0056-rc.local-priv-rc.local Permissions Modified¶

Rule ID¶

• 0056-rc.local-priv

Category¶

• system

Level¶

• warn

Compatible Versions¶

• Linux

Description¶

• Monitor whether the permissions of the host file /etc/rc.local have been modified.

Scan Frequency¶

• 1 */5 * * *

Theoretical Basis¶

• The rc.local script is a script that automatically runs after a Linux system boots. Additional commands that need to run at startup can be added to this script.

Risk Items¶

• Function Unavailable

Audit Method¶

• Run the following command and verify that Uid and Gid are both 0/root, and the permissions are 755:

stat /etc/rc.d/rc.local
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)

Remediation¶

• If it is detected that the permissions of the /etc/rc.local file have been changed, log in to the server as the root user to restore the permissions and audit this change.

Impact¶

• None

Default Value¶

• None

References¶

• Emergency Response Steps for Hacker Intrusion (Unofficial)

• Analysis of a Real Mining Intrusion Investigation (Unofficial)

CIS Controls¶

• None