System Compromise

Detects system compromise, privilege escalation, and dangerous system modifications

56 rules in system_compromise.yml

CRITICAL: 27 | HIGH: 22 | MEDIUM: 7

Columns: Rule ID, Severity, Title, Description, Refs. The Refs column is empty for every rule in this section.

Rule ID: backdoor_listener
Severity: CRITICAL
Title: Backdoor Network Listener
Description: Opening a listening socket that spawns a shell (netcat/socat/ncat backdoor).

Rule ID: byovd_known_vulnerable_kernel_driver_install
Severity: CRITICAL
Title: Bring Your Own Vulnerable Driver (BYOVD) - Known-Vulnerable Kernel Driver Load / Install
Description: A task copies, installs, or loads a known-vulnerable kernel driver via win_copy, win_service, sc create, fltmc, sysdrv, /driver_load, NtLoadDriver, or systemd modprobe: RTCore64.sys (MSI Afterburner, CVE-2019-16098), procexp152.sys (Process Explorer, PrintNightmare pivot), iqvw64e.sys (Intel, CVE-2015-2291), gdrv.sys (Gigabyte, CVE-2018-19320), dbutil_2_3.sys (Dell, CVE-2021-21551), mhyprot2.sys (Genshin anti-cheat), capcom.sys (Capcom), atillk64.sys (ATI), agent64.sys (Avast), trufos.sys (Bitdefender), asIO.sys (ASUS), viragt64.sys (OpenLibSys / OpenHardwareMonitor), kprocesshacker.sys. These signed-but-vulnerable drivers are the #1 primitive for disabling EDR/AV in 2023-2024 ransomware operations (LockBit 3.0 BYOVD disabler EDRSandBlast, TrueSightKiller, Terminator, BadMatter). Microsoft maintains a public vulnerable-driver blocklist that is NOT enabled by default on older Windows; detection here catches the deployment step.

Rule ID: cassandra_allow_all_authenticator_with_superuser
Severity: CRITICAL
Title: Cassandra AllowAllAuthenticator Configured With Default cassandra/cassandra Superuser
Description: A rendered cassandra.yaml has authenticator: AllowAllAuthenticator (no password check) OR the default cassandra/cassandra superuser credentials were not rotated while PasswordAuthenticator is enabled. Cassandra’s default install leaves AllowAllAuthenticator on port 9042 - anyone who reaches that port can DROP KEYSPACE, read any column family, and use ALTER TABLE to plant triggers. The 2023-2024 Shadowserver reports show >4000 Internet-reachable unauth Cassandra clusters from exactly this misconfig.

Rule ID: efi_secureboot_disabled_or_uefi_vars_tampered
Severity: CRITICAL
Title: Secure Boot Disabled Or UEFI SetupMode Re-Enabled Via efivar / mokutil
Description: A task invokes mokutil --disable-validation, writes to /sys/firmware/efi/efivars/SecureBoot-*, or runs efibootmgr with -c (create) targeting an unsigned .efi binary on a Secure-Boot-enforced system. Disabling Secure Boot from automation opens the host to bootkits (BlackLotus, CosmicStrand, MoonBounce 2024-2025 resurgence) that survive OS reinstall and evade every in-OS EDR.

Rule ID: elasticsearch_xpack_security_disabled_bound_public
Severity: CRITICAL
Title: Elasticsearch xpack.security.enabled=false With Bind On 0.0.0.0 (Unauth Data Exfil)
Description: An Elasticsearch / OpenSearch config (elasticsearch.yml, opensearch.yml, or env-var in a Docker/K8s manifest) has xpack.security.enabled: false (or plugins.security.disabled: true for OpenSearch) AND network.host: 0.0.0.0 (or unspecified, which defaults to 0.0.0.0). This combination exposes an unauthenticated ES cluster - anyone reachable at port 9200 can read/write all indices and use scripting engines (Painless) for RCE. The 2024 Shadowserver report counts >15,000 Internet-exposed unauth ES clusters; this is the canonical ‘I just wanted to dev locally’ production leak.

Rule ID: event_log_clear_windows
Severity: CRITICAL
Title: Windows Event Log Clearing
Description: Clears Windows event logs via wevtutil cl <log>, Clear-EventLog, Remove-EventLog, or WMIC nteventlog where(…)=TRUE call ClearEventLog(). Log clearing is a defense-evasion primitive almost always associated with post-exploitation cleanup - there is rarely a legitimate automation reason to clear Security/System/Application logs.

