suidsnoop

Log suid binaries and enforce per-uid suid policy.

suidsnoop is a tool for logging whenever a suid binary is executed on your system and optionally enforcing a per-uid policy for suid binaries. suidnsoop is built using eBPF LSM programs and is written in pure Rust using the Aya library.

Prerequisites

Install a rust stable toolchain: rustup install stable
Install a rust nightly toolchain: rustup install nightly
Install bpf-linker: cargo install bpf-linker

Build and Install

git clone https://github.com/willfindlay/suidsnoop && cd suidsnoop
make install

Make sure $HOME/.cargo/bin is in your $PATH!

Examples

Log all attempts to run suid binaries:

sudo suidsnoop

Allow uid 1000 and deny all others:

sudo suidsnoop -u 1000

Deny uid 1001 and allow all others:

sudo suidsnoop -U 1001

Do a dry run of a policy:

sudo suidsnoop -U 1001 -d

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
.cargo		.cargo
.vim		.vim
.vscode		.vscode
suidsnoop-common		suidsnoop-common
suidsnoop-ebpf		suidsnoop-ebpf
suidsnoop		suidsnoop
xtask		xtask
.gitignore		.gitignore
Cargo.toml		Cargo.toml
Makefile		Makefile
README.md		README.md
rustfmt.toml		rustfmt.toml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Uh oh!

Repository files navigation

suidsnoop

Prerequisites

Build and Install

Examples

About

Uh oh!

Releases

Packages

Uh oh!

Languages

Uh oh!

Uh oh!

willfindlay/suidsnoop

Folders and files

Latest commit

History

Repository files navigation

suidsnoop

Prerequisites

Build and Install

Examples

About

Topics

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Languages

Packages