Inspired by 'Autoruns' from Sysinternals, RCLocals analyzes all Linux startup possibilities to find backdoors, also performs process integrity verification, scan for DLL injected processes and much more
·List GPG keys trusted by the system
·Installed Packages
·File integrity
·Process integrity (process and libraries loaded in a process that not belongs to any installed package)
·Processes with name spoofed (processes that use prctl() to change their name in /bin/ps)
·CRON entries
·RC files
·X system startup files
·Active Systemd Units
·Systemd Timer Units
·tmpfiles.d
·linger users
·Hashing binaries and libs + searching in CYMRU malware hash registry https://team-cymru.com/community-services/mhr/
Debian/Ubuntu and derivatives: install debsums # apt-get install debsums
All platforms: pay attention to non default Python modules (colorama and DNS)
For only suspicious information:
#python3 rclocals.py --triage
For detailed information:
#python3 rclocals.py --all