Rule ID: kernel_cmdline_mitigations_disabled_nopti_nosmep_nosmap
Severity: CRITICAL
Title: Kernel Command Line Disables CPU Side-Channel Mitigations (nopti/nosmep/nosmap/nokaslr/mitigations=off)
Description: A task renders a bootloader config (/etc/default/grub, /boot/loader/entries/*.conf, kernelopts tuning, cloud-init kernel_cmdline) including mitigations=off, nopti (no page-table isolation -> Meltdown), nosmep (no Supervisor Mode Execution Prevention -> kernel exec-from-userland), nosmap (no Supervisor Mode Access Prevention -> kernel read/write userland freely), nokaslr (no kernel-address randomization -> ROP gadgets at fixed offsets), nospectre_v1/nospectre_v2, noibrs/noibpb/nospec_store_bypass_disable, or spectre_v2=off. Each of these knobs re-enables a hardware-class vulnerability that has a live in-the-wild exploit (Meltdown 2018, RetBleed 2022, Downfall 2023, Reptar 2023, GhostRace 2024). mitigations=off is the master switch used by perf-focused HPC and gaming communities - also by attackers who want their shellcode to work despite hardware defenses.

Rule ID: kernel_modules_disabled_flipped_off_then_modprobe
Severity: CRITICAL
Title: kernel.modules_disabled Flipped Off Then modprobe Executed (LKM Rootkit Load Primitive)
Description: A playbook sets kernel.modules_disabled = 0 (or runs echo 0 > /proc/sys/kernel/modules_disabled) and in the same file runs modprobe <module> / insmod. On hardened hosts modules_disabled=1 is the one-way lockdown that prevents any further module loads for the lifetime of the boot - flipping it back to 0 before loading a module is a classic pre-stage for LKM rootkits (Diamorphine, Reptile, bedevil) and happens in the 2024 DragonRank / Mélofée Linux-persistence chains.

Rule ID: kexec_load_hot_patch_persistence
Severity: CRITICAL
Title: kexec Used To Load Arbitrary Kernel (Boot-Chain Persistence / SecureBoot Bypass Primitive)
Description: A task runs kexec -l <kernel>, kexec --load, or kexec_load(2) with an --initrd / --append argument - especially from a playbook that does not describe a legitimate live-kernel-patch rollout (kpatch / livepatch). kexec loads a new kernel image directly into memory and (via kexec -e) transfers control without a full BIOS/UEFI boot - this BYPASSES Secure Boot signature verification, persists across reboots as long as the kexec-loaded kernel stays resident, and leaves no trace in /boot / UEFI firmware logs. The 2024 UNC5221 / Velvet Ant Linux-persistence campaigns use kexec to swap the running kernel for an attacker-controlled variant with a rootkit pre-installed.

Rule ID: macos_gatekeeper_and_sip_tamper_playbook_executed
Severity: CRITICAL
Title: macOS Gatekeeper globally disabled (spctl --master-disable / --global-disable)
Description: A task executes spctl --master-disable or spctl --global-disable (macOS 14+ syntax) on a macOS host. This globally disables Gatekeeper - the OS-level check that every executable is signed by an Apple-notarized developer ID. With Gatekeeper off, any unsigned or malware-signed binary runs without warning, Quarantine attributes are ignored, and the 2020+ Apple notarization chain is bypassed entirely. This is the #1 macOS post-compromise action in the 2024 Mandiant M-Trends report (North-Korean BeaverTail, Charming-Kitten, and APT38 all use it).

Rule ID: macos_system_integrity_protection_disabled_csrutil
Severity: CRITICAL
Title: macOS System Integrity Protection (SIP) disabled via csrutil disable
Description: A task executes csrutil disable, csrutil authenticated-root disable, or nvram boot-args="rootless=0" - disabling System Integrity Protection (SIP), the kernel-enforced protection that prevents ANY process (including root) from modifying /System, /usr (except /usr/local), /bin, /sbin, Apple-signed kexts, or the boot environment. With SIP off, rootkits can install unsigned kernel extensions, modify the dyld shared cache to inject into every process, and persist across OS upgrades. csrutil can only run from Recovery Mode - any task that attempts it from a running macOS is a (non-functional) indicator of intent; any task that reboots to Recovery and runs it is actively subverting the OS security model.

Rule ID: mokutil_secure_boot_disabled_or_sbat_bypass
Severity: CRITICAL
Title: mokutil --disable-validation / sb-state Disable Or SBAT Bypass (Pre-OS Root Of Trust Broken)
Description: A task runs mokutil --disable-validation, mokutil --sb-state off, sbctl disable-secureboot, or writes a MokList entry that enrolls an attacker-controllable key (e.g. mokutil --import /path/to/<attacker>.der). Disabling Secure Boot at the shim layer allows arbitrary unsigned EFI binaries (bootkits) to execute pre-OS with DMA-capable access to memory. The 2023 BlackLotus UEFI bootkit, 2024 CosmicStrand, and 2024 Pikabot-EFI specifically require this step as persistence. Enterprise fleets that disable Secure Boot for driver-signing workarounds (NVIDIA, VirtualBox) create the exact window attackers exploit. Distinct from BIOS-level Secure Boot settings (firmware-managed) - this catches the OS-initiated shim/MokList bypass via mokutil.

