kunoichi 0.0.1

data/bin/kunoichi

@@ -0,0 +1,85 @@
+#!/usr/bin/env ruby
+
+require 'kunoichi'
+
+# Hash for commandline flags that override configuration
+@override_config = Hash.new
+
+# Default configuration placement
+@conf_files = [ 'config.yml', '/etc/kunoichi/config.yml' ]
+
+begin
+  opts = GetoptLong.new(
+    [ '--config-file', '-c', GetoptLong::REQUIRED_ARGUMENT ],
+    [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+    [ '--dry_run', '-n', GetoptLong::NO_ARGUMENT ],
+    [ '--import', '-i', GetoptLong::REQUIRED_ARGUMENT ],
+    [ '--generate-config', '-g', GetoptLong::OPTIONAL_ARGUMENT ],
+    [ '--debug', '-d', GetoptLong::NO_ARGUMENT ],
+    [ '--pid-file', '-p', GetoptLong::REQUIRED_ARGUMENT ]
+  )
+rescue => e
+  puts e.message
+  exit
+end
+
+begin
+  opts.each do |opt, arg|
+    case opt
+      when '--help'
+        help
+      when '--config-file'
+        @conf_files = [ arg ]
+      when '--dry-run'
+        @override_config['no_kill'] = true
+        @override_config['no_kill_ppid'] = true
+      when '--debug'
+        @override_config['daemon'] = false
+        @override_config['syslog'] = false
+        @override_config['logfile'] = false
+        @override_config['debug'] = true
+      when '--pid-file'
+        @override_config['pidfile'] = arg
+      when '--import'
+        puts import_conf arg
+        exit
+      when '--generate-config'
+        if arg.empty?
+          generate_conf 'config.yml'
+        else
+          generate_conf arg
+        end
+        exit
+    end
+  end
+rescue
+  exit
+end
+
+# Attempt to include each configuration file 
+@conf_files.each do |file|
+  next unless File.readable? file
+  include_conf file
+  break
+end
+
+# If we're done attempting ad have no @config it means none could be loaded
+unless @config.is_a? Hash
+  puts 'Could not find any configuration files. Tried to load: ' + @conf_files.to_s
+  exit
+end
+
+# Handle commandline overrides in configuration
+[ 'debug', 'no_kill', 'no_kill_ppid', 'daemon', 'syslog', 'logfile', 'pidfile' ].each do |flag|
+  unless @override_config[flag].nil?
+    @config[flag] = @override_config[flag]
+  end
+end
+
+# Start kunoichi
+begin
+  Kunoichi::Daemon.new @config
+rescue => e
+  puts 'Cannot start kunoichi: ' + e.message
+  puts e.backtrace if @config['debug']
+end

data/lib/extensions/object.rb

@@ -0,0 +1,9 @@
+
+# Syntax sugar
+
+class Object
+  # Provide is_bool? to all objects
+  def is_bool?
+    [ true, false ].include? self
+  end
+end

data/lib/kunoichi.rb

@@ -0,0 +1,38 @@
+require 'set'
+require 'etc'
+require 'yaml'
+require 'logger'
+require 'syslog-logger'
+require 'getoptlong'
+
+module Kunoichi
+  DEFAULTS = {
+    'group'              => 0,
+    'daemon'             => true,
+    'syslog'             => true,
+    'interval'           => 1,
+    'logfile'            => '/var/log/kunoichi.log',
+    'pidfile'            => '/var/run/kunoichi.pid',
+    'whitelist'          => '/etc/kunoichi/whitelist.txt',
+    'external_command'   => '/bin/true',
+    'no_kill'            => true,
+    'no_kill_ppid'       => true,
+    'ignore_root_procs'  => true,
+    'log_whitelist'      => true,
+    'require_init_wlist' => false,
+    'proc_scan_offset'   => 0,
+  }
+
+  CONFIGURATION_HEADER = '## Kunoichi configuration file.
+# Same options as ninja.
+# Check the documentation to know what each option means.
+# Documentation can be found on the project home page on github, 
+#  or in README.md bundled with Kunoichi.
+'
+
+end
+
+require 'extensions/object'
+require 'kunoichi/proctable'
+require 'kunoichi/kunoichi'
+require 'kunoichi/cli'

