Preparation for Attack
Preparation for Attack (Unix/Linux)
The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: PREPARATION FOR ATTACK.
| Alert rule | Description |
|---|---|
| Building a software package on production servers | An alert is triggered upon running build commands using GCC/GMAKE on servers in the Production environment, which might indicate an intent to attack. |
| Changing root password by regular user | An alert is triggered when a regular user tries to change the root password using the PASSWD command. |
| Changing root password by root user | An alert is triggered when the root user tries to change the root password using the PASSWD command. |
| Searching files with advanced permissions | An alert is triggered upon searching (using the FIND command) for files with advanced permissions such as the sticky bit, SUID, and SGID. |
| Searching for directories with WRITE or EXECUTE permissions | An alert is triggered upon searching (using the FIND command) for directories with WRITE and EXECUTE permissions, into which malicious utilities could be copied and then executed. |
| Searching for installed network tools | An alert is triggered upon searching (using the FIND command) for utilities that can be used to download content from remote networks. |
| Searching for programming languages | An alert is triggered upon searching (using the FIND command) for programming languages such as C/Perl/Python/Java that are already installed on the machine. |
| Viewing scheduled cron job tasks | An alert is triggered upon trying to view cron configuration files. |
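The following is an added example, not the product's own rule engine, showing how each rule in the table above can be expressed as a check over audited shell commands. The log line format (`host=… env=… user=… cmd=…`), the field names, the lists of network tools, build tools and language binaries, and the sample lines themselves are all constructed assumptions for this example; a real deployment would read its own audit source and tune the lists.

```python
"""Added example: classify audited shell commands against the Preparation for
Attack rules in the table. Log format, field names and the command lists
below are assumptions for this example, not the product's own schema."""
import re
import shlex

# Constructed sample audit lines (not real output from any product).
SAMPLE_LOG = """\
2024-05-01T10:00:01 host=web01 env=production user=alice cmd=gcc -o /tmp/x exploit.c
2024-05-01T10:00:02 host=web01 env=production user=bob cmd=sudo passwd root
2024-05-01T10:00:03 host=web01 env=production user=root cmd=passwd
2024-05-01T10:00:04 host=web01 env=production user=alice cmd=find / -perm -4000 -type f
2024-05-01T10:00:05 host=web01 env=production user=alice cmd=find / -type d -perm -o+w
2024-05-01T10:00:06 host=web01 env=production user=alice cmd=find / -name wget
2024-05-01T10:00:07 host=web01 env=production user=alice cmd=find /usr -name "python*"
2024-05-01T10:00:08 host=web01 env=production user=alice cmd=cat /etc/crontab
2024-05-01T10:00:09 host=web01 env=staging user=alice cmd=gmake all
2024-05-01T10:00:10 host=web01 env=production user=alice cmd=ls -l /home
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) env=(?P<env>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Assumed lists; extend them to match what is actually installed on your hosts.
BUILD_TOOLS = {"gcc", "cc", "g++", "make", "gmake"}
NETWORK_TOOLS = {"wget", "curl", "nc", "ncat", "netcat", "ftp", "tftp", "scp"}
LANG_BINARIES = {"gcc", "cc", "perl", "python", "python2", "python3", "java", "javac"}
CRON_PATHS = ("/etc/crontab", "/etc/cron", "/var/spool/cron")
VIEWERS = {"cat", "less", "more", "head", "tail", "vi", "vim", "nano"}


def _args_of(argv, flag):
    """Values following every occurrence of `flag` in argv (e.g. the N in `-perm N`)."""
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == flag]


def _tests_special_bits(perm):
    """True if a find -perm argument selects the sticky, SUID or SGID bits."""
    body = perm.lstrip("-/")
    if body.isdigit():
        return len(body) == 4 and body[0] != "0"   # 4000 SUID, 2000 SGID, 1000 sticky
    return "s" in body or "t" in body              # symbolic: u+s, g=s, o+t ...


def _tests_write_or_exec(perm):
    """True if a find -perm argument selects write or execute bits."""
    body = perm.lstrip("-/")
    if body.isdigit():
        return any(int(d) & 0o3 for d in body[-3:])  # w=2, x=1 in each rwx triplet
    return "w" in body or "x" in body


def classify(event):
    """Return the name of the rule an audited command falls under, or None."""
    argv = shlex.split(event["cmd"])
    if argv and argv[0] == "sudo":           # the invoking user, not root, is the actor
        argv = argv[1:]
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    user = event["user"]
    if prog in BUILD_TOOLS and event.get("env") == "production":
        return "Building a software package on production servers"
    if prog == "passwd":
        # passwd with no account argument changes the caller's own password
        target = next((a for a in argv[1:] if not a.startswith("-")), user)
        if target == "root":
            return ("Changing root password by root user" if user == "root"
                    else "Changing root password by regular user")
    if prog == "find":
        perms = _args_of(argv, "-perm")
        names = {n.strip("*") for n in _args_of(argv, "-name") + _args_of(argv, "-iname")}
        if any(_tests_special_bits(p) for p in perms):
            return "Searching files with advanced permissions"
        dirs_only = "d" in _args_of(argv, "-type")
        if dirs_only and ("-writable" in argv or "-executable" in argv
                          or any(_tests_write_or_exec(p) for p in perms)):
            return "Searching for directories with WRITE or EXECUTE permissions"
        if names & NETWORK_TOOLS:
            return "Searching for installed network tools"
        if names & LANG_BINARIES:
            return "Searching for programming languages"
    if prog in VIEWERS and any(a.startswith(CRON_PATHS) for a in argv[1:]):
        return "Viewing scheduled cron job tasks"
    return None


def scan(log_text):
    """Parse audit lines and return (timestamp, user, rule) for every line that alerts."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rule = classify(m.groupdict())
        if rule:
            alerts.append((m["ts"], m["user"], rule))
    return alerts


if __name__ == "__main__":
    for ts, user, rule in scan(SAMPLE_LOG):
        print(f"{ts} {user:<6} {rule}")
```

Two design points worth noting: the `passwd` rules are split on who invoked the command (the audited user, even under `sudo`), which is what separates the "regular user" rule from the "root user" rule; and the `-perm` parsing accepts both octal (`-4000`, `/6000`, `-0002`) and symbolic (`-u+s`, `-o+w`) forms, since a search for SUID/SGID files can be written either way. The `gmake` line on a staging host produces no alert, matching the rule's restriction to the Production environment.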