Rule ID: openssh_regresshion_vulnerable_install
Severity: CRITICAL
Title: OpenSSH Installed/Pinned At Version Vulnerable To regreSSHion (CVE-2024-6387)
Description: A task installs or pins openssh-server / openssh at a version in the vulnerable range (glibc-based Linux, OpenSSH 8.5p1 through 9.7p1 inclusive, plus the reintroduced regression that affects 4.4p1 through 8.5p1 without the backported fix) AND sets LoginGraceTime to a non-zero default (120 sec), OR fails to pin >= 9.8p1. CVE-2024-6387 (Qualys, Jul 2024) is an unauthenticated race-condition -> pre-auth RCE as root on glibc Linux; every unpatched sshd listening on the internet is a one-packet takeover. The default debian/RHEL packages lagged the upstream patch by ~1-2 weeks, so version-pinned playbooks written in that window still install vulnerable sshd.

Rule ID: polkit_rule_world_allow_any_user
Severity: CRITICAL
Title: polkit Rule Installed In /etc/polkit-1/rules.d With polkit.Result.YES For Any User
Description: A task installs a *.rules file under /etc/polkit-1/rules.d/ or /usr/share/polkit-1/rules.d/ whose JavaScript body returns polkit.Result.YES for any subject/action without a proper subject check - e.g. polkit.addRule(function(action,subject){ return polkit.Result.YES; }) or if (subject.isInGroup('users')) return polkit.Result.YES. polkit rules run with full authority to grant any org.freedesktop.* authorisation to any PID that satisfies the (attacker-controlled) JS predicate - this is the persistence primitive used in Pwnkit (CVE-2021-4034) post-exploit and in 2024 Linux-ransomware persistence (Kinsing, XorDDoS) to elevate cron-scheduled tasks to root without entering a password.

Rule ID: postgres_alter_role_superuser
Severity: CRITICAL
Title: PostgreSQL ALTER ROLE WITH SUPERUSER (Unrestricted Cluster Takeover)
Description: A task runs ALTER ROLE <user> WITH SUPERUSER, CREATE ROLE <user> WITH SUPERUSER, or community.postgresql.postgresql_user with role_attr_flags: SUPERUSER. A Postgres SUPERUSER bypasses ALL permission checks, can execute COPY TO PROGRAM 'shell-cmd' (RCE as the postgres UNIX user), load arbitrary C extensions, read/write any file via pg_read_server_files, and change pg_hba.conf at runtime. The rule fires even on first grant - there’s never a legitimate reason to elevate an application role to SUPERUSER in a CI/CD playbook.

Rule ID: postgres_copy_program_rce_as_postgres
Severity: CRITICAL
Title: PostgreSQL COPY … PROGRAM Used From Playbook (RCE-As-postgres-User Primitive)
Description: A task issues a SQL statement via community.postgresql.postgresql_query, postgresql_script, or raw psql -c containing COPY <table> FROM PROGRAM '...' / COPY <table> TO PROGRAM '...'. COPY ... PROGRAM (PG 11+) executes the argument as a shell command in the postgres OS user context - it is the documented Postgres-superuser RCE primitive. Any SQL-injection finding in an application that eventually reaches a playbook-run query becomes a trivial RCE. Even legitimate use is a red flag because it requires the pg_execute_server_program role (PG 11+) / superuser privileges, which should never be granted to an Ansible-provisioned app role.

Rule ID: postgres_untrusted_language_extension_created
Severity: CRITICAL
Title: PostgreSQL CREATE EXTENSION plpython3u / plperlu / pltclu (OS Code Execution Primitive)
Description: A task runs CREATE EXTENSION plpython3u, CREATE EXTENSION plperlu, CREATE EXTENSION pltclu, CREATE EXTENSION plsh, or community.postgresql.postgresql_ext with one of those extensions. The u (untrusted) variants run with unrestricted access to the underlying OS as the postgres UNIX user - any function defined LANGUAGE plpython3u can os.system('/bin/sh -c <cmd>'). This is the standard PG-to-RCE pivot used in every Postgres CTF and in real-world attacks post-SQLi.

Rule ID: proc_self_mem_write_primitive
Severity: CRITICAL
Title: /proc/self/mem or /proc/<pid>/mem Write (Dirty-Pipe Style Primitive)
Description: Writes to /proc/self/mem or /proc/<pid>/mem, the primitive at the heart of Dirty Pipe (CVE-2022-0847), Dirty Cred, and suid-binary overwrite chains. Legitimate Ansible automation essentially never needs dd of=/proc/*/mem.

