Title

A root kit check tool must be run on the system at least weekly. (Cat II impact)

Discussion

Root kits are software packages designed to conceal the compromise of a system from the SA. Root kit checking tools examine a system for evidence of an installed root kit. Dedicated root kit detection software or root kit detection capabilities included in anti-virus packages may be used to satisfy this requirement.

Check Content

Ask the SA if a root kit check tool is installed on the system and run weekly. Verify this is the case by checking software inventory and automated job-scheduling tools, such as cron. Some root kit check tools may run from read-only alternate boot media, requiring several reboots of the system. If a root kit check tool not requiring a system reboot is not run at least weekly, either via manual or automated means, this is a finding. If a root kit check tool requiring a system reboot is not run at regular intervals less frequent than weekly, but at least every 30 days, this is a finding.

Fix Text

Create an automated job or establish a site-defined procedure to check the system weekly with a root kit check tool.

Additional Identifiers

Rule ID: SV-38398r1_rule

Vulnerability ID: V-22575

Group Title: GEN008380

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.