High-Risk Commands
High-risk commands affect the normal running of the system or services, or cause special system files to be maliciously deleted or modified. For high-risk commands related to Automation, see Table 1.
High-Risk Command Name |
Verification Rule |
Example |
Risk |
|---|---|---|---|
vi /etc/xxx.xx command |
\\s*(vi|vim)\\s+/(boot|etc|lib|sys|selinux|bin|sbin|root|usr|var|proc|opt|srv)+\\s* |
vi /etc/vconsole.conf |
Modifying system files may affect the normal running of the system and services or make your system unrecoverable. |
service xxx restart/stop command |
\\s*service\\s+.*\\s+(restart|stop)\\s* |
service network stop |
If a command contains service xxx restart/stop, services may be restarted or stopped, affecting the normal running of the system or services. |
mkfs.ext3 /dev/sdxxx command |
\\s*mkfs\\.ext3\\s+/dev/[a-z]d[a-z]+\\s* |
mkfs.ext3 /dev/sda |
If a command contains mkfs.ext3 /dev/xdxxx, the block device will be formatted, making your system unrecoverable. |
umount command |
\\s*umount\\s+.* |
umount -v /dev/sda1 |
The normal running of the system or services may be affected. |
poweroff command |
\\s*poweroff\\s* |
poweroff |
If a command contains poweroff, hosts may be powered off, affecting the system or service running. |
kill command |
\\s*kill\\s+.* |
kill 12345 |
If a command contains kill, the running programs or tasks may be deleted, affecting the normal running of the system or services. |
mv xxx /dev/null command |
\\s*mv\\s+.*\\s+/dev/null\\s* |
mv test /dev/null |
If a command contains mv xxx /dev/null, xxx files may be deleted. |
xxx > /dev/sdx command |
\\s*.*\\s+>\\s+/dev/sd[a-z]+\\s* |
cat test.txt > /dev/sda |
If a command contains > /dev/xdx, all data in the path may be lost. |
init 0 command |
\\s*init\\s+0\\s* |
init 0 |
If a command contains init 0, hosts may be shut down, affecting the normal running of the system or services. |
reboot command |
\\s*reboot\\s* |
reboot |
If a command contains reboot, a device may be restarted, affecting the normal running of the system or services. |
halt command |
\\s*halt\\s* |
halt |
If a command contains halt, a device may be powered off, affecting the normal running of the system or services. |
Fork Bomb |
\\s*:\\(\\)\\{:\\|:&\\};:\\s* |
:(){:|:&};: |
Command injection attacks may occur, causing system breakdown. |
rm command |
\\s*rm\\s+.* |
rm test.txt |
If a command contains rm, special system files may be maliciously deleted or modified. |
> file command |
\\s*>\\s+.* |
> file |
If a command contains >, the file content may be cleared. |
dd if=/dev/random of=/dev/sdxxx command |
\\s*dd\\s+if=/dev/random\\s+of=/dev/sd[a-z]+\\s* |
dd if=/dev/random of=/dev/sda |
Random junk files are written to block device sdxxx to erase data. As a result, the system may become disordered and cannot be recovered. |
shutdown command |
\\s*shutdown\\s+.* |
shutdown -h now |
If a command contains shutdown, hosts may be shut down, affecting the system or service running. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