Rule ID: redis_module_load_arbitrary_so
Severity: CRITICAL
Title: Redis MODULE LOAD Of Arbitrary .so File (RCE-As-Redis-User Primitive)
Description: A task issues redis-cli MODULE LOAD /path/to/module.so, templates a Redis config file with loadmodule /path/to/module.so, or uses community.general.redis to run a MODULE LOAD command. Redis modules are C shared objects loaded into the redis-server process address-space with no sandbox - MODULE LOAD is effectively dlopen() as the redis user. Attacker-controlled .so paths (or attacker-controlled Redis configs pointing at a writable tmp-dir module) are one of the most common unauthenticated-Redis -> RCE chains exploited by 2024 H2Miner / Kinsing / Muhstik cryptomining botnets.

Rule ID: root_ssh_key_modification
Severity: CRITICAL
Title: Root SSH Key Modification
Description: Task targets /root/.ssh/authorized_keys directly. Modifying root’s authorized_keys plants persistent root SSH access on the host.

Rule ID: runc_leaky_vessels_vulnerable_install
Severity: CRITICAL
Title: runc Installed/Pinned At Version Vulnerable To Leaky Vessels (CVE-2024-21626)
Description: A task installs or pins runc / containerd.io / docker-ce at a version known vulnerable to CVE-2024-21626 (Leaky Vessels, Snyk Jan 2024) - specifically runc < 1.1.12, containerd < 1.6.28/< 1.7.13, Docker < 25.0.2. Leaky Vessels is a file-descriptor leak in runc run/exec that allows a malicious container image or a crafted WORKDIR/--workdir argument to escape the container and read/write the host filesystem - a full container-escape achievable with standard, non-privileged image pulls (no CAP_SYS_ADMIN required). In 2024-2025 this remains the most-exploited container-escape CVE per the Sysdig Threat Report.

Rule ID: setuid_binary_creation_compromise
Severity: CRITICAL
Title: SetUID Binary Creation (System Compromise Surface)
Description: chmod sets the setuid bit (4xxx mask or u+s). New setuid binaries are a textbook persistence/privesc primitive on Linux.

Rule ID: shadow_file_access
Severity: CRITICAL
Title: Shadow File Access
Description: /etc/shadow or /etc/gshadow is referenced in a task. Reading either requires root and is the shape used to stage offline password cracking.

Rule ID: userfaultfd_kernel_exploit_primitive
Severity: CRITICAL
Title: userfaultfd Syscall Enabled for Unprivileged Users (Kernel Exploit Primitive)
Description: Enables userfaultfd(2) for unprivileged users by writing 1 to /proc/sys/vm/unprivileged_userfaultfd or removing the sysctl hardening. userfaultfd is a documented exploitation primitive used in Dirty Pipe, Dirty Cred, and numerous io_uring / tmpfs races because it lets an attacker stall a kernel page-fault handler at an attacker-controlled address - turning many race-condition bugs into reliable privilege escalation.

Rule ID: web_shell_drop
Severity: CRITICAL
Title: Web Shell Drop to Webroot
Description: Writing executable scripts with shell-exec primitives into a webroot directory.

Rule ID: windows_defender_tamper
Severity: CRITICAL
Title: Windows Defender Configuration Tampering
Description: Uses Set-MpPreference to disable real-time protection / cloud protection / script scanning, Add-MpPreference to add broad exclusion paths (C:, %TEMP%, %APPDATA%), or modifies the DisableAntiSpyware registry key. These are direct defense-evasion primitives - an attacker disables EDR so subsequent tooling runs without alerts.

Rule ID: windows_shadow_copies_delete
Severity: CRITICAL
Title: Windows Shadow Copy / Backup Deletion
Description: Deletes Volume Shadow Copies or Windows Server Backup catalogs via vssadmin delete shadows, wbadmin delete catalog|backup, wmic shadowcopy delete, or PowerShell Remove-WmiObject Win32_ShadowCopy / Get-WmiObject … | Remove-WmiObject. This is a near-universal ransomware precursor that prevents rollback.

Rule ID: auditctl_failure_mode_silent
Severity: HIGH
Title: auditctl -f 0 Sets Audit Failure Mode To Silent (Buffer-Overflow Loss)
Description: A task runs auditctl -f 0 (or renders -f 0 into /etc/audit/audit.rules), which sets the audit subsystem’s failure mode to silent - when the audit buffer fills (DoS from an attacker creating thousands of events), further events are DISCARDED without panic or log entry. Production baselines require -f 1 (printk warning) or -f 2 (kernel panic) so an overflow cannot be exploited as an anti-forensic primitive. RHEL / CIS L2 / DISA STIG all require -f 2 on regulated workloads.

