This program was made to detect Dirty Pipe exploitation attempts thanks to eBPF. It also monitors nonvulnerable kernels and docker containers.
🛫 If you want more details on how it works please read the blog post ! 🛬
Default execution:
sudo ./bin/dirtypipe_detection
Debug mode:
Show libbpf logs on execution
sudo ./bin/dirtypipe_detection --debug
Daemon mode:
Run program as daemon and send alerts over syslog
sudo ./bin/dirtypipe_detection --daemon
sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 bpftool -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make
sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 linux-tools-common linux-tools-$(uname -r) -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make
Read the original blog on Dirtypipe from [email protected]
Read an interesting strategy from Datadog team