Skip to content

Event: filesystem_fingerprint

Quick Explanation

The filesystem_fingerprint recipe detects access to files that contain detailed system information. These attempts can range from benign tasks to preparatory steps for malicious actions like data exfiltration. When detected during CI/CD pipeline execution, it raises concerns about unnecessary access to low-level system information, potentially introducing security vulnerabilities.

More Information

Information

  1. Description: Filesystem fingerprint
  2. Category: Discovery
  3. Method: System Information Discovery
  4. Importance: Low

Analysis of the Event

The filesystem_fingerprint detection event is triggered when specific system files related to disk and filesystem configurations are accessed in a manner suggesting an attempt to gather detailed system information. According to the MITRE ATT&CK framework, this activity falls under the Discovery category, specifically System Information Discovery (T1082). The intention behind accessing these files can range from routine system management tasks to preparatory steps for more invasive actions by an adversary, such as data exfiltration or privilege escalation.

The files targeted in this detection (/etc/fstab, /proc/diskstats, /proc/filesystems, etc.) are crucial for understanding the layout and usage of filesystems and storage on a Linux system. Accessing these files can reveal information about storage devices, partition configurations, and mounted filesystems, which could be used to tailor further attacks or evade defenses based on system configuration.

Implications for the CI/CD Pipeline

Detecting such an event during a CI/CD pipeline execution raises concerns about why build processes require access to low-level system information, which is generally unnecessary for most build and test operations. If left unaddressed and merged into production code, it could indicate potential security flaws or vulnerabilities being introduced into the environment. This could lead to unauthorized disclosure of sensitive information about server configurations in a production environment, potentially aiding attackers in crafting targeted attacks.

To mitigate risks associated with this detected event:

  1. Review Recent Code Changes: Examine pull requests and code commits that were part of the pipeline run when this detection occurred. Look specifically for new scripts or modified code that accesses the mentioned system files.
  2. Validate Necessity and Intent: Determine whether access to these specific files is justified within the application's functionality. Consult with development teams if necessary to understand the context of these operations.
  3. Implement Safeguards: If file access is legitimate but sensitive:
  4. Restrict file access permissions to only those processes that absolutely need it.
  5. Monitor access patterns using security tools like Jibril and set up alerts for unusual access patterns.
  6. Enhance Monitoring: Increase logging around access to sensitive files during both development and production phases. Use these logs to detect anomalous behavior early.
  7. Educate Developers: Provide training on secure coding practices and raise awareness about potential security risks associated with unnecessary file access within applications.
  8. Update Security Policies: Amend existing security policies within your CI/CD pipeline to include checks against unnecessary or high-risk accesses as part of your regular security audits.

By following these steps, you can help ensure that your infrastructure remains secure against attempts to exploit system information both during development and after deployment into production environments.