The self-protection triggers detect commands or file changes with the potential to interfere with the Cmd agent. When we import these triggers to customer systems they come complete with queries, and include a ‘create notice’ action. It’s up to you to configure any additional actions that would support your security plan, such as by stopping the command, requiring authorization, or creating a higher-priority alert.

The triggers vary in the likelihood of their firing due to normal, authorized server operations. They may also fire due to non-standard software installed on a server, so we recommend testing thoroughly before implementing restrictive trigger actions. The default ‘create notice’ actions provide accessible data about how the triggers interact with your systems.

Built-in agent protection:

Regardless of trigger configuration, the agent ensures that $LD_PRELOAD continues to be set correctly, and prevents certain Linux signals which could interfere with the agent.

Agent self-protection triggers

1. Loader Protection

Type: File

CQL Query:
file_name IN '/etc/ld.so.cache,/etc/ld.so.conf,/etc/ld.so.conf.d/libc.conf,/etc/ld.so.conf.d/x86_64-linux-gnu.conf'

Purpose: Detect attempts to modify common configuration files which Cmd alters during installation (other programs use these too).


2. IPC Namespace Protection

Type: Command

CQL Query: cmd_root = 'unshare' AND cmd_parameters = '*i*'

Purpose: Detect a command with the potential to bypass the Cmd agent for the remainder of an ongoing session.


3. Stop Cmd Service Disabling

Type: Command

CQL Query:
( cmd_parameters = '*cmd*' AND ( cmd_parameters = '*stop*' OR cmd_parameters = '*restart*' OR cmd_parameters = '*disable*' OR cmd_parameters = '*off*' ) AND ( cmd_root = 'systemctl' OR cmd_root = 'initctl' OR cmd_root = 'service' OR cmd_root = 'chkconfig' ) )

Purpose: Detect attempts by someone with root privileges to disable the Cmd agent, or to stop it from starting again after the server restarts.


4. Block Removal of Systemd Symlinks

Type: File

CQL Query: file_name = '/etc/systemd/system/multi-user.target.wants/cmd.service'

Purpose: Detect attempts to modify a Cmd symlink, which could stop Cmd from starting after a server restart.


5. Block Overriding of Systemd Start for Cmd

Type: File

CQL Query: file_name = '/etc/systemd/system/cmd.service.d/override.conf'

Purpose: Detect attempts to disable the Cmd service.


6. Protect Cmd Install Files

Type: File

CQL Query:
file_name = '/etc/cmd/*' OR file_name = '/var/lib/cmd/*' OR file_name = '/var/run/cmd/*' OR file_name = '/etc/init/cmd/*' OR file_name = '/etc/systemd/system/cmd.service*' OR file_name = '/lib/x86_64-linux-gnu/libinjector.so' OR file_name = '/lib/x86_64-linux-gnu/security/pam_cmd.so'

Purpose: Detect attempts to modify the files and binaries that Cmd creates when installed. We recommend configuring this trigger with (at minimum) a “create alert” action, since there are few legitimate reasons to allow modification of security software binaries on your production servers.
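As an added example (not Cmd's own evaluator), this Python script dry-runs the six queries above against constructed command and file events so you can see which triggers fire, and where they overlap, before attaching restrictive actions. It assumes that a CQL `=` with `*` is a glob match and that `IN` takes a comma-separated quoted list; neither is confirmed by this page.

```python
# Added example, not Cmd's own code. Assumed CQL semantics: '=' with '*' is a
# case-sensitive glob match and IN splits its quoted list on commas.
from fnmatch import fnmatchcase

def match(value, pattern):
    """Glob comparison assumed for '=' (exact match when no '*' is present)."""
    return value is not None and fnmatchcase(value, pattern)

def any_match(value, *patterns):
    return any(match(value, p) for p in patterns)

LOADER_FILES = ("/etc/ld.so.cache,/etc/ld.so.conf,/etc/ld.so.conf.d/libc.conf,"
                "/etc/ld.so.conf.d/x86_64-linux-gnu.conf").split(",")
INSTALL_FILES = ["/etc/cmd/*", "/var/lib/cmd/*", "/var/run/cmd/*", "/etc/init/cmd/*",
                 "/etc/systemd/system/cmd.service*",
                 "/lib/x86_64-linux-gnu/libinjector.so",
                 "/lib/x86_64-linux-gnu/security/pam_cmd.so"]

# One predicate per trigger, transcribed from the queries on this page.
TRIGGERS = {
    "Loader Protection": lambda e: e.get("file_name") in LOADER_FILES,
    "IPC Namespace Protection": lambda e: match(e.get("cmd_root"), "unshare")
        and match(e.get("cmd_parameters"), "*i*"),
    "Stop Cmd Service Disabling": lambda e: match(e.get("cmd_parameters"), "*cmd*")
        and any_match(e.get("cmd_parameters"), "*stop*", "*restart*", "*disable*", "*off*")
        and any_match(e.get("cmd_root"), "systemctl", "initctl", "service", "chkconfig"),
    "Block Removal of Systemd Symlinks": lambda e: match(
        e.get("file_name"), "/etc/systemd/system/multi-user.target.wants/cmd.service"),
    "Block Overriding of Systemd Start for Cmd": lambda e: match(
        e.get("file_name"), "/etc/systemd/system/cmd.service.d/override.conf"),
    "Protect Cmd Install Files": lambda e: any_match(e.get("file_name"), *INSTALL_FILES),
}

def fired(event):
    """Names of the triggers whose query matches this command or file event."""
    return sorted(name for name, query in TRIGGERS.items() if query(event))

# Constructed sample events (not real agent data).
SAMPLE_EVENTS = [
    {"cmd_root": "systemctl", "cmd_parameters": "stop cmd"},
    {"cmd_root": "systemctl", "cmd_parameters": "status cmd"},
    {"cmd_root": "unshare", "cmd_parameters": "--pid --fork bash"},  # '*i*' also matches "pid"
    {"file_name": "/etc/systemd/system/cmd.service.d/override.conf"},  # two triggers overlap
    {"file_name": "/etc/ld.so.conf.d/libc.conf"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", fired(event) or "no trigger")
```

The third event shows why testing matters: `'*i*'` fires on any `unshare` parameter string containing the letter i, not only on the IPC flag.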
To import these triggers in bulk:

Contact us.



Additional Resources:

An overview of Cmd triggers

Understanding CQL values
