Skip to content

suidsnoop is a tool based on eBPF LSM programs that logs whenever a suid binary is executed and implements custom allow/deny lists.

Notifications You must be signed in to change notification settings

willfindlay/suidsnoop

Repository files navigation

suidsnoop

Log suid binaries and enforce per-uid suid policy.

suidsnoop is a tool for logging whenever a suid binary is executed on your system and optionally enforcing a per-uid policy for suid binaries. suidnsoop is built using eBPF LSM programs and is written in pure Rust using the Aya library.

Prerequisites

  1. Install a rust stable toolchain: rustup install stable
  2. Install a rust nightly toolchain: rustup install nightly
  3. Install bpf-linker: cargo install bpf-linker

Build and Install

git clone https://github.com/willfindlay/suidsnoop && cd suidsnoop
make install

Make sure $HOME/.cargo/bin is in your $PATH!

Examples

Log all attempts to run suid binaries:

sudo suidsnoop

Allow uid 1000 and deny all others:

sudo suidsnoop -u 1000

Deny uid 1001 and allow all others:

sudo suidsnoop -U 1001

Do a dry run of a policy:

sudo suidsnoop -U 1001 -d

About

suidsnoop is a tool based on eBPF LSM programs that logs whenever a suid binary is executed and implements custom allow/deny lists.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published