Nsswitch Configuration Modified

Classification: compliance

Framework:

Control:

Overview

Goal

Detect modifications to nsswitch.conf.

Strategy

The Name Service Switch (nsswitch) configuration file points system services and other applications to the sources of name-service information. This information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then log in to privileged user accounts.

Triage & Response

  1. Check to see what changes were made to nsswitch.conf.
  2. Check whether critical name-service sources were changed, and whether the changes were part of known system setup or maintenance.
  3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.
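
One way to carry out steps 1 and 2 is to diff the host's nsswitch.conf against a known-good copy and flag changes to authentication-related databases. The script below is an added example, not part of the original rule; the function names, the `CRITICAL` set, and both sample files are assumptions constructed for illustration.

```python
import re

# Assumption: databases treated as critical for authentication; adjust per host role.
CRITICAL = {"passwd", "shadow", "group", "publickey"}

def parse_nsswitch(text):
    """Return {database: [source or [ACTION] tokens in lookup order]}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Keep bracketed action lists such as [NOTFOUND=return] as single tokens.
        entries[db.strip()] = re.findall(r"\[[^\]]*\]|\S+", sources)
    return entries

def diff_nsswitch(baseline_text, current_text, critical=CRITICAL):
    """List (database, baseline, current, is_critical) for every changed entry."""
    base, cur = parse_nsswitch(baseline_text), parse_nsswitch(current_text)
    findings = []
    for db in sorted(set(base) | set(cur)):
        before, after = base.get(db, []), cur.get(db, [])
        if before != after:                   # sources are consulted in order
            findings.append((db, before, after, db in critical))
    return findings

# Constructed sample files, not taken from any real host.
BASELINE = """\
# /etc/nsswitch.conf (known good)
passwd:  files systemd
group:   files systemd
shadow:  files
hosts:   files dns
"""
CURRENT = """\
passwd:  ldap files systemd   # source inserted ahead of local files
group:   files systemd
shadow:  files
hosts:   files [NOTFOUND=return] dns
"""

if __name__ == "__main__":
    for db, before, after, crit in diff_nsswitch(BASELINE, CURRENT):
        tag = "CRITICAL" if crit else "review"
        print(f"[{tag}] {db}: {' '.join(before)} -> {' '.join(after)}")
```

Because the comparison is order-sensitive, a source moved ahead of `files` is reported even when the set of sources is unchanged.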