Rule ID: auditd_rules_flushed_auditctl_D
Severity: HIGH
Title: auditctl -D Flushes All Audit Rules (Blind-The-EDR Primitive)
Description: A task runs auditctl -D - which DELETES every loaded audit rule in-place without rewriting /etc/audit/rules.d/* - leaving the kernel audit subsystem running but with zero match rules. All syscalls, file watches, and exec events stop generating audit records until a reload. This is the canonical quiet-the-EDR step used by TeamTNT, Kinsing, Perfctl, and the 2024 SandStrike Linux implant - distinct from auditctl -e 0 (which disables audit entirely) because the audit service appears healthy in systemctl status auditd and service auditd status, while producing zero events. The existing audit_disable rule only catches -e 0; this one catches the silent-flush variant.

Rule ID: clickhouse_access_management_user_enabled
Severity: HIGH
Title: ClickHouse User With access_management=1 (Privilege-Granting Backdoor)
Description: A ClickHouse users.xml / SQL-based access config has <access_management>1</access_management> (or access_management=1) on a non-admin user. This gives the user the ability to CREATE/DROP/GRANT any role or user in the cluster - a full administrative escalation path. Combined with default ClickHouse installs that leave the default user unauthenticated on 9000/tcp, this is a common finding in the 2024 Censys report on exposed ClickHouse.

Rule ID: crontab_modification
Severity: HIGH
Title: Crontab Modification
Description: crontab -e/-u, /etc/cron*, or /var/spool/cron is being edited. Cron units are a classic persistence mechanism that survives reboot and runs as the cron user.

Rule ID: dll_search_order_hijack_drop_into_system_or_program_files
Severity: HIGH
Title: DLL Search-Order / Side-Loading Hijack - DLL Dropped Into System32 Or Program Files App Directory
Description: A task writes / copies a .dll or .ocx file via win_copy, win_file, copy, fetch, or ansible.windows.win_copy to a Windows DLL search-order location: C:\Windows\System32\, C:\Windows\SysWOW64\, C:\Windows\ (root), the current directory of a running service (C:\Program Files\<vendor>\<app>\), or user profile directories where trusted apps search (%AppData%\Microsoft\Office\, %LocalAppData%\Microsoft\Teams\current\, %ProgramData%\Microsoft\Windows\Start Menu\). Windows’ DLL search order (Known DLLs -> System -> 16-bit System -> Windows -> Current -> PATH) is well-documented; an attacker drops a DLL with a name the target application LoadLibrary’s without a full path (e.g. version.dll, wininet.dll, secur32.dll, propsys.dll, oci.dll) and the app loads the attacker’s copy on next startup - executing attacker code with the APP’s privileges. MITRE T1574.001. Sysinternals ‘Process Monitor’ filtered on NAME NOT FOUND on .dll loads still shows dozens of hijackable locations on every fresh Windows install in 2024.

Rule ID: file_permission_777
Severity: HIGH
Title: Dangerous File Permissions (777)
Description: chmod 777 is applied to a file, leaving it world-writable. Any local user can replace the contents, defeating any integrity assumption that depended on the path.

Rule ID: firewall_rule_modification
Severity: HIGH
Title: Firewall Rule Modification
Description: iptables / ufw / firewall-cmd is invoked with disable, flush, or delete. The shape erases network controls and is often the first move before a noisier attack stage.

Rule ID: grub2_password_not_set_with_custom_kernel_entries
Severity: HIGH
Title: GRUB2 Superuser/Password Missing With Custom Or Rescue Kernel Entry Defined
Description: A task renders /etc/grub.d/40_custom / /etc/grub.d/41_custom (custom GRUB entries) OR defines a rescue kernel entry in /boot/grub2/user.cfg WITHOUT also setting set superusers="..." + password_pbkdf2 <user> grub.pbkdf2.sha512.10000..... Without a GRUB password, anyone with physical access (or a KVM / iLO / DRAC console) can boot the kernel with init=/bin/bash for an unauthenticated root shell - bypassing disk encryption unlock prompts that rely on the boot chain having been tamper-protected. CIS L1 for every Linux benchmark requires GRUB password protection. The custom-entry variant is specifically dangerous because custom entries often omit ${CLASS} -> inherit no password restriction even if the default entry has one.

Rule ID: grub_password_disabled_or_set_from_playbook
Severity: HIGH
Title: GRUB Password Set Inline From Playbook Or Boot Menu Unlocked
Description: A task renders /etc/grub.d/40_custom / /etc/default/grub with set superusers="" (empty), --unrestricted on a menu entry, or a grub.pbkdf2.sha512 hash set from an inline variable. Empty superusers disable boot-menu authentication entirely (allowing init=/bin/bash single-user escalation at the console). Inline-provisioned GRUB password hashes end up in Git/CI logs, defeating the control they’re meant to enforce.

