Critical system binary modified

Classification: attack
Tactic:
Technique:
Framework: pci
Control: 11.5


What happened

The system file {{ @file.path }} was modified by the process {{ @process.comm }}.

Goal

Detect modifications of critical system binaries.

Strategy

PCI-DSS is the payment-card industry's compliance framework. Any system that handles credit card data or transactions from the major credit card companies must be PCI-DSS compliant. Control 11.5 of the PCI-DSS framework states that organizations must "alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files". On Linux, critical system binaries are typically stored in /bin/, /sbin/, or /usr/sbin/. This rule tracks any modifications to files in those directories.
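The three cases Control 11.5 names (changes, additions, deletions) map directly onto a hash-baseline comparison of the watched directories. The following is an added example, not Datadog's rule logic or Agent code; the `WATCHED` tuple is an assumption taken from the paths named above, and the demo runs against a constructed temporary tree so it can be executed offline.

```python
"""File-integrity baseline for the directories this rule watches (PCI-DSS 11.5).
Added example, not Datadog's rule logic: snapshot SHA-256 digests, then diff a later
snapshot into changes, additions and deletions. Demo uses a constructed temp tree."""
import hashlib
import os
import tempfile
from pathlib import Path

WATCHED = ("/bin", "/sbin", "/usr/sbin")  # assumption: directories named in the rule text


def snapshot(roots):
    """Map every regular file under roots to its SHA-256 digest (symlinks skipped)."""
    digests = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath, name)
                if path.is_symlink() or not path.is_file():
                    continue
                digests[str(path)] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff(baseline, current):
    """Return (changed, added, deleted) sorted path lists, the three cases 11.5 names."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    return changed, added, deleted


def demo():
    """Constructed scenario in a temp dir: one binary rewritten, one added, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_bin = Path(tmp, "bin")
        fake_bin.mkdir()
        (fake_bin / "ls").write_bytes(b"ELF original ls")
        (fake_bin / "cat").write_bytes(b"ELF original cat")
        baseline = snapshot([fake_bin])
        (fake_bin / "ls").write_bytes(b"ELF rewritten ls")  # change
        (fake_bin / "newtool").write_bytes(b"ELF newtool")   # addition
        (fake_bin / "cat").unlink()                          # deletion
        changed, added, deleted = diff(baseline, snapshot([fake_bin]))
        return tuple([Path(p).name for p in group] for group in (changed, added, deleted))


if __name__ == "__main__":
    print(demo())  # (['ls'], ['newtool'], ['cat'])
```

On a real host, run `snapshot(WATCHED)` once from a known-good state, store the result off-box, and diff against a fresh snapshot on a schedule; a non-empty result is the event this rule alerts on.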

Triage and response

  1. Identify which user or process changed the critical system binaries.
  2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.

Requires Agent version 7.27 or greater