Log suid binaries and enforce per-uid suid policy.
suidsnoop is a tool for logging whenever a suid binary is executed on your system and optionally enforcing a per-uid policy for suid binaries.
suidnsoop is built using eBPF LSM programs and is written in pure Rust using the Aya library.
- Install a rust stable toolchain:
rustup install stable
- Install a rust nightly toolchain:
rustup install nightly
- Install bpf-linker:
cargo install bpf-linker
Build and Install
git clone https://github.com/willfindlay/suidsnoop && cd suidsnoop
$HOME/.cargo/bin is in your
Log all attempts to run suid binaries:
Allow uid 1000 and deny all others:
sudo suidsnoop -u 1000
Deny uid 1001 and allow all others:
sudo suidsnoop -U 1001
Do a dry run of a policy:
sudo suidsnoop -U 1001 -d