Simple root privilege escalation detection using eBPF


containerscrew/rootisnaked


Example

[2025-02-01 19:16:16] INFO uid changed or capabilities changed for process new_caps=[CAP_NET_RAW CAP_SYS_MODULE ......] pid=206493 exe_path=/usr/bin/sudo cmd_line=sudo su -  user=dcr old_uid=1000 new_uid=0 old_caps=[CAP_NET_RAW CAP_SYS_MODULE .....]

Rootisnaked is a simple eBPF program designed to monitor changes in user credentials (specifically, the UID) on a Linux system. It hooks into the commit_creds kernel function, which is called when a process's credentials are updated. The program detects when a process's UID changes to 0 (root) and logs this event to a ring buffer for further analysis in user space. It can be used, for example, to detect possible Linux privilege escalation.

The eBPF program (kernel space) is written in C and compiled and loaded with the cilium/ebpf library. The user-space code is written entirely in Go.
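To make the user-space half of the design concrete, here is an added example (not rootisnaked's own code) of what the Go side does with a record once the commit_creds probe has pushed it into the ring buffer: decode the raw bytes, expand the capability bitmasks into names like those in the log line above, and decide whether the change is worth reporting. The record layout, the `sensitiveCaps` policy and the sample events are assumptions constructed for this example; the capability numbers are the standard Linux ones from include/uapi/linux/capability.h.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
)

// credEvent mirrors a fixed-layout record that a commit_creds probe could push
// into the ring buffer. This layout is an assumption made for the example; it
// is not rootisnaked's own event struct.
type credEvent struct {
	Pid     uint32
	OldUID  uint32
	NewUID  uint32
	_       uint32   // padding so the 64-bit fields stay 8-byte aligned in C
	OldCaps uint64   // effective capability bitmask before the change
	NewCaps uint64   // effective capability bitmask after the change
	Exe     [16]byte // NUL-terminated executable path, truncated by the probe
}

// capNames is indexed by Linux capability number (include/uapi/linux/capability.h).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
	"CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
	"CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
	"CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
	"CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
	"CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

// CapNames expands a capability bitmask into the names of its set bits.
func CapNames(mask uint64) []string {
	var names []string
	for i, name := range capNames {
		if mask&(uint64(1)<<uint(i)) != 0 {
			names = append(names, name)
		}
	}
	return names
}

// sensitiveCaps is the set of gains this example treats as alert-worthy
// (a constructed policy, not the project's): SYS_MODULE, SYS_PTRACE, SYS_ADMIN, BPF.
const sensitiveCaps uint64 = 1<<16 | 1<<19 | 1<<21 | 1<<39

// Classify returns whether an event should be reported and the reason.
// A UID transition to 0 is always reported; capability changes are reported
// only when a sensitive capability was newly gained, which keeps routine
// drops and unchanged masks out of the log.
func Classify(ev credEvent) (bool, string) {
	if ev.OldUID != 0 && ev.NewUID == 0 {
		return true, "uid changed to root"
	}
	gained := (ev.NewCaps &^ ev.OldCaps) & sensitiveCaps
	if gained != 0 {
		return true, "gained " + strings.Join(CapNames(gained), ",")
	}
	return false, ""
}

// DecodeEvent parses one raw record as the kernel writes it on little-endian
// targets such as x86-64 and arm64.
func DecodeEvent(raw []byte) (credEvent, error) {
	var ev credEvent
	err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, &ev)
	return ev, err
}

// ExePath returns the path field as a Go string without the NUL padding.
func (ev credEvent) ExePath() string {
	return strings.TrimRight(string(ev.Exe[:]), "\x00")
}

// encodeEvent serialises a record; it exists only to build constructed sample
// input, since this example does not attach a real probe.
func encodeEvent(ev credEvent) []byte {
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.LittleEndian, ev)
	return buf.Bytes()
}

func exeField(path string) (b [16]byte) {
	copy(b[:], path)
	return b
}

func main() {
	// Constructed sample records: a sudo to root, a capsh gaining CAP_SYS_ADMIN,
	// and a process dropping CAP_NET_RAW (which should not be reported).
	samples := []credEvent{
		{Pid: 206493, OldUID: 1000, NewUID: 0, OldCaps: 1<<13 | 1<<16, NewCaps: 1<<13 | 1<<16, Exe: exeField("/usr/bin/sudo")},
		{Pid: 4242, OldUID: 1000, NewUID: 1000, OldCaps: 1 << 13, NewCaps: 1<<13 | 1<<21, Exe: exeField("/usr/sbin/capsh")},
		{Pid: 4300, OldUID: 1000, NewUID: 1000, OldCaps: 1 << 13, NewCaps: 0, Exe: exeField("/usr/bin/ping")},
	}
	for _, s := range samples {
		ev, err := DecodeEvent(encodeEvent(s))
		if err != nil {
			fmt.Println("decode error:", err)
			continue
		}
		if alert, why := Classify(ev); alert {
			fmt.Printf("ALERT pid=%d exe=%s old_uid=%d new_uid=%d reason=%q new_caps=%v\n",
				ev.Pid, ev.ExePath(), ev.OldUID, ev.NewUID, why, CapNames(ev.NewCaps))
		}
	}
}
```

The `Classify` split is the part worth copying: reporting every capability change makes the log noisy, because the kernel commits new creds on every exec and many of those only drop bits. Reporting only a UID transition to 0, or the gain of a capability from a short allow-list, keeps the signal that matters for privilege escalation while staying quiet for the common case.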

Caution

This is an introductory eBPF project. It probably does not cover all possible attack vectors for escalating privileges.

To extend this tool, you would probably need to detect:

  • Gaining capabilities (CAP_SYS_ADMIN, ...): right now it only reports when the capabilities of a process change
  • Changing group IDs (GID): not implemented
  • Manipulating file permissions (chmod, setuid, ...): not implemented
  • Tracking the parent process ID (PPID) and the process hierarchy: not implemented
  • Others

Running rootisnaked

Install system dependencies

Tested on Debian 12 with kernel version 6.1.0-30-amd64.

  • Dependencies:
sudo apt install -y linux-headers-$(uname -r) gcc git make clang llvm libbpf-dev libbpf-tools bpftool bpftrace
  • Install Go: https://go.dev/doc/install (do not install Go from the APT repository on Debian, since it does not carry the latest versions)

This page can be helpful: https://ebpf-go.dev/guides/getting-started/#ebpf-c-program

Compile and run

make build-run GOARCH=amd64 # if using arm, GOARCH=arm64

Using docker

docker build -t rootisnaked/rootisnaked:latest .

The eBPF program must be loaded by a privileged user, so the container has to run with --privileged.

docker run -it --rm --name rootisnaked --privileged rootisnaked/rootisnaked:latest

Simulate

sudo su -
sudo capsh --caps="cap_sys_admin+eip" -- -c "/path/to/some_process"

What's next?

  • Implement more features
  • Logging is too verbose when capabilities change
  • Send desktop notifications (notify-send)
  • Implement testing
  • Others

License

rootisnaked is distributed under the terms of the AGPL-3.0 license.
