Permissions were changed on sensitive Linux files

Classification:

compliance

Framework:

Control:

Overview

Goal

To access protected files and directories, attackers may attempt to change the permissions on these files and directories.

Strategy

This detection monitors permission changes to sensitive files and directories, such as /etc/ and /sbin/.

Triage & Response

  1. Check to see if the file or directory was made more permissive.
  2. Check which user or process made the change.
  3. If these changes are unexpected, contain the host or container and roll back to the last known good configuration.
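
The first two triage steps can be scripted over exported events. The sketch below is an added example, not the rule's own logic: it reports which permission bits a change newly granted and who made it. The event field names (`path`, `old_mode`, `new_mode`, `user`, `process`) and the sample events are assumptions constructed for illustration.

```python
import posixpath

# Directories named in the rule text; the event field names below are assumptions.
SENSITIVE_DIRS = ("/etc", "/sbin")

def is_sensitive(path):
    """True if the normalised path is a sensitive directory or lies under one."""
    p = posixpath.normpath(path)
    return any(p == d or p.startswith(d + "/") for d in SENSITIVE_DIRS)

def gained_bits(old_mode, new_mode):
    """Bits set after the change that were clear before.

    Masked with 0o6777: the sticky bit (0o1000) restricts deletion rather
    than granting access, so adding it is not counted as a loosening.
    """
    return new_mode & ~old_mode & 0o6777

def describe(bits):
    """Human-readable names for the permission bits in `bits`."""
    names = [n for b, n in ((0o4000, "setuid"), (0o2000, "setgid")) if bits & b]
    for who, shift in (("owner", 6), ("group", 3), ("other", 0)):
        for perm, bit in (("read", 4), ("write", 2), ("exec", 1)):
            if bits & (bit << shift):
                names.append(f"{who}-{perm}")
    return names

def triage(event):
    """Answer triage steps 1 and 2 for one chmod event; None if out of scope."""
    if not is_sensitive(event["path"]):
        return None
    gained = gained_bits(event["old_mode"], event["new_mode"])
    return {
        "path": event["path"],
        "more_permissive": gained != 0,
        "gained": describe(gained),
        "changed_by": (event["user"], event["process"]),
    }

# Constructed sample events, not output from any real agent.
EVENTS = [
    {"path": "/etc/shadow", "old_mode": 0o640, "new_mode": 0o644, "user": "www-data", "process": "chmod"},
    {"path": "/etc/ssh/sshd_config", "old_mode": 0o644, "new_mode": 0o600, "user": "root", "process": "ansible"},
    {"path": "/sbin/helper", "old_mode": 0o755, "new_mode": 0o4755, "user": "root", "process": "bash"},
    {"path": "/etcetera/notes", "old_mode": 0o600, "new_mode": 0o666, "user": "dev", "process": "chmod"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(triage(e))
```

A change that removes some bits while adding others is still reported as more permissive, because only the newly granted bits are compared.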