System Hardening Monitor

This option group detects changes to user-configurable files that are considered sensitive for maintaining the security posture of the operating system. It detects modifications of the system configuration that change whether code runs automatically during system startup. This behavior is normal if an administrator needs to change autorun behavior. If unexpected, it can indicate that the system is being prepared to operate outside established security policy, or that it is about to be compromised.
Various areas are monitored to generate events for the administrator if either of the following entities changed any of the selected values:
  • Malware
  • A malicious individual attempting to lower the security posture of the host system

Description of the Daemon Run Level RC.D Monitor parameters used

Parameter            Description
Option Path          System Hardening Monitor > System Auto Start Change Options
Option               Daemon Run Level RC.D Monitor
Rule Name            AutoStart_RC.D_Monitor
Severity             Warning
File Paths           /etc/rc.*
                     /etc/rc.d/*
                     /etc/init.d/*
Additional Settings  You can also monitor the following events:
                       • Monitor Value Addition to Run Level Files
                       • Monitor Value Removal to Run Level Files
                       • Monitor File Modification
                       • Monitor File Creation
                       • Monitor File Removal
Description          Detects changes to the daemon rc files on the device.

Description of the System Run Level INITTAB Monitor parameters used

Parameter            Description
Option Path          System Hardening Monitor > System Auto Start Change Options
Option               System Run Level INITTAB Monitor
Rule Name            AutoStart_Inittab_Monitor
Severity             Warning
File Paths           /etc/inittab
Additional Settings  You can also monitor the following events:
                       • Monitor Value Additions to the Inittab File
                       • Monitor Value Removal to the Inittab File
                       • Monitor File Modification
                       • Monitor File Creation
                       • Monitor File Removal
Description          Detects changes to the inittab file on the device.
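
The five event types listed for both monitors can be reproduced with a baseline-and-compare check, shown here as an added example that is not the product's own code. The snapshot() and compare() functions, the root parameter, and the definition of a "value" as a non-blank, non-comment line are assumptions; the rule names and file paths are taken from the tables above.

```python
import glob, hashlib, os

# Rule names and file paths come from the parameter tables above.
RULES = {
    "AutoStart_RC.D_Monitor": ["/etc/rc.*", "/etc/rc.d/*", "/etc/init.d/*"],
    "AutoStart_Inittab_Monitor": ["/etc/inittab"],
}

def snapshot(root="/"):
    """Map each monitored file to (rule, sha256 digest, set of entries).

    `root` is an assumption added so the check can run against a copy of
    the filesystem. Patterns are expanded one level deep (no recursion).
    """
    snap = {}
    for rule, patterns in RULES.items():
        for pattern in patterns:
            for path in glob.glob(os.path.join(root, pattern.lstrip("/"))):
                if not os.path.isfile(path):
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
                lines = data.decode("utf-8", "replace").splitlines()
                # An "entry" is any non-blank, non-comment line.
                entries = {ln.strip() for ln in lines
                           if ln.strip() and not ln.lstrip().startswith("#")}
                name = "/" + os.path.relpath(path, root)
                snap[name] = (rule, hashlib.sha256(data).hexdigest(), entries)
    return snap

def compare(old, new):
    """Return sorted (rule, event, path, detail) tuples for each change."""
    events = []
    for path in old.keys() | new.keys():
        if path not in old:
            events.append((new[path][0], "File Creation", path, ""))
        elif path not in new:
            events.append((old[path][0], "File Removal", path, ""))
        elif old[path][1] != new[path][1]:
            rule, _, before = old[path]
            after = new[path][2]
            events.append((rule, "File Modification", path, ""))
            events += [(rule, "Value Addition", path, e) for e in after - before]
            events += [(rule, "Value Removal", path, e) for e in before - after]
    return sorted(events)
```

Store the baseline snapshot somewhere the monitored host cannot rewrite, and treat any event that does not match an approved change as the Warning-severity condition the rules describe.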