Rule ID: io_uring_runtime_enabled_without_seccomp_filter
Severity: HIGH
Title: io_uring Runtime Enabled On Host Without Seccomp/AppArmor Filter
Description: A task sets kernel.io_uring_disabled = 0 in sysctl, loads the io_uring module via modprobe, or renders a Docker/Kubernetes config with io_uring explicitly enabled in the seccomp profile ("defaultAction": "SCMP_ACT_ALLOW" for io_uring_* syscalls). io_uring is the Linux kernel’s async-IO subsystem - since 5.1 it has accumulated >30 CVEs (CVE-2024-0582, CVE-2024-1086, CVE-2023-6932, CVE-2022-1015) most of which are unauthenticated container-to-kernel LPE. Critically, io_uring operations BYPASS most eBPF-based runtime detection (Falco, Tetragon) because syscalls are issued via a shared ring buffer, not through sys_enter_*. Google (2023), DigitalOcean (2024), and ChromeOS (2024) all disabled io_uring host-wide citing this tradeoff.

Rule ID: journald_storage_none_or_volatile
Severity: HIGH
Title: systemd-journald Storage=none Or =volatile (Log Persistence Eliminated)
Description: A task renders /etc/systemd/journald.conf (or a journald.conf.d/*.conf drop-in) with Storage=none (no journal written anywhere, events only in-memory with runtime view) or Storage=volatile (in-memory tmpfs under /run/log/journal, wiped on reboot). On a system without rsyslog/syslog-ng catching the journal, this eliminates all post-reboot forensic evidence of intrusion. Distinct from the existing rsyslog_or_journald_stopped_masked rule which catches the service-stop variant - this one catches the Storage= setting which silently disables persistence while the service appears fully running.

Rule ID: kernel_fs_protected_symlinks_disabled
Severity: HIGH
Title: fs.protected_symlinks Or fs.protected_hardlinks Disabled (TOCTOU / symlink-race Primitive)
Description: A task sets fs.protected_symlinks = 0 or fs.protected_hardlinks = 0. These sysctls (enabled by default on every mainstream distro since 2013) block the canonical /tmp symlink-race / TOCTOU pattern: a sticky-bit directory with a writable file owned by another user is dereferenced by a privileged process that follows a symlink implanted by an attacker. Disabling them reintroduces a 20-year-old exploitation class used by tmpwatch, logrotate, and any CI runner that writes into /tmp / /var/tmp. The 2024 cron + inotifywait privesc PoC specifically requires one of these to be 0.

Rule ID: kernel_module_loading
Severity: HIGH
Title: Kernel Module Loading (Ring-0 Code Execution Surface)
Description: insmod / modprobe / rmmod is invoked. Kernel modules run with full ring-0 privilege; loading an unverified module is equivalent to root code execution in the kernel.

Rule ID: kernel_perf_event_paranoid_lowered_or_unprivileged_bpf_enabled
Severity: HIGH
Title: kernel.perf_event_paranoid Lowered Or kernel.unprivileged_bpf_disabled=0 (Userland Tracing / BPF Primitive)
Description: A task sets kernel.perf_event_paranoid to -1, 0, or 1 (default is 2 on Debian/Ubuntu/RHEL 9+, 3 on hardened kernels) OR sets kernel.unprivileged_bpf_disabled to 0 (default 1/2). Lowered perf_event_paranoid permits unprivileged users to run perf record / perf trace on arbitrary processes - enabling syscall tracing, stack unwinding, and TSC-skew side-channel attacks (used in 2024 RetBleed and Downfall exploit chains). Setting unprivileged_bpf_disabled=0 permits unprivileged BPF program loading - the exact primitive used in CVE-2022-23222 (BPF pointer arithmetic escape), CVE-2023-2163 (BPF verifier bypass), and the 2024 BPFDoor variants. Red Hat’s 2024 hardening guide for RHEL 9 explicitly requires perf_event_paranoid >= 2 and unprivileged_bpf_disabled = 1.

Rule ID: kernel_unprivileged_userns_clone_enabled
Severity: HIGH
Title: kernel.unprivileged_userns_clone Set To 1 (User-Namespace Escape Primitive)
Description: A task sets kernel.unprivileged_userns_clone = 1 or user.max_user_namespaces to a non-zero value on a Debian/Ubuntu/RHEL fleet where the distro default disables unprivileged userns. Unprivileged user-namespaces are the prerequisite for the 2024 CVE-2024-1086 nft_verdict_init UAF (Pwn2Own Toronto -> root), CVE-2024-26808 netfilter-userns, and every runc / containerd escape since 2019. Systems that don’t run rootless containers (Podman, Bubblewrap, Flatpak) have zero operational need to enable it.

