and GIDs are allocated from the same pool, in order to ensure that users and groups of the same name are likely to carry the same numeric UID and GID. Name The name field specifies the user or group name. The specified name must consist only of the characters a-z, A-Z, 0-9, "_" and "-", except for the first character which must be one of a-z, A-Z or "_" (i.e. numbers and "-" are not permitted as first character). The user/group name must have at least one character, and at most 31. It is strongly recommended to pick user and group names that are unlikely to clash with normal users created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the underscore, and avoiding too generic names. For m lines, this field should contain the user name to add to a group. For lines of type r, this field should be set to "-". ID For u and g, the numeric 32-bit UID or GID of the user/group. Do not use IDs 65535 or 4294967295, as they have special placeholder meanings. Specify "-" for automatic UID/GID allocation for the user or group. Alternatively, specify an absolute path in the file system. In this case, the UID/GID is read from the path's owner/group. This is useful to create users whose UID/GID match the owners of pre-existing files (such as SUID or SGID binaries). The syntax "uid:gid" is also supported to allow creating user and group pairs with different numeric UID and GID values. The group with the indicated GID must get created explicitly before or it must already exist. For m lines, this field should contain the group name to add to a user to. For lines of type r, this field should be set to a UID/GID range in the format "FROM-TO", where both values are formatted as decimal ASCII numbers. Alternatively, a single UID/GID may be specified formatted as decimal ASCII numbers. GECOS A short, descriptive string for users to be created, enclosed in quotation marks. Note that this field may not contain colons. Only applies to lines of type u and should otherwise be left unset, or be set to "-". Home Directory The home directory for a new system user. If omitted, defaults to the root directory. It is recommended to not unnecessarily specify home directories for system users, unless software strictly requires one to be set. Only applies to lines of type u and should otherwise be left unset, or be set to "-". IDEMPOTENCE
Note that systemd-sysusers will do nothing if the specified users or groups already exist, so normally, there is no reason to override sysusers.d vendor configuration, except to block certain users or groups from being created. SEE ALSO
systemd(1), systemd-sysusers(8) systemd 237 SYSUSERS.D(5)