
Insider Threat Matrix™

  • ID: IF014.006
  • Created: 20th June 2024
  • Updated: 27th July 2024
  • Contributor: The ITM Team

Deletion of Other IT Resources

The subject deletes IT resources resulting in harm to the organization. Examples include virtual machines, virtual disk images, user accounts, and DNS records.

Prevention

PV002 - Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and periodic reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete the duties of their role.

Detection

DT037 - auditd File Access

Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.


Below is an example auditd rule to detect file access:


sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following line:

-w /path/to/directory -p war -k file_access

-w specifies the file or directory to monitor

-p specifies the permissions to monitor (write, attribute change, read)

-k specifies the key to help identify the rule


To review audit logs related to this rule, use ausearch (ausearch -k file_access) or search the raw audit log for the key with grep (sudo grep file_access /var/log/audit/audit.log).
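Grepping for the key shows that the rule fired, but for this technique the question is who deleted what. The following is an added example, not part of the ITM page or of auditd's own tooling: a small POSIX shell function that reads raw audit.log records, keeps the SYSCALL records tagged with the watch key, and pairs each with its PATH record whose nametype is DELETE, printing the event serial, the login user (auid), the executable and the removed path. The log lines in SAMPLE_LOG are constructed for the example; the field names used (msg serial, auid, exe, key, nametype, name) are the standard ones auditd writes, but real records carry many more fields.

```shell
#!/bin/sh
# Added example: report deletions caught by a "-w <dir> -p war -k file_access"
# watch. SAMPLE_LOG is constructed; events 4001 and 4003 are deletions under the
# watched key, 4002 is a read, 4004 is a deletion under a different key.
SAMPLE_LOG='type=SYSCALL msg=audit(1719900000.101:4001): arch=c000003e syscall=87 success=yes exit=0 ppid=3000 pid=3001 auid=1001 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="file_access"
type=PATH msg=audit(1719900000.101:4001): item=0 name="/srv/vm/images/" inode=1200 nametype=PARENT
type=PATH msg=audit(1719900000.101:4001): item=1 name="/srv/vm/images/web01.qcow2" inode=1201 nametype=DELETE
type=SYSCALL msg=audit(1719900000.205:4002): arch=c000003e syscall=257 success=yes exit=3 ppid=3000 pid=3005 auid=1002 uid=1002 gid=1002 euid=1002 comm="cat" exe="/usr/bin/cat" key="file_access"
type=PATH msg=audit(1719900000.205:4002): item=0 name="/srv/vm/images/README" inode=1202 nametype=NORMAL
type=SYSCALL msg=audit(1719900000.310:4003): arch=c000003e syscall=84 success=yes exit=0 ppid=3000 pid=3010 auid=1003 uid=1003 gid=1003 euid=1003 comm="rmdir" exe="/usr/bin/rmdir" key="file_access"
type=PATH msg=audit(1719900000.310:4003): item=1 name="/srv/vm/images/snapshots" inode=1300 nametype=DELETE
type=SYSCALL msg=audit(1719900000.400:4004): arch=c000003e syscall=87 success=yes exit=0 ppid=3000 pid=3020 auid=1001 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="tmp_cleanup"
type=PATH msg=audit(1719900000.400:4004): item=1 name="/tmp/scratch" inode=9 nametype=DELETE'

# Print "serial auid exe path" for every event tagged with the given audit key
# that removed something (a PATH record with nametype=DELETE).
# Usage: printf '%s\n' "$log" | report_deletions file_access
report_deletions() {
  awk -v key="$1" '
    # Extract field=value (quoted or bare) from an audit record; "" if absent.
    function field(rec, name,   m) {
      if (match(rec, " " name "=\"[^\"]*\"")) {
        m = substr(rec, RSTART, RLENGTH)
        sub(" " name "=\"", "", m); sub("\"$", "", m); return m
      }
      if (match(rec, " " name "=[^ ]*")) {
        m = substr(rec, RSTART, RLENGTH)
        sub(" " name "=", "", m); return m
      }
      return ""
    }
    # The event serial is the number after the colon in msg=audit(ts:serial).
    function event_id(rec,   m) {
      match(rec, "audit\\([0-9.]+:[0-9]+\\)")
      m = substr(rec, RSTART, RLENGTH)
      sub(".*:", "", m); sub("\\)", "", m); return m
    }
    # SYSCALL records come first in an event; remember who acted under our key.
    /^type=SYSCALL/ && field($0, "key") == key {
      id = event_id($0); auid[id] = field($0, "auid"); exe[id] = field($0, "exe")
    }
    # A DELETE path record that belongs to a remembered event is a hit.
    /^type=PATH/ && field($0, "nametype") == "DELETE" {
      id = event_id($0)
      if (id in auid) print id, auid[id], exe[id], field($0, "name")
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | report_deletions file_access
```

On a live system the same function can be fed with `sudo cat /var/log/audit/audit.log | report_deletions file_access`; the auid column is the value to pivot on, since it survives sudo and su and identifies the login user rather than the effective uid of the deleting process.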