Merged
Debian 12 bookworm, x86_64, GNOME desktop, systemd, Docker Compose v2. Clarify this is for developer workstations, not headless servers.
Processes holding /dev/uinput fds can create virtual input devices to inject keystrokes or clone-and-grab real keyboards for interception. Scans all process fds for /dev/uinput with an allowlist for legitimate input remappers (keyd, kanata, kmonad, xremap, etc).
Three complementary checks for root activity that should not normally exist on a developer workstation:
- utmp/who: catches root logged in via TTY or SSH
- loginctl: catches root sessions on systemd (including graphical seats)
- /proc scan: catches UID 0 processes with a controlling terminal (root shells spawned via su/sudo -i that don't create utmp entries)
Decodes TTY device numbers to human-readable pts/ttyN names.
- PATROL.md: update users module description to include active root session checks, add root sessions and /dev/uinput access to high-priority change list
- C2.md: add /dev/uinput to credential theft correlation pattern, add active root session to privilege escalation pattern, add new root compromise correlation pattern (no watch signal required)
Add /dev/uinput reader detection (2.3a) under process-level hiding. Add new section 10a for active root session detection covering utmp/who, loginctl, and /proc UID 0 + TTY scanning.
Seed a root process with a controlling terminal (via script(1) pty allocation) so sread users can detect UID 0 + TTY. Skip /dev/uinput test as it requires the kernel device node. All 35 tests pass, 0 failures.
grep -v returns exit 1 when no lines match (e.g. sudoers.d/README is all comments). Under set -eo pipefail this kills the entire script before the new active root session checks can run.
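The /proc scan described in the root session commit above (UID 0 processes with a controlling terminal, with tty_nr decoded into pts/N or ttyN), as an added stand-alone example in POSIX sh; this is not the project's own sread code, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's sread code. Function names are assumptions.
# Decodes the tty_nr field of /proc/<pid>/stat and lists UID 0 processes that
# hold a controlling terminal, which su / sudo -i shells have even though they
# create no utmp entry.
set -eu

# tty_nr is a Linux dev_t: major in bits 8-19, minor in bits 0-7 and 20-31.
tty_name() {
    dev=$1
    [ "$dev" -ne 0 ] || { echo "none"; return 0; }
    major=$(( (dev >> 8) & 0xfff ))
    minor=$(( (dev & 0xff) | ((dev >> 12) & 0xfff00) ))
    if [ "$major" -ge 136 ] && [ "$major" -le 143 ]; then
        echo "pts/$(( (major - 136) * 256 + minor ))"   # Unix98 pty slaves
    elif [ "$major" -eq 4 ] && [ "$minor" -lt 64 ]; then
        echo "tty$minor"                                # virtual consoles
    elif [ "$major" -eq 4 ]; then
        echo "ttyS$(( minor - 64 ))"                    # serial consoles
    else
        echo "dev($major,$minor)"
    fi
}

# Pull tty_nr out of one /proc/<pid>/stat line. comm is in parentheses and may
# contain spaces, so strip everything up to the last ") " before splitting.
stat_tty_nr() {
    rest=${1##*) }
    set -- $rest          # now: state ppid pgrp session tty_nr ...
    echo "$5"
}

# Walk /proc and report UID 0 processes whose tty_nr is non-zero.
root_tty_procs() {
    for status in /proc/[0-9]*/status; do
        pid=${status#/proc/}; pid=${pid%/status}
        uid=$(awk '/^Uid:/ {print $2}' "$status" 2>/dev/null) || continue
        [ "$uid" = "0" ] || continue
        stat=$(cat "/proc/$pid/stat" 2>/dev/null) || continue
        nr=$(stat_tty_nr "$stat") || continue
        [ -n "$nr" ] && [ "$nr" -ne 0 ] || continue
        comm=${stat#*(}; comm=${comm%%)*}
        printf 'pid=%s tty=%s comm=%s\n' "$pid" "$(tty_name "$nr")" "$comm"
    done
    return 0
}

if [ -d /proc/self ]; then root_tty_procs; fi
```

Processes that exited between the directory listing and the read are skipped rather than aborting the scan, which matters under set -e.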
Summary
/dev/uinput to detect virtual input injection (keystroke interception via clone-and-grab). Allowlists legitimate input remappers (keyd, kanata, kmonad, xremap, etc).
Test plan
- `docker compose --profile test run --rm secy-test` -- 35 passed, 0 failed, 5 skipped
- `sread spyproc` on host with keyd/kanata running -- verify allowlist suppresses false positives
- `sread users` after `sudo -i` -- verify root shell is detected with correct pts/N
- `sread users` normally -- verify no false positives on a clean system