Repository: https://github.com/containerscrew/rootisnaked (GitHub, owner `containerscrew`)
Description: Simple root privilege escalation detection using eBPF 🐝
Language: Go · License field: gpl-3.0 · Topics: cilium-ebpf, ebpf, ebpf-go, go, golang, linux-kernel, privilege-escalation, security
Created: 2025-01-30 · Last push: 2025-02-02 · Default branch: main · Stars: 12 · Forks: 1
Source record: https://awesome.ecosyste.ms/projects/github.com%2Fcontainerscrew%2Frootisnaked (synced 2025-04-12)

<p align="center" >
    <img src="logo.png" alt="logo" width="250"/>
<h3 align="center">rootisnaked</h3>
<p align="center">Simple root privilege escalation detection using eBPF</p>
</p>

<p align="center" >
    <img alt="Go report card" src="https://goreportcard.com/badge/github.com/containerscrew/rootisnaked">
    <img alt="GitHub code size in bytes" src="https://img.shields.io/github/languages/code-size/containerscrew/rootisnaked">
    <img alt="GitHub go.mod Go version" src="https://img.shields.io/github/go-mod/go-version/containerscrew/rootisnaked">
</p>

# rootisnaked

<!-- START OF TOC !DO NOT EDIT THIS CONTENT MANUALLY-->
**Table of Contents**  *generated with [mtoc](https://github.com/containerscrew/mtoc)*
- [rootisnaked](#rootisnaked)
- [Running `rootisnaked`](#running-rootisnaked)
  - [Install system dependencies](#install-system-dependencies)
  - [Compile and run](#compile-and-run)
  - [Using docker](#using-docker)
- [Simulate](#simulate)
- [What's next?](#whats-next)
- [License](#license)
<!-- END OF TOC -->

![example](example.png)

```text
[2025-02-01 19:16:16] INFO uid changed or capabilities changed for process new_caps=[CAP_NET_RAW CAP_SYS_MODULE ......] pid=206493 exe_path=/usr/bin/sudo cmd_line=sudo su -  user=dcr old_uid=1000 new_uid=0 old_caps=[CAP_NET_RAW CAP_SYS_MODULE .....]
```

`Rootisnaked` is a simple [eBPF](https://ebpf.io/) program that monitors changes in user credentials (specifically, the UID) on a Linux system. It hooks the `commit_creds` kernel function, which is called whenever a process's credentials are updated. The program detects when a process's UID changes to 0 (root) and writes the event to a ring buffer for further analysis in user space. It can be used, for example, to detect possible Linux privilege escalation.

Note that `commit_creds` is also on the path of every legitimate `sudo`, `su` and other setuid helper: the sample line above is a benign `sudo su -`. The detection value comes from baselining which executables are expected to reach UID 0 on a given host and treating every other transition as suspicious.

> The eBPF program (kernel space) is written in C and compiled using the [cilium-ebpf library](https://github.com/cilium/ebpf). The user-space code is written entirely in Go.

> [!CAUTION]
> This is an introduction to eBPF. This tool probably does not cover all possible attack vectors for escalating privileges.

To extend this tool, you would probably need to detect:

- Gaining capabilities (`CAP_SYS_ADMIN`...): right now it logs the old and new capability sets whenever they change, without flagging which capabilities were gained
- Changing group IDs (GID): not implemented
- Manipulating file permissions (`chmod`, setting the setuid bit...): not implemented
- Tracking the parent process ID (PPID) and process hierarchy: not implemented
- Others

# Running `rootisnaked`

## Install system dependencies

> Tested on `debian12` with kernel version `6.1.0-30-amd64`

* Dependencies:

```bash
sudo apt install -y linux-headers-$(uname -r) gcc git make clang llvm libbpf-dev libbpf-tools bpftool bpftrace
```

* Install Go: https://go.dev/doc/install (on Debian, do not install Go from the APT repository, since the packaged version is too old)

*This page can be helpful: https://ebpf-go.dev/guides/getting-started/#ebpf-c-program*

## Compile and run

```bash
make build-run GOARCH=amd64 # if using arm, GOARCH=arm64
```

## Using docker

```bash
docker build -t rootisnaked/rootisnaked:latest .
```

**eBPF code needs to be run under a privileged user.**

```bash
docker run -it --rm --name rootisnaked --privileged rootisnaked/rootisnaked:latest
```

`--privileged` grants the container every capability and disables the default seccomp and AppArmor confinement. Loading and attaching a kprobe-based eBPF program needs at least `CAP_BPF` and `CAP_PERFMON` on kernels 5.8 and later (`CAP_SYS_ADMIN` on older kernels), so a narrower `--cap-add` set is possible, but `--privileged` is the form the project documents. Because the kprobe is attached to the host kernel, the container observes credential changes for every process on the host, not only those inside the container.

# Simulate

```bash
# 1) UID transition 1000 -> 0 through a setuid helper: should produce a "uid changed" event
sudo su -
# 2) Capability change: run a process with CAP_SYS_ADMIN in its effective, inheritable
#    and permitted sets (the leading sudo is redundant once step 1 has made you root)
sudo capsh --caps="cap_sys_admin+eip" -- -c "/path/to/some_process"
```

# What's next?

- Implement more features
- Logging is too verbose when capabilities change
- Send desktop notifications (notify-send)
- Implement testing
- Others

# License

**`rootisnaked`** is distributed under the terms of the [AGPL3](./LICENSE) license.