Rule ID: kernel_yama_ptrace_scope_disabled
Severity: HIGH
Title: kernel.yama.ptrace_scope Set To 0 (Cross-Process Memory Read Enabled)
Description: A task sets kernel.yama.ptrace_scope = 0 in sysctl / sysctl.d / /proc, which DISABLES the YAMA LSM’s ptrace restriction and allows ANY process owned by a user to PTRACE_ATTACH ANY other process of the same user - including gpg-agent, ssh-agent, browsers holding session cookies, 1Password CLI, and keyring daemons. Default since Ubuntu 10.10, Fedora, RHEL 8+ is 1 (child-only). Dropping to 0 is the exact post-exploitation step used by Pegasus/Predator droppers, APT41, and the 2024 xz backdoor research to dump credential caches from long-lived session agents without root. No legitimate production workload needs scope=0.

Rule ID: lsm_apparmor_selinux_runtime_permissive
Severity: HIGH
Title: SELinux setenforce 0 / AppArmor aa-complain Applied At Runtime (LSM Downgrade)
Description: A task runs setenforce 0 (SELinux runtime -> permissive), setsebool with -N on a security-critical boolean, aa-complain /etc/apparmor.d/usr.sbin.*, aa-disable, or apparmor_parser -R on a loaded profile. Distinct from the existing selinux_disabled rule (which catches /etc/selinux/config SELINUX=disabled requiring reboot) - this catches the runtime downgrade that persists until next boot WITHOUT changing any on-disk config, making it a stealth primitive. Used in Sandfly Security’s 2024 Linux-rootkit research as the step between ‘got shell’ and ‘drop kernel module’.

Rule ID: mysql_grant_file_privilege
Severity: HIGH
Title: MySQL GRANT FILE Privilege (Arbitrary File Read/Write Primitive)
Description: A task runs GRANT FILE ON *.* TO '<user>'@'%' (or community.mysql.mysql_user with priv: '*.*:FILE'). The FILE privilege lets the grantee use SELECT ... INTO OUTFILE, LOAD DATA INFILE, and LOAD_FILE() - giving arbitrary file read/write as the mysqld process user across any path mysqld has filesystem access to. This is THE classic MySQL privesc-to-RCE primitive: read /etc/shadow, write a webshell into the document root, or plant a UDF library in the plugin dir (plugin_dir) to load as CREATE FUNCTION ... SONAME.

Rule ID: privilege_escalation_sudo
Severity: HIGH
Title: Privilege Escalation via Sudo
Description: Task attempts to escalate privileges using sudo with user input.

Rule ID: ssh_keygen_empty_passphrase_privileged_key
Severity: HIGH
Title: ssh-keygen Generates Privileged Key With Empty Passphrase
Description: A task runs ssh-keygen with -N '' (empty passphrase) AND a destination under /root/.ssh/, /home/root/.ssh/, or a system-account home (-f /etc/..., -f /var/...). An at-rest passphraseless private key for a privileged account becomes a one-shot lateral-movement primitive: any host-level read (backup theft, container layer leak, snapshot mount, or a follow-on file-disclosure CVE) yields a usable login credential against every host the corresponding public key has been distributed to. Server host keys (which need to be passphraseless to start sshd unattended) are covered by the existing weak-hostkey rule and explicitly excluded here.

Rule ID: sshd_weak_hostkey_dsa_or_rsa_under_2048
Severity: HIGH
Title: SSH HostKey Generated As DSA Or RSA < 2048 Bits (Weak Server Identity)
Description: A task runs ssh-keygen -t dsa (DSA is deprecated since 2015, removed from OpenSSH 9.8 in 2024), ssh-keygen -t rsa -b 1024 / -b 1536 (below NIST SP 800-131A minimum 2048), or writes a HostKey directive in sshd_config pointing at such a key. A weak host key lets an on-path attacker (with months of quantum-adversary compute, or in-the-wild today for RSA-1024 via dedicated hardware) forge the server’s identity, defeating SSH’s primary integrity guarantee. Distinct from sshd_password_authentication_enabled (user-authN) - this catches the server-identity weakness which affects EVERY session regardless of auth method.

Rule ID: systemd_timer_persistence_world_writable_unit
Severity: HIGH
Title: systemd Timer + Service Unit Dropped With Suspicious ExecStart Or World-Writable Path
Description: A task creates a paired .timer + .service unit under /etc/systemd/system/ or ~/.config/systemd/user/ whose ExecStart= references a world-writable directory (/tmp, /var/tmp, /dev/shm), a base64 payload (bash -c 'echo <b64> | base64 -d | bash'), or a script downloaded inline with curl | bash. systemd timers are the Linux equivalent of scheduled tasks and the #1 persistence primitive in 2024-2025 Linux intrusion reports (MITRE T1053.006).

