containerscrew/rootisnaked
rootisnaked

Simple root privilege escalation detection using eBPF



Rootisnaked was initially created using ebpf-go. The project now uses libbpf, with both the kernel-side and the user-space code written in C. You can find the initial version here. There is no strong reason to use C rather than Go for the user-space part; it is a personal preference, to practice C and libbpf.

rootisnaked

Rootisnaked is a simple eBPF program that monitors changes to a process's credentials (specifically the UID) on a Linux system. It hooks the commit_creds kernel function, which is called whenever a task's credentials are replaced, detects when a process's UID changes to 0 (root), and writes the event to a ring buffer for further analysis in user space. It can be used, for example, to detect possible Linux privilege escalation. The example output below also shows a file_perm event, here for a chmod to mode 777 on /etc/test.

Caution

This is an introductory eBPF project. This tool DOES NOT cover all possible attack vectors for escalating privileges. It only sees credential changes that go through commit_creds and set the UID to 0, so it misses, for example, an exploit that overwrites the task's cred struct in place, or an escalation that gains capabilities or a privileged group without ever becoming UID 0. It also fires on legitimate sudo and su use, as the example below shows, so treat these events as a signal to correlate rather than as a verdict on their own.
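As an added illustration (not rootisnaked's own code), here is the user-space side of this design: once the ring buffer hands over a record with the old and new UID, the detection itself is a single comparison, and the interesting policy question is what to do when the transition did not come through a known setuid helper. The cc_event layout, the helper allowlist and the function names are assumptions made for this example; the real record layout is defined by the project's BPF program. On the kernel side, a kprobe on commit_creds would make the same comparison between current->cred->uid.val (the credentials being replaced) and new->uid.val (the struct cred passed to commit_creds).

```c
/* Added example (not rootisnaked's own code): user-space handling of a
 * commit_creds event. The cc_event layout, the helper allowlist and the
 * function names are assumptions made for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMM_LEN 16      /* TASK_COMM_LEN */
#define PATH_LEN 256
#define CMDLINE_LEN 256

/* Hypothetical ring-buffer record, mirroring the fields rootisnaked logs. */
struct cc_event {
    uint32_t tgid;
    uint32_t old_uid;          /* current->cred->uid.val at kprobe entry */
    uint32_t new_uid;          /* new->uid.val, the cred passed to commit_creds */
    char comm[COMM_LEN];
    char exe[PATH_LEN];
    char cmdline[CMDLINE_LEN];
};

/* The core check: a task that was not root just became root. */
bool is_root_escalation(const struct cc_event *e)
{
    return e->old_uid != 0 && e->new_uid == 0;
}

/* Executables expected to move a user to uid 0 (assumed allowlist). */
static const char *const known_setuid_helpers[] = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/doas", "/usr/bin/pkexec", NULL
};

/* 0 = no escalation, 1 = escalation via a known helper (e.g. `sudo su -`),
 * 2 = escalation from an unexpected executable (a local exploit, a stray
 * setuid binary in /tmp, ...), which is the case worth alerting on. */
int classify_event(const struct cc_event *e)
{
    if (!is_root_escalation(e))
        return 0;
    for (const char *const *p = known_setuid_helpers; *p; p++)
        if (strcmp(e->exe, *p) == 0)
            return 1;
    return 2;
}

/* Render one key=value log line in the same style as rootisnaked's output.
 * Returns the length written, or -1 if `out` was too small. */
int format_event(const struct cc_event *e, char *out, size_t n)
{
    const char *level = classify_event(e) == 2 ? "ALERT" : "INFO";
    int len = snprintf(out, n,
        "[%s]: event=commit_creds, tgid=%u, old_uid=%u, new_uid=%u, comm=%s, "
        "executable_path=%s, cmdline=%s",
        level, e->tgid, e->old_uid, e->new_uid, e->comm, e->exe, e->cmdline);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

int main(void)
{
    /* Constructed sample events: the README's `sudo su -`, a hypothetical
     * exploit binary, and a root daemon whose uid does not change. */
    const struct cc_event samples[] = {
        { 36064, 1000, 0, "sudo", "/usr/bin/sudo", "sudo su - " },
        { 4242, 1000, 0, "exploit", "/tmp/exploit", "./exploit" },
        { 1234, 0, 0, "cron", "/usr/sbin/cron", "/usr/sbin/cron -f" },
    };
    char line[1024];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (classify_event(&samples[i]) &&
            format_event(&samples[i], line, sizeof line) > 0)
            puts(line);
    return 0;
}
```

The allowlist is deliberately a blunt instrument: it only tells legitimate-looking transitions apart from everything else, and a real deployment would also want to check that the helper path is the genuine setuid binary (package-owned, not writable) rather than a file that merely has that name.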


example

2025-09-24 11:06:30 [INFO]: Starting rootisnaked
2025-09-24 11:06:30 [INFO]: eBPF program loaded and attached. Waiting for commit_creds_events...
2025-09-24 11:06:33 [INFO]: event=file_perm, pid=35890, user=root, uid=0, comm=chmod, mode=777, filename=/etc/test, hostname=arch
2025-09-24 11:06:41 [INFO]: event=commit_creds, user=dcr, tgid=36064, old_uid=1000, new_uid=0, cmdline=sudo su - , executable_path=/usr/bin/sudo, hostname=arch

Alerting using alertmanager and telegram


Running rootisnaked

Install system dependencies (Ubuntu)

sudo apt install -y linux-headers-$(uname -r) vim gcc make clang libbpf-dev curl clang-format libcurl4-openssl-dev build-essential libelf-dev

Tested on Arch Linux with kernel version 6.16.5-arch1-1 and Ubuntu 24.04 with kernel version 6.2.0-26-generic.

Optional: Setup alertmanager for centralized alerting (via telegram)

cp docker/.env.example docker/.env
# Edit docker/.env and set TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID
set -a; source docker/.env; set +a
envsubst < docker/alertmanager/alertmanager.yml.tpl > docker/alertmanager/alertmanager.yml
docker-compose -f docker/compose.yml up -d

Compile and run

make # Using all available threads
# Or with only 1 thread
# make -j1
# make -j4 # Using 4 threads
DEBUG=false ALERTS=true sudo -E ./bin/rootisnaked
# Or alerts disabled
DEBUG=false ALERTS=false sudo -E ./bin/rootisnaked

The Alertmanager URL is currently hardcoded to http://localhost:9093. DEBUG and ALERTS are read from the environment, which is why the commands above use sudo -E (preserve the caller's environment).
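Added example, not part of the project: what a POST body to Alertmanager's v2 API could look like for one of these events. The README does not show how rootisnaked formats its alert, so the label and annotation names here are assumptions; the API shape itself (POST /api/v2/alerts with a JSON array of alerts, each carrying labels and optional annotations) is Alertmanager's. The point to notice is the escaping: cmdline and comm are chosen by the process being reported, so an attacker's command line must not be able to close the JSON string and add its own labels (for example, to lower the severity of its own alert).

```c
/* Added example (not rootisnaked's own code): build an Alertmanager v2 alert
 * body for a commit_creds event. Label/annotation names are assumptions;
 * the API shape (POST /api/v2/alerts, JSON array of {labels, annotations})
 * is Alertmanager's. */
#include <stdio.h>
#include <string.h>

/* Escape `in` for use inside a JSON string literal. Fields such as cmdline
 * and comm are chosen by the reported process, so a quote, backslash or
 * control character must not be able to break out of the string.
 * Returns bytes written (excluding NUL) or -1 if `out` is too small. */
int json_escape(const char *in, char *out, size_t n)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        char tmp[8];
        const char *rep;
        switch (c) {
        case '"':  rep = "\\\""; break;
        case '\\': rep = "\\\\"; break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        case '\t': rep = "\\t";  break;
        default:
            if (c < 0x20) {
                snprintf(tmp, sizeof tmp, "\\u%04x", (unsigned)c);
            } else {
                tmp[0] = (char)c;
                tmp[1] = '\0';
            }
            rep = tmp;
        }
        size_t len = strlen(rep);
        if (o + len + 1 > n)        /* leave room for the NUL */
            return -1;
        memcpy(out + o, rep, len);
        o += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Produce the JSON array Alertmanager expects. Every untrusted field goes
 * through json_escape() before it is placed in the template.
 * Returns the payload length, or -1 if a buffer is too small. */
int build_alert_payload(const char *hostname, const char *user, unsigned tgid,
                        const char *exe, const char *cmdline,
                        char *out, size_t n)
{
    char h[256], u[256], e[512], c[1024];
    if (json_escape(hostname, h, sizeof h) < 0 ||
        json_escape(user, u, sizeof u) < 0 ||
        json_escape(exe, e, sizeof e) < 0 ||
        json_escape(cmdline, c, sizeof c) < 0)
        return -1;
    int len = snprintf(out, n,
        "[{\"labels\":{\"alertname\":\"RootEscalation\",\"severity\":\"critical\","
        "\"instance\":\"%s\",\"user\":\"%s\",\"tgid\":\"%u\"},"
        "\"annotations\":{\"summary\":\"%s (tgid %u) gained uid 0 on %s\","
        "\"executable_path\":\"%s\",\"cmdline\":\"%s\"}}]",
        h, u, tgid, e, tgid, h, e, c);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

int main(void)
{
    char body[4096];
    /* Constructed input taken from the README's sample event. */
    if (build_alert_payload("arch", "dcr", 36064, "/usr/bin/sudo", "sudo su - ",
                            body, sizeof body) > 0)
        puts(body);
    /* A hostile command line: the quotes end up escaped, not interpreted. */
    if (build_alert_payload("arch", "dcr", 4242, "/tmp/exploit",
                            "x\", \"severity\":\"none", body, sizeof body) > 0)
        puts(body);
    return 0;
}
```

With the URL hardcoded as described above, this body would be sent to http://localhost:9093/api/v2/alerts with Content-Type: application/json; libcurl, which the dependency list above already includes, is the natural way to do that from C.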

Using docker

sudo docker build -f docker/Dockerfile -t containerscrew/rootisnaked:latest .

Loading eBPF programs requires running as root, or at least granting the capabilities the loader needs (CAP_BPF and CAP_PERFMON on recent kernels, CAP_SYS_ADMIN on older ones) and mounting the filesystems the program reads (/proc, /sys, ...).

sudo podman run -itd --restart always --name rootisnaked --privileged \
  -v /proc:/proc:ro \
  -v /sys:/sys:ro \
  -e DEBUG=false \
  -e ALERTS=false \
  containerscrew/rootisnaked:latest

sudo is used because I run podman rootless.

Using the script scripts/install.sh and systemd service

I haven't created any package (deb, rpm...) yet, so I wrote a simple script that installs rootisnaked and sets up a systemd service to run it on boot.

./scripts/install.sh

The script creates a systemd service that runs rootisnaked; check it with systemctl status rootisnaked.

License

rootisnaked is distributed under the terms of the GPL-3.0 and MIT licenses (see LICENSE-GPL3 and LICENSE-MIT).
