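# Wazuh SCA policy: detect known on-disk artifacts of the Chaos malware on a
# Linux agent. The page's rendering had dropped all indentation; the structure
# below is the standard SCA layout (policy / requirements / checks).
policy:
  id: "chaos_malware_check"
  file: "chaos_malware_check.yml"
  name: "Chaos malware check"
  description: "Checking Chaos malware infection on Linux agent."

# Gate: the policy only runs where at least one rule matches. The existence of
# /etc/passwd is used as the "this is a Linux-like system" probe. The title
# previously said "Ubuntu agent" while everything else says "Linux"; the check
# itself is not Ubuntu-specific, so the wording is aligned with the policy.
requirements:
  title: "Checking Chaos malware infection on Linux agent."
  description: "Check that system is Linux based."
  condition: any
  rules:
    - 'f:/etc/passwd'

checks:
  - id: 10001
    title: 'Check for Chaos malware activities in the "/etc/", "/boot/" directory'
    description: "Check for Chaos malware artifacts on Linux systems."
    # `condition: none` -> the check passes only when NO rule matches, i.e.
    # none of the artifact paths below is present; any hit marks it failed.
    condition: none
    # Each rule runs `find` and matches its output against the `r:` regex,
    # which is anchored on the exact top-level path with `$`. Because a
    # deeper hit (e.g. /etc/<subdir>/32678) could never satisfy that regex
    # anyway, `-maxdepth 1` is added so the agent does not walk the whole of
    # /etc or /boot on every scan; the match result is unchanged.
    rules:
      - 'c:find /boot/ -maxdepth 1 -name "System.img.config" -> r:/boot/System.img.config$'
      - 'c:find /etc/ -maxdepth 1 -name "32678" -> r:/etc/32678$'
      - 'c:find /etc/init.d/ -maxdepth 1 -name "linux_kill" -> r:/etc/init.d/linux_kill$'
      - 'c:find /etc/ -maxdepth 1 -name "id.services.conf" -> r:/etc/id.services.conf$'
      - 'c:find /etc/profile.d/ -maxdepth 1 -name "bash_config.sh" -> r:/etc/profile.d/bash_config.sh$'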