data/lib/kunoichi/cli.rb

@@ -0,0 +1,99 @@
+# Show help
+def help
+  puts "Usage: #{$0} [options]"
+  puts "Options:"
+  puts "\t-h|--help\t\tThis help"
+  puts "\t-d|--debug\t\tDon't run in daemon mode"
+  puts "\t-n|--dry-run\t\tPerform no actions"
+  puts "\t-c|--config-file\tConfiguration file path.\n\t\t\t\t(defaults: config.rb, /etc/kunoichi/config.rb)"
+  puts "\t-i|--import\t\tImport configuration from ninja and writes to stdout."
+  puts "\t-g|--generate-config\tGenerate sample configuration file"
+  puts "\t-p|--pid-file\t\tPid file path"
+  exit
+end
+
+# Try to include yaml configuration
+def include_conf(file)
+  begin
+    raise 'empty file' unless @config = YAML.load_file(file)
+  rescue => e
+    puts "Cannot load configuration: #{e.message}"
+    exit
+  end
+end
+
+# Parse a ninja configuration file and return kunoichi yaml configuration
+def import_conf(file)
+
+  # Try to open the file
+  begin
+    ninja = File.read(file)
+  rescue => e
+    puts 'Cannot open ninja configuration file: ' + e.message
+    exit
+  end
+
+  # Initialize parsed old configuration and new configuration hashes
+  oldconf = {}
+  newconf = {}
+
+  # Transform ninja configuration, comments excluded, in a ruby hash
+  ninja.lines.grep(/^[^#\n].* = /).each do |x|
+    key=x.split('=')[0].strip!
+    value=x.split('=')[1].strip!
+    oldconf[key] = value
+  end
+
+  # For each of the values that kunoichi understands
+  Kunoichi::DEFAULTS.keys.each do |x|
+    # If it was not declared, return the default value
+    if oldconf[x].nil? then
+      newconf[x] = Kunoichi::DEFAULTS[x]
+    else
+      # If there was the setting, turn yes/no/(null) into booleans
+      case oldconf[x]
+        when 'yes'
+          newconf[x] = true
+        when 'no', '(null)'
+          newconf[x] = false
+        else
+          # Since all values are strings, turn to integer those that require it
+          if [ 'group', 'interval', 'proc_scan_offset' ].include? x
+            newconf[x] = oldconf[x].to_i
+          else
+            # Save the old value
+            newconf[x] = oldconf[x]
+          end
+      end
+    end
+  end
+
+  # Return the newly filled hash in yaml format, preceded by some useful comments.
+  return Kunoichi::CONFIGURATION_HEADER + newconf.to_yaml
+end
+  
+# Generate a configuration file, starting from defaults
+def generate_conf(file)
+  # Take care not to overwrite the configuration by mistake
+  if File.exist? file
+    puts "File #{file} already existing."
+    return
+  end
+  begin
+    conf = File.open(file,'w+')
+  rescue => e
+    puts "Error creating file: #{e.message}"
+    return
+  end
+  begin
+    # Write some useful comments, and the defaults dump in yaml
+    conf.write Kunoichi::CONFIGURATION_HEADER +
+               Kunoichi::DEFAULTS.to_yaml
+  rescue => e
+    puts "Error writing to file: #{e.message}"
+    return
+  end
+  puts "Sample configuration written to #{file}."
+  conf.close
+  exit
+end

