Log suid binaries and enforce per-uid suid policy.
suidsnoop
is a tool for logging whenever a suid binary is executed on your system and
optionally enforcing a per-uid policy for suid binaries. suidnsoop
is built using eBPF
LSM programs and is written in pure Rust using the Aya library.
- Install a rust stable toolchain:
rustup install stable
- Install a rust nightly toolchain:
rustup install nightly
- Install bpf-linker:
cargo install bpf-linker
git clone https://github.com/willfindlay/suidsnoop && cd suidsnoop
make install
Make sure $HOME/.cargo/bin
is in your $PATH
!
Log all attempts to run suid binaries:
sudo suidsnoop
Allow uid 1000 and deny all others:
sudo suidsnoop -u 1000
Deny uid 1001 and allow all others:
sudo suidsnoop -U 1001
Do a dry run of a policy:
sudo suidsnoop -U 1001 -d