Kernel Modification

Classification:

compliance

Framework:

Control:

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Overview

Goal

Detect modifications made to the /boot/ directory.

Strategy

The /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.

Triage & Response

Check to see what modifications were made to the /boot/ directory.
Cross-check any changes with known system activity, such as startup scripts, or maintenance.
If these changes are not acceptable, roll back the host or container in question to a known good /boot/ configuration.

このページ