Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/willfindlay/suidsnoop

suidsnoop is a tool based on eBPF LSM programs that logs whenever a suid binary is executed and implements custom allow/deny lists.
aya ebpf linux linux-kernel lsm rust security suid-binaries

# suidsnoop

> Log suid binaries and enforce per-uid suid policy.

`suidsnoop` is a tool for logging whenever a suid binary is executed on your system and
optionally enforcing a per-uid policy for suid binaries. `suidsnoop` is built using eBPF
LSM programs and is written in pure Rust using the [Aya][aya] library.

[aya]: https://github.com/aya-rs/aya

## Prerequisites

1. Install a Rust stable toolchain: `rustup install stable`
1. Install a Rust nightly toolchain: `rustup install nightly`
1. Install bpf-linker: `cargo install bpf-linker`
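
eBPF LSM programs only attach on a kernel built with `CONFIG_BPF_LSM=y` that also has `bpf` in its active LSM list. The pre-flight check below is an added example, not part of the suidsnoop project; the function names are hypothetical and the default paths are the usual securityfs and kernel config locations.

```bash
#!/bin/sh
# Added example: pre-flight check for tools built on eBPF LSM programs.
# Function names are hypothetical and not part of suidsnoop.

# lsm_list_has_bpf LIST
# LIST is the comma-separated content of /sys/kernel/security/lsm.
# Succeeds only when "bpf" is an exact entry, not a substring of another name.
lsm_list_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# kconfig_has_bpf_lsm FILE
# FILE is a kernel config, plain text or gzip-compressed (/proc/config.gz).
kconfig_has_bpf_lsm() {
    case "$1" in
        *.gz) gzip -dc "$1" 2>/dev/null | grep -qx 'CONFIG_BPF_LSM=y' ;;
        *)    grep -qx 'CONFIG_BPF_LSM=y' "$1" 2>/dev/null ;;
    esac
}

# check_bpf_lsm [LSM_FILE] [KCONFIG_FILE]
# Returns 0: bpf LSM active; 1: built in but not enabled at boot;
#         2: LSM list unreadable; 3: not built in, or config unreadable.
check_bpf_lsm() {
    lsm_file=${1:-/sys/kernel/security/lsm}
    kconfig=${2:-/boot/config-$(uname -r)}
    [ -r "$kconfig" ] || kconfig=/proc/config.gz

    if [ ! -r "$lsm_file" ]; then
        echo "cannot read $lsm_file (is securityfs mounted?)" >&2
        return 2
    fi
    if lsm_list_has_bpf "$(cat "$lsm_file")"; then
        echo "ok: bpf is in the active LSM list"
        return 0
    fi
    if [ -r "$kconfig" ] && kconfig_has_bpf_lsm "$kconfig"; then
        echo "CONFIG_BPF_LSM=y is set but bpf is not an active LSM;" >&2
        echo "append bpf to the list in the lsm= boot parameter and reboot" >&2
        return 1
    fi
    echo "kernel lacks CONFIG_BPF_LSM=y (or its config is unreadable)" >&2
    return 3
}
```

Source the file and call `check_bpf_lsm` with no arguments before starting `suidsnoop`; a non-zero return means the LSM hooks will not attach on this kernel as booted.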

## Build and Install

```bash
git clone https://github.com/willfindlay/suidsnoop && cd suidsnoop
make install
```

Make sure `$HOME/.cargo/bin` is in your `$PATH`!

## Examples

Log all attempts to run suid binaries:
```bash
sudo suidsnoop
```

Allow uid 1000 and deny all others:
```bash
sudo suidsnoop -u 1000
```

Deny uid 1001 and allow all others:
```bash
sudo suidsnoop -U 1001
```

Do a dry run of a policy:
```bash
sudo suidsnoop -U 1001 -d
```