Rule ID: firmware_update_service_disabled_fwupd_uefi_capsule
Severity: MEDIUM
Title: fwupd / UEFI Capsule Update Service Disabled Or Masked (Firmware Patching Blocked)
Description: A task runs systemctl mask fwupd / systemctl disable --now fwupd, sets DisabledPlugins=* or UpdateMotd=false + EnableUefiCapsuleUpdates=false in /etc/fwupd/fwupd.conf, or removes the fwupd-refresh.timer. fwupd is the Linux mechanism that applies UEFI/BIOS/microcode capsule updates published via LVFS (Linux Vendor Firmware Service) - disabling it blocks every CPU microcode patch (including post-discovery Spectre/Meltdown/Retbleed/Inception/Downfall/Reptar class fixes) AND every UEFI firmware patch (BlackLotus, MoonBounce, CosmicStrand mitigations). Distinct from generic unattended-upgrades - this is the specific firmware-layer patching channel.

Rule ID: journald_rate_limit_burst_zero_disables_capture
Severity: MEDIUM
Title: systemd-journald RateLimitBurst=0 With Short Interval (Event Dropping Primitive)
Description: A task renders /etc/systemd/journald.conf with RateLimitBurst=0 combined with a non-zero RateLimitIntervalSec - which in systemd ≥ 240 is the documented way to DISABLE rate-limiting but in older systemd (≤ 239) is the pathological config that rate-limits every message to zero within the interval (i.e. total silencing). More commonly: RateLimitBurst=1 + RateLimitIntervalSec=1h silences the log file after one event per hour - a plausible-looking config that destroys forensic timelines. Any explicit rate-limit config on a host with CIS-L2 baseline is suspect because CIS requires rate-limit=off.

Rule ID: kernel_dmesg_restrict_disabled
Severity: MEDIUM
Title: kernel.dmesg_restrict Set To 0 (Kernel Log Readable By Unprivileged Users)
Description: A task sets kernel.dmesg_restrict = 0, which allows any unprivileged user to read /dev/kmsg and dmesg(1) output. Kernel logs routinely contain driver addresses, %p pointer leaks, oopses with RIP/RSP values, crypto key fingerprints, and disk layout - all of which defeat KASLR and are the direct information-leak primitive exploited in the 2024 cachewarp / retbleed / Inception PoCs. RHEL 7+, Ubuntu 22.04+, Debian 12+ all default to 1. Dropping to 0 has no legitimate operational benefit - use journalctl -k with adm-group membership for ops staff.

Rule ID: kernel_kptr_restrict_disabled
Severity: MEDIUM
Title: kernel.kptr_restrict Set To 0 (Kernel Pointer Leak, KASLR Defeated)
Description: A task sets kernel.kptr_restrict = 0, which causes %pK printk format specifiers to leak raw kernel pointers via /proc/kallsyms, /proc/modules, /proc/net/*, /sys/kernel/* - readable by any user. Raw pointers immediately defeat Kernel ASLR and convert otherwise-unreliable 1-byte-OOB-write bugs into deterministic LPE. Mainline default is 2 (never show pointers to anyone). Debian/Ubuntu default is 1 (admin-only).

Rule ID: kernel_net_rp_filter_disabled
Severity: MEDIUM
Title: net.ipv4.conf.all.rp_filter Set To 0 (Reverse-Path Filtering Disabled, IP Spoofing Enabler)
Description: A task sets net.ipv4.conf.all.rp_filter = 0 (or default.rp_filter = 0), which disables the kernel’s reverse-path source-address validation. This allows the host to both accept spoofed inbound packets (e.g. pretend-to-be-loopback packets from the wire) AND forward locally-spoofed egress packets - the exact primitives used in DNS-cache-poisoning side-channels (SADDNS / CVE-2020-25705), cross-cluster pod spoofing on flat CNI networks, and kube-apiserver impersonation when combined with API-server trust of X-Forwarded-For. Mainline default is 2 (loose) on most distros, 1 on systemd-networkd - 0 is always a regression.

Rule ID: system_service_manipulation
Severity: MEDIUM
Title: System Service Manipulation
Description: systemctl start/stop/enable/disable/mask receives a {{ … }} expression as its unit name. User-controlled unit names allow attackers to disable security services or enable rogue ones.

Rule ID: user_account_creation
Severity: MEDIUM
Title: User Account Creation with Privileges
Description: useradd -G or usermod -aG adds an account into sudo/wheel/admin. New administrative accounts are a textbook persistence mechanism.