https://github.com/willfindlay/suidsnoop

suidsnoop is a tool based on eBPF LSM programs that logs whenever a suid binary is executed and implements custom allow/deny lists.
https://github.com/willfindlay/suidsnoop

aya ebpf linux linux-kernel lsm rust security suid-binaries

Last synced: 3 months ago
JSON representation

suidsnoop is a tool based on eBPF LSM programs that logs whenever a suid binary is executed and implements custom allow/deny lists.

• Host: GitHub
• URL: https://github.com/willfindlay/suidsnoop
• Owner: willfindlay
• Created: 2021-10-31T14:14:28.000Z (about 3 years ago)
• Default Branch: main
• Last Pushed: 2021-10-31T23:15:09.000Z (about 3 years ago)
• Last Synced: 2024-04-23T19:21:52.474Z (7 months ago)
• Topics: aya, ebpf, linux, linux-kernel, lsm, rust, security, suid-binaries
• Language: Rust
• Homepage:
• Size: 175 KB
• Stars: 13
• Watchers: 3
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# suidsnoop

> Log suid binaries and enforce per-uid suid policy.

`suidsnoop` is a tool for logging whenever a suid binary is executed on your system and

optionally enforcing a per-uid policy for suid binaries. `suidnsoop` is built using eBPF

LSM programs and is written in pure Rust using the [Aya][aya] library.

[aya]: https://github.com/aya-rs/aya

## Prerequisites

1. Install a rust stable toolchain: `rustup install stable`

1. Install a rust nightly toolchain: `rustup install nightly`

1. Install bpf-linker: `cargo install bpf-linker`

## Build and Install

```bash

git clone https://github.com/willfindlay/suidsnoop && cd suidsnoop

make install

```

Make sure `$HOME/.cargo/bin` is in your `$PATH`!

## Examples

Log all attempts to run suid binaries:

```bash

sudo suidsnoop

```

Allow uid 1000 and deny all others:

```bash

sudo suidsnoop -u 1000

```

Deny uid 1001 and allow all others:

```bash

sudo suidsnoop -U 1001

```

Do a dry run of a policy:

```bash

sudo suidsnoop -U 1001 -d

```