Kernel Modification

Classification:

compliance

Framework:

Control:


Overview

Goal

Detect modifications made to the /boot/ directory.

Strategy

The /boot/ directory on Linux contains everything required for the system to boot, including the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. Because anything placed there runs at boot time, this gives the attacker persistence across reboots, and it also lets the malicious code run with elevated system privileges.

Triage & Response

  1. Check what modifications were made to the /boot/ directory.
  2. Cross-check any changes against known system activity, such as startup scripts or scheduled maintenance.
  3. If the changes are not acceptable, roll back the host or container in question to a known good /boot/ configuration.
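The following script is an added example to support triage step 1 (finding out what actually changed); it is not Datadog's rule implementation. It records a SHA-256 baseline of every regular file under a boot directory and later reports which files were modified, added or removed. `BOOT_DIR`, `boot_baseline`, `boot_diff` and the constructed demo tree are assumptions made for this example; the real directory defaults to /boot, and file paths are assumed to contain no spaces, which holds for a normal /boot/ layout.

```shell
#!/bin/sh
# Added example (not Datadog's rule logic): baseline-and-compare check for the
# boot directory. BOOT_DIR is assumed here so the script can be exercised against
# a constructed directory instead of the real /boot. Paths are assumed to have
# no spaces (awk splits the sha256sum listing on whitespace).

BOOT_DIR="${BOOT_DIR:-/boot}"

# Emit "sha256  ./relative/path" for every regular file under $1.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# Print the hash recorded for path $2 in listing file $1 (empty if absent).
lookup_hash() {
    awk -v p="$2" '$2 == p { print $1; exit }' "$1"
}

# Write a baseline listing of directory $1 to file $2.
# Take it from a known-good image or host, not from a machine already under triage.
boot_baseline() {
    hash_tree "$1" > "$2"
}

# Compare the live tree $1 with baseline file $2. Prints one line per
# MODIFIED, REMOVED or ADDED file; returns 0 if nothing changed, 1 otherwise.
boot_diff() {
    dir="$1"; base="$2"
    cur=$(mktemp) || return 2
    hash_tree "$dir" > "$cur"
    changed=0
    # Everything in the baseline: still present and unchanged, changed, or gone?
    while read -r hash path; do
        now=$(lookup_hash "$cur" "$path")
        if [ -z "$now" ]; then
            echo "REMOVED  $path"; changed=1
        elif [ "$now" != "$hash" ]; then
            echo "MODIFIED $path"; changed=1
        fi
    done < "$base"
    # Everything live that the baseline never saw.
    while read -r hash path; do
        if [ -z "$(lookup_hash "$base" "$path")" ]; then
            echo "ADDED    $path"; changed=1
        fi
    done < "$cur"
    rm -f "$cur"
    return "$changed"
}

# Usage: script baseline <file> | check <file> | (no args) demo on a constructed tree
case "${1:-demo}" in
    baseline) boot_baseline "$BOOT_DIR" "$2" ;;
    check)    boot_diff "$BOOT_DIR" "$2" ;;
    demo)
        demo=$(mktemp -d)
        mkdir -p "$demo/boot/grub"
        printf 'kernel-image' > "$demo/boot/vmlinuz-demo"      # constructed file
        printf 'menuentry demo' > "$demo/boot/grub/grub.cfg"   # constructed file
        boot_baseline "$demo/boot" "$demo/baseline.txt"
        printf 'tampered' >> "$demo/boot/grub/grub.cfg"        # constructed modification
        boot_diff "$demo/boot" "$demo/baseline.txt" || echo "boot tree differs from baseline"
        rm -rf "$demo"
        ;;
esac
```

Run `baseline` once against a known-good system and keep the listing off-host; `check` then gives triage step 1 a concrete answer instead of a yes/no alert. For step 2, a changed file that belongs to a package can be cross-checked with the package manager's own verification (`rpm -V` or `dpkg --verify`), which tells you whether the file still matches what the package shipped; a file that matches neither the baseline nor its package, and no maintenance window, is the case step 3 is written for.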