The system must verify and log changes in the integrity of critical system files.
CAPEC-13: Subverting Environment Variable Values. The attacker directly or indirectly modifies environment variables used by or controlling the target software.
CAPEC-23: File Content Injection. An attack of this type exploits the host’s trust in executing remote content, including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the adversary and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files.
CAPEC-35: Leverage Executable Code in Non-Executable Files. An attack of this type exploits a system’s trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g., application server) to execute based on the malicious configuration parameters.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths. This pattern of attack sees an adversary load a malicious resource into a program’s standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components.
CAPEC-154: Resource Location Spoofing. An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.
CAPEC-176: Configuration/Environment Manipulation. An attacker manipulates files or settings external to a target application which affect the behavior of that application.
CIS Controls. 5.3 Securely Store Master Images. Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
CWE-778: Insufficient Logging. When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.
OWASP-ASVS v4.0.1 V14.1 Build.(14.1.5) Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering.
PCI DSS v3.2.1 - Requirement 10.2.2 Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.
PCI DSS v3.2.1 - Requirement 10.2.6 Implement automated audit trails for all system components to reconstruct creation and deletion of system-level objects.
PCI DSS v3.2.1 - Requirement 10.4.2 Time data is protected.
PCI DSS v3.2.1 - Requirement 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.