data/lib/kunoichi/kunoichi.rb

@@ -0,0 +1,300 @@
+module Kunoichi
+  # The main class, where all the dirty work happens
+  class Daemon
+
+    # Basic validator for configuration
+    def validate_conf(config)
+
+      # Base check, might be redundant
+      raise 'invalid configuration passed: not an hash' unless config.is_a? Hash
+      
+      # Check for group validity
+      raise 'invalid group: not a number' unless config['group'].is_a? Fixnum
+      # Make sure the group exists on /etc/group
+      begin
+        Etc::getgrgid config['group']
+      rescue => e
+        raise "invalid group: #{e.message}"
+      end
+
+      # Check for daemon validity
+      raise 'invalid daemon setting: please set to true or false' unless config['daemon'].is_bool?
+      
+      # Check interval
+      raise 'invalid interval: please set to a number' unless config['interval'].is_a? Fixnum or config['interval'].is_a? Float
+      # Useful warning in case no interval was declared
+      puts 'WARNING: an interval of 0 can severely impact your machine performance. Use with caution.' if config['interval'] == 0
+
+      # Check syslog
+      raise 'invalid value for syslog: please set to true or false' unless config['syslog'].is_bool?
+
+      # Check logfile
+      raise 'set either syslog or logfile if daemon mode is enabled' unless config['syslog'] or config['logfile'].is_a? String or !config['daemon']
+      raise 'invalid logfile setting: not writable' unless !config['logfile'] or File.writable? config['logfile'] or File.writable? File.dirname(config['logfile'])
+      
+      # Check whitelist
+      raise 'invalid whitelist: set to a file path, or false to disable' unless config['whitelist'] == false or config['whitelist'].is_a? String
+      raise "invalid whitelist: cannot open #{config['whitelist']}" unless config['whitelist'] == false or File.readable?(config['whitelist']) 
+
+      # Check external_command
+      raise 'invalid external_command: set to a file path, or false to disable' unless config['external_command'].is_a? String or config['external_command'] == false
+      raise 'invalid external_command: not executable' unless !config['external_command'] or File.executable?(config['external_command'].split[0])
+
+      # Check no_kill
+      raise 'invalid no_kill: set to true or false' unless config['no_kill'].is_bool?
+
+      # Check no_kill_ppid
+      raise 'invalid no_kill_ppid: set to true or false' unless config['no_kill_ppid'].is_bool?
+
+      # Check ignore_root_procs
+      raise 'invalid ignore_root_procs: set to true or false' unless config['ignore_root_procs'].is_bool?
+
+      # Check log_whitelist
+      raise 'invalid log_whitelist: set to true or false' unless config['log_whitelist'].is_bool?
+
+      # Check require_init_wlist
+      raise 'invalid require_init_wlist: set to true or false' unless config['require_init_wlist'].is_bool?
+
+      # Check proc_scan_offset
+      raise 'invalid proc_scan_offset: set to a number' unless config['proc_scan_offset'].is_a? Fixnum
+      raise "invalid proc_scan_offset: set lower than #{@max_pids}" unless config['proc_scan_offset'] < @max_pids
+
+      # Check pidfile
+      raise 'invalid pidfile setting: set to a string' unless config['pidfile'].is_a? String
+      raise 'invalid pidfile setting: empty' if config['pidfile'].empty?
+      raise 'invalid pidfile setting: not writable' unless File.writable? config['pidfile'] or File.writable? File.dirname(config['pidfile'])
+
+      # Return the configuration if no errors encountered
+      config
+    end
+
+    # Exit cleanly by logging our departure and deleting the pid file if we received a signal
+    def clean_exit(sig)
+      @log.info "Got SIG#{sig}, exiting."
+      File.unlink(@config['pidfile']) if @config['daemon'] and @config['pidfile']
+      exit
+    end
+
+    # Fetch the current running processes and put them into a ruby set
+    # TODO: make this multi platform
+    def get_process_list
+      # Initialize the set
+      entries = Set.new
+      # Look up all pids
+      Dir.glob('/proc/[0-9]*') { |x|
+        # Turn pids to numbers
+        pid = File.basename(x).to_i
+        # Formal check for unexpected files on /proc starting with a digit
+        next unless pid.to_s =~ /^[0-9]+$/
+        # Skip processes above the configured offset
+        if pid > @config['proc_scan_offset']
+          entries.add pid
+        end
+      }
+
+      return entries
+    end
+
+    # Load the whitelist
+    def load_whitelist(file)
+      # Open the file and read all words from lines that don't start with a #
+      begin
+        @whitelist = File.read(file).lines.grep(/^[^#]/).join.split
+      rescue => e
+        puts "Cannot load whitelist: #{e.message}"
+        exit
+      end
+      # Warn the user of the whitelist was loaded but found empty
+      if @whitelist.empty? 
+        puts 'WARNING: Empty whitelist loaded.'
+      end
+    end
+
+    # Run the external command
+    def run_command(process,parent)
+
+      # Log our action
+      @log.info "Running external command: #{@config['external_command']}."
+
+      # Prepare the environment with some useful informations
+      ENV['EVIL_PID'] = process.pid.to_s
+      ENV['EVIL_CMD'] = process.cmdline
+      ENV['EVIL_NAME'] = process.name
+      ENV['EVIL_BIN'] = process.binary
+
+      ENV['EVIL_PPID'] = parent.pid.to_s
+      ENV['EVIL_PCMD'] = parent.cmdline
+      ENV['EVIL_PNAME'] = parent.name
+      ENV['EVIL_PBIN'] = parent.binary
+
+      # Launch the command
+      system(@config['external_command'])
+    end
+
+    # Daemon startup procedure
+    def initialize(config)
+      # Check max pids first
+      if RUBY_PLATFORM.downcase =~ /linux/
+        begin
+          @max_pids = File.read('/proc/sys/kernel/pid_max').to_i
+        rescue
+          raise 'Cannot read /proc/sys/kernel/pid_max (is /proc mounted?)'
+        end
+      else
+        # Default on newer FreeBSD. Solaris should have a cap of 30000.
+        # Makes only sense once get_process_list becomes multi-platform, but nice to have.
+        @max_pids = 99999
+      end
+
+      # Validate configuration and store if valid
+      @config = validate_conf config
+
+      # Save the full path to the pid file in @config
+      @config['pidfile'] = File.expand_path(@config['pidfile'])
+
+      # Get initial process list at startup
+      @initial_procs = get_process_list
+      raise 'No processes found (is /proc mounted?)' if @initial_procs.empty?
+
+      # Load the whitelist
+      load_whitelist @config['whitelist'] if @config['whitelist']
+
+      # Initialize @log as configured
+      if @config['syslog']
+        @log = Logger::Syslog.new('kunoichi', Syslog::LOG_DAEMON)
+      else
+        if @config['daemon'] 
+          @log = Logger.new(@config['logfile'])
+        else
+          @log = Logger.new(STDOUT)
+        end
+      end
+
+      # Enable debug info if running in debug mode, keep it quiet otherwise
+      if @config['debug']
+        @log.level = Logger::DEBUG
+      else
+        @log.level = Logger::INFO
+      end
+
+      @log.info 'Kunoichi starting up'
+
+      # Daemonize if we're configured for it
+      if @config['daemon']
+        Process.daemon
+        # Only write the pid file if we're running as daemon
+        if @config['pidfile']
+          begin
+            File.open(@config['pidfile'], 'w+') { |x| x.write Process.pid.to_s }
+          rescue => e
+            @log.error e.message
+          end
+        end
+      end
+
+      # Catch SIGINT (^C) and SIGTERM (default kill)
+      [ 'INT', 'TERM' ].each do |signal|
+        Signal.trap signal do clean_exit signal end
+      end
+
+      # Finally, enter the main loop
+      loop do 
+        main_loop
+        sleep @config['interval']
+      end
+    end
+
+    # Main loop
+    def main_loop
+      @log.debug 'Checking processes:'
+      # Get running processes
+      procs = get_process_list
+      # Extract the new processes since last loop cycle
+      new_procs = procs - @initial_procs
+
+      # Skip the run if there are new processes
+      (@log.debug "\tNo new processes found."; return) if new_procs.empty?
+
+      @log.debug "\tNew processes:"
+
+      # For each new process:
+      new_procs.each do |pid|
+        # Extract information
+        begin
+          process = ProcEntry.new(pid)
+        rescue
+          # Skip if the process died before we could extract the info
+          @log.debug "\t\t#{pid} - Disappeared before analysis"
+          next
+        end
+        @log.debug "\t\t#{pid} - #{process.cmdline}"
+         
+        # If the process runs as root
+        if process.uid == 0 
+
+          # Attempt to identify the parent
+          begin
+            parent = ProcEntry.new(process.parent)
+          rescue => e
+            @log.warn "\t\tParent process of #{process.name} disappeared (#{e.message})."
+            next
+          end
+
+          # Skip if the parent has the whitelisted gid
+          next if parent.gid == @config['group']
+
+          # If the parent is root
+          if parent.uid == 0 
+            # ..and we've chosen to ignore root spawned processes
+            if @config['ignore_root_procs'] or parent.gid == @config['group']
+              # if the parent is init
+              if parent.pid == 1
+                # spare the process unless configured otherwise
+                unless @config['require_init_wlist']
+                  next
+                end
+              # if the parent is not init everything is normal, just skip this one
+              else
+                next
+              end
+            end
+          else
+            # Also skip if the parent is not root, but is in the magic gid
+            next if parent.gid == @config['group']
+          end
+
+          # Log our finding
+          @log.info "\t\tFound offending process: #{pid} - #{process.cmdline}"
+
+          # Skip if the executable is whitelisted
+          if @config['whitelist'] and @whitelist.include? process.binary
+            @log.info "\t\t\tAllowed(#{process.binary})." if @config['log_whitelist']
+            next
+          end
+          
+          # If we got this far it means the process deserves our attention
+
+          # Terminate the process unless configured otherwise
+          unless @config['no_kill'] 
+            @log.info "\t\t\tTerminating."
+            Process.kill(:KILL,pid)
+          else
+            @log.info "\t\t\tNot killing."
+          end
+
+          # Also kill the parent unless configured otherwise (or the parent is init)
+          unless process.parent == 1 or @config['no_kill_ppid'] 
+            @log.info "\t\t\tKilling parent too."
+            Process.kill(:KILL,process.parent) 
+          end
+
+          # Run the external command in a subprocess
+          fork { run_command(process,parent) } if @config['external_command'] 
+        end
+      end
+
+      # Save the current process list for the next run
+      @initial_procs = procs
+    end
+  end
+end

data/lib/kunoichi/proctable.rb

@@ -0,0 +1,23 @@
+# Accessory class to access informations about a process
+class ProcEntry
+
+  attr_accessor :pid, :cmdline, :name, :binary, :uid, :gid, :parent
+
+  # Fetch all the values when the object is created
+  def initialize(pid)
+    raise 'invalid pid: not a number' unless pid.is_a? Fixnum
+    pids = pid.to_s
+    raise 'invalid pid: not running' unless File.directory? "/proc/#{pids}"
+    begin
+      @pid = pid
+      @cmdline = File.read("/proc/#{pids}/cmdline").gsub("\0", ' ')
+      @name = @cmdline.split[0]
+      @uid = File.stat("/proc/#{pids}/").uid
+      @gid = File.stat("/proc/#{pids}/").gid
+      @binary = File.readlink("/proc/#{pids}/exe")
+      @parent = File.readlines("/proc/#{pids}/status").grep(/^PPid:/).first.split[1].to_i
+    rescue => e
+      raise "can't get process info: #{e.message}"
+    end
+  end
+end

metadata

@@ -0,0 +1,84 @@
+--- !ruby/object:Gem::Specification
+name: kunoichi
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Alessandro Grassi
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-01-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.8
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.8
+- !ruby/object:Gem::Dependency
+  name: syslog-logger
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.8
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.8
+description: A Ruby rewrite of Tom Rune Flo's Ninja, a privilege escalation monitor.
+email:
+- alessandro@aggro.it
+executables:
+- kunoichi
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/extensions/object.rb
+- lib/kunoichi.rb
+- lib/kunoichi/cli.rb
+- lib/kunoichi/kunoichi.rb
+- lib/kunoichi/proctable.rb
+- bin/kunoichi
+homepage: https://github.com/xstasi/kunoichi
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Process privilege escalation monitor
+test_files: []