code/linux/audit/linux-legacy-services-enabled.yaml

id: linux-legacy-services-enabled

info:
  name: DoS Vulnerable Service Enabled
  author: songyaeji
  severity: high
  description: |
    Services such as echo, discard, daytime, and chargen were enabled on the system, allowing attackers to exploit them to extract system information or launch denial-of-service (DoS) attacks.These legacy services were required to be disabled unless explicitly needed.
  reference:
    - https://isms.kisa.or.kr
  tags: local,linux,audit,kisa,compliance

self-contained: true

code:
  - engine:
      - bash
    source: |
      if [ -f "/etc/xinetd.d/echo" ] && grep -iq 'disable[[:space:]]*=[[:space:]]*no' "/etc/xinetd.d/echo"; then
        echo "[VULNERABLE] echo service is enabled in /etc/xinetd.d/echo"
      else
        echo "[SAFE] echo service is disabled or not present"
      fi

  - engine:
      - bash
    source: |
      if [ -f "/etc/xinetd.d/discard" ] && grep -iq 'disable[[:space:]]*=[[:space:]]*no' "/etc/xinetd.d/discard"; then
        echo "[VULNERABLE] discard service is enabled in /etc/xinetd.d/discard"
      else
        echo "[SAFE] discard service is disabled or not present"
      fi

  - engine:
      - bash
    source: |
      if [ -f "/etc/xinetd.d/daytime" ] && grep -iq 'disable[[:space:]]*=[[:space:]]*no' "/etc/xinetd.d/daytime"; then
        echo "[VULNERABLE] daytime service is enabled in /etc/xinetd.d/daytime"
      else
        echo "[SAFE] daytime service is disabled or not present"
      fi

  - engine:
      - bash
    source: |
      if [ -f "/etc/xinetd.d/chargen" ] && grep -iq 'disable[[:space:]]*=[[:space:]]*no' "/etc/xinetd.d/chargen"; then
        echo "[VULNERABLE] chargen service is enabled in /etc/xinetd.d/chargen"
      else
        echo "[SAFE] chargen service is disabled or not present"
      fi

    matchers:
      - type: word
        name: echo
        part: code_1_response
        words:
          - "[VULNERABLE]"

      - type: word
        name: daytime
        part: code_2_response
        words:
          - "[VULNERABLE]"

      - type: word
        name: chargen
        part: code_3_response
        words:
          - "[VULNERABLE]"

      - type: word
        name: discard
        part: code_4_response
        words:
          - "[VULNERABLE]"
# digest: 4a0a0047304502202cf91c265090819bbe6e79552565776586d650aba479c020577e231fe19482af022100d2ed2e30103881d316dbe4f9d4b517a6e63b4c44a950ce6c5f1468f23914491d:922c64590222798bb761d5b6d8e72950
Directory & Templates - update 2025-08-22 17:56:12 +05:30			`id: linux-legacy-services-enabled`

			`info:`
			`name: DoS Vulnerable Service Enabled`
			`author: songyaeji`
			`severity: high`
			`description: \|`
			`Services such as echo, discard, daytime, and chargen were enabled on the system, allowing attackers to exploit them to extract system information or launch denial-of-service (DoS) attacks.These legacy services were required to be disabled unless explicitly needed.`
			`reference:`
			`- https://isms.kisa.or.kr`
tags - update 2025-08-22 17:58:20 +05:30			`tags: local,linux,audit,kisa,compliance`
Directory & Templates - update 2025-08-22 17:56:12 +05:30
			`self-contained: true`

			`code:`
			`- engine:`
			`- bash`
			`source: \|`
			`if [ -f "/etc/xinetd.d/echo" ] && grep -iq 'disable[[:space:]]=[[:space:]]no' "/etc/xinetd.d/echo"; then`
			`echo "[VULNERABLE] echo service is enabled in /etc/xinetd.d/echo"`
			`else`
			`echo "[SAFE] echo service is disabled or not present"`
			`fi`

			`- engine:`
			`- bash`
			`source: \|`
			`if [ -f "/etc/xinetd.d/discard" ] && grep -iq 'disable[[:space:]]=[[:space:]]no' "/etc/xinetd.d/discard"; then`
			`echo "[VULNERABLE] discard service is enabled in /etc/xinetd.d/discard"`
			`else`
			`echo "[SAFE] discard service is disabled or not present"`
			`fi`

			`- engine:`
			`- bash`
			`source: \|`
			`if [ -f "/etc/xinetd.d/daytime" ] && grep -iq 'disable[[:space:]]=[[:space:]]no' "/etc/xinetd.d/daytime"; then`
			`echo "[VULNERABLE] daytime service is enabled in /etc/xinetd.d/daytime"`
			`else`
			`echo "[SAFE] daytime service is disabled or not present"`
			`fi`

			`- engine:`
			`- bash`
			`source: \|`
			`if [ -f "/etc/xinetd.d/chargen" ] && grep -iq 'disable[[:space:]]=[[:space:]]no' "/etc/xinetd.d/chargen"; then`
			`echo "[VULNERABLE] chargen service is enabled in /etc/xinetd.d/chargen"`
			`else`
			`echo "[SAFE] chargen service is disabled or not present"`
			`