System authentication files modified
Goal
Detect modifications to the pam.d directory.
Strategy
Linux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are set up and configured under the /etc/pam.d/ directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process or reveal system credentials.
Triage and response
- Identify if the changes to the path {{@file.path}} were part of known system setup or maintenance.
- If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.
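To support the first triage step, the following added example (not part of the original rule or of the agent) compares a flagged pam.d file with its known-good copy and lists the rules and modules that changed. The sample file contents are constructed, and `pam_example.so` is a hypothetical module name.

```python
import re

# /etc/pam.d/<service> rule: type control module-path [module-arguments]
# control is a keyword (required, sufficient, ...) or a bracketed [value=action ...] list.
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse one pam.d file into (type, control, module, args) tuples."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        if line.startswith("@include"):
            rules.append(("@include", "", line[len("@include"):].strip(), ""))
            continue
        m = RULE_RE.match(line)
        if m is None:
            rules.append(("unparsed", "", line, ""))    # surface it, never skip silently
            continue
        rules.append((m.group(1), m.group(2), m.group(3), " ".join(m.group(4).split())))
    return rules

def diff_pam(baseline_text, current_text):
    """Compare a modified pam.d file against its known-good copy."""
    base, cur = parse_pam(baseline_text), parse_pam(current_text)
    return {
        "added": [r for r in cur if r not in base],
        "removed": [r for r in base if r not in cur],
        # Modules referenced by parsed rules now but absent from the baseline.
        "new_modules": sorted({r[2] for r in cur if r[1]} - {r[2] for r in base}),
    }

# Constructed sample data (not from a real host).
BASELINE = """\
# known-good copy
auth     required                    pam_env.so
auth     [success=1 default=ignore]  pam_unix.so try_first_pass
@include common-account
session  required                    pam_limits.so
"""
CURRENT = """\
auth     required                    pam_env.so
auth     optional                    pam_example.so
auth     [success=1 default=ignore]  pam_unix.so try_first_pass
@include common-account
session  optional                    pam_limits.so
"""

if __name__ == "__main__":
    for key, value in diff_pam(BASELINE, CURRENT).items():
        print(key, value)
```

An empty result for all three keys means the file content matches the baseline apart from comments and whitespace; any entry under `new_modules` should be checked against the change record for the host.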
Required agent version 7.27 or higher