# rootisnaked

Simple root privilege escalation detection using eBPF
![example](https://github.com/containerscrew/rootisnaked/raw/e437218e6dce/example.png)
```text
[2025-02-01 19:16:16] INFO uid changed or capabilities changed for process new_caps=[CAP_NET_RAW CAP_SYS_MODULE ......] pid=206493 exe_path=/usr/bin/sudo cmd_line=sudo su - user=dcr old_uid=1000 new_uid=0 old_caps=[CAP_NET_RAW CAP_SYS_MODULE .....]
```

## Rootisnaked

Rootisnaked is a small eBPF program that watches for changes to a process's credentials (specifically the UID) on a Linux system. It hooks the `commit_creds` kernel function, which runs every time a task's credentials are replaced (for example when a setuid binary such as `sudo` executes, or when a process calls `setuid(2)`). When a process's UID changes to 0 (root), the program writes an event to a ring buffer, and the user-space side reads and logs it for further analysis.

It can be used, for example, to surface possible Linux privilege escalation.

The kernel-side eBPF program is written in C and is compiled and loaded with the cilium/ebpf library (bpf2go). The user-space side is written entirely in Go.
> [!CAUTION]
> This is an introduction to eBPF. The tool almost certainly does not cover every vector for escalating privileges.

To extend it, you would probably need to detect:

- Gaining capabilities (CAP_SYS_ADMIN, ...): right now it only logs that the capability set of a process changed (old and new set), it does not flag which capabilities were gained
- Changing group IDs (gid): not implemented
- Manipulating file permissions (`chmod`, setuid bits, ...): not implemented
- The parent process ID (ppid) and the process hierarchy: not implemented
- Others
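The detection decision described above (a UID becoming 0) and the first two extensions in the list (capability gain, gid change) can be sketched on the user-space side in the project's own language, Go. The following is an added example and is not rootisnaked's code: it assumes a hypothetical `credEvent` struct in place of the real ring-buffer record and feeds it constructed sample events instead of reading from the kernel. The effective capability set is treated as a 64-bit bitmask with bit n == CAP_* number n, which is the layout of the kernel's `kernel_cap_t` since Linux 6.3; on older kernels such as Debian 12's 6.1 the set is two 32-bit words that the kprobe would have to combine before sending it up. Dropped capabilities and a UID going from 0 to a non-zero value are deliberately not reported: shedding privilege is not an escalation, and reporting it is where most of the noise comes from.

```go
package main

import (
	"fmt"
	"strings"
)

// credEvent is what user space reads from the ring buffer for one commit_creds
// call. The field set and layout are an assumption made for this example; they
// are not rootisnaked's event struct.
type credEvent struct {
	PID     uint32
	Comm    string // task name (16 bytes in the kernel's task_struct)
	OldUID  uint32
	NewUID  uint32
	OldGID  uint32
	NewGID  uint32
	OldCaps uint64 // effective capability set as a bitmask, bit n == CAP_* number n
	NewCaps uint64
}

// capNames maps a capability number to its name; the order follows
// <linux/capability.h> (CAP_CHOWN == 0 ... CAP_CHECKPOINT_RESTORE == 40).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
	"CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
	"CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
	"CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

const capSysAdmin = 21 // CAP_SYS_ADMIN

// capMask builds a bitmask from capability numbers (used to build the samples).
func capMask(caps ...uint) uint64 {
	var m uint64
	for _, c := range caps {
		m |= 1 << c
	}
	return m
}

// capsToNames decodes a bitmask into capability names; bits above the known
// range are rendered as CAP_<n> so a newer kernel does not break the decoder.
func capsToNames(mask uint64) []string {
	var out []string
	for bit := 0; bit < 64; bit++ {
		if mask&(1<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			out = append(out, capNames[bit])
		} else {
			out = append(out, fmt.Sprintf("CAP_%d", bit))
		}
	}
	return out
}

// gainedCaps returns the capabilities present in the new set but not the old.
func gainedCaps(old, new uint64) uint64 { return new &^ old }

// classify returns the escalation findings for one event, or nil when the
// credential change only drops privilege.
func classify(e credEvent) []string {
	var findings []string
	if e.OldUID != 0 && e.NewUID == 0 {
		findings = append(findings, fmt.Sprintf("uid %d -> 0 (root)", e.OldUID))
	}
	if e.OldGID != 0 && e.NewGID == 0 {
		findings = append(findings, fmt.Sprintf("gid %d -> 0 (root group)", e.OldGID))
	}
	if g := gainedCaps(e.OldCaps, e.NewCaps); g != 0 {
		msg := "gained " + strings.Join(capsToNames(g), ",")
		if g&(1<<capSysAdmin) != 0 {
			msg += " (CAP_SYS_ADMIN is effectively root)"
		}
		findings = append(findings, msg)
	}
	return findings
}

// formatEvent renders an event and its findings in the key=value style of the
// example log line near the top of this README.
func formatEvent(e credEvent, findings []string) string {
	return fmt.Sprintf("pid=%d comm=%s old_uid=%d new_uid=%d old_gid=%d new_gid=%d findings=[%s]",
		e.PID, e.Comm, e.OldUID, e.NewUID, e.OldGID, e.NewGID, strings.Join(findings, "; "))
}

// sampleEvents are constructed inputs: the `sudo su -` case from the Simulate
// section, an unprivileged user executing a binary carrying the file capability
// cap_sys_admin+ep, and a daemon dropping root, which must not alert.
func sampleEvents() []credEvent {
	userCaps := capMask()                                   // unprivileged shell: empty effective set
	rootCaps := capMask(0, 1, 2, 3, 4, 5, 6, 7, 13, 16, 21) // a subset of root's full set
	return []credEvent{
		{PID: 206493, Comm: "sudo", OldUID: 1000, NewUID: 0, OldGID: 1000, NewGID: 0, OldCaps: userCaps, NewCaps: rootCaps},
		{PID: 206501, Comm: "fcapbin", OldUID: 1000, NewUID: 1000, OldGID: 1000, NewGID: 1000, OldCaps: userCaps, NewCaps: capMask(capSysAdmin)},
		{PID: 1200, Comm: "nginx", OldUID: 0, NewUID: 33, OldGID: 0, NewGID: 33, OldCaps: rootCaps, NewCaps: userCaps},
	}
}

func main() {
	for _, e := range sampleEvents() {
		fmt.Println(formatEvent(e, classify(e)))
	}
}
```

Running it prints three lines: the `sudo` event with uid, gid and capability findings, the file-capability event with only a `CAP_SYS_ADMIN` finding, and the `nginx` event with an empty findings list. The same `new &^ old` diff is what a kprobe on `commit_creds` could compute in the kernel to avoid emitting an event at all for privilege drops.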
## Running rootisnaked

### Install system dependencies

Tested on Debian 12 with kernel 6.1.0-30-amd64.

```shell
sudo apt install -y linux-headers-$(uname -r) gcc git make clang llvm libbpf-dev libbpf-tools bpftool bpftrace
```

- Install Go from https://go.dev/doc/install (do not install Go from the APT repository on Debian, since it does not carry the latest versions)
- The ebpf-go getting-started guide is helpful: https://ebpf-go.dev/guides/getting-started/#ebpf-c-program
### Compile and run

```shell
make build-run GOARCH=amd64   # if using arm, GOARCH=arm64
```

### Using docker

```shell
docker build -t rootisnaked/rootisnaked:latest .
```

Loading eBPF programs and attaching a kprobe requires a privileged user (root, or at least CAP_BPF plus CAP_PERFMON on kernels 5.8 and later), so the container is started with `--privileged`, which grants all capabilities:

```shell
docker run -it --rm --name rootisnaked --privileged rootisnaked/rootisnaked:latest
```
## Simulate

Become root with `su`, or hand a process a capability with `capsh`; both paths go through `commit_creds`, so both should produce an event:

```shell
sudo su -
sudo capsh --caps="cap_sys_admin+eip" -- -c "/path/to/some_process"
```
## What's next?

- Implement more features
- Logging is too verbose when capabilities change; reduce it
- Send desktop notifications to the systray (notify-send)
- Implement testing
- Others
## License

rootisnaked is distributed under the terms of the AGPL-3.0 license.