Skip to content

0054-rc.local-rc.local File Modified

Rule ID

  • 0054-rc.local

Category

  • system

Level

  • warn

Compatible Versions

  • Linux

Description

  • Monitor the host startup loading files to check if they have been tampered with.

Scan Frequency

  • disable

Theoretical Basis

  • To add a program to the startup in Linux, it is usually done by modifying rc.local. However, there are typically two rc.local files in Linux: /etc/rc.local (a symbolic link) and /etc/init.d/rc.local (the actual file). By using MD5sum to calculate the MD5 checksum of the file and comparing the old and new checksums, we can detect if the file has been modified.

Risk Items

  • Hacker penetration
  • Data leakage
  • Network security
  • Mining risk
  • Botnet risk

Audit Method

  • Verify whether /etc/rc.local on the host has been illegally modified. You can use the following command to check: 
    md5sum /etc/rc.local

Remediation

  • If /etc/rc.local on the host has been illegally modified, carefully inspect the host environment for signs of intrusion and change the host user password.

Impact

  • Abnormal boot, starting abnormal processes, tampering with system environment variables, executing high-risk commands

Default Value

  • Inconsistent; modify according to the environment

References

  • None

CIS Controls

  • None

Feedback

Is this page helpful? ×