
An eBPF detection program for CVE-2022-0847

dirtypipe-ebpf_detection -- Dirtypipe detection tool

This program detects Dirty Pipe (CVE-2022-0847) exploitation attempts using eBPF. It also monitors non-vulnerable kernels and Docker containers.

:flight_departure: If you want more details on how it works, please read the blog post! :flight_arrival:

How does it work?

Default execution:

sudo ./bin/dirtypipe_detection

Debug mode:

Show libbpf logs on execution

sudo ./bin/dirtypipe_detection --debug

Daemon mode:

Run the program as a daemon and send alerts over syslog

sudo ./bin/dirtypipe_detection --daemon

How to build?

Debian

sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 bpftool -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make

Ubuntu

sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 linux-tools-common linux-tools-$(uname -r) -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make

Credits and References

Read the original blog post on Dirty Pipe from [email protected]

Read an interesting strategy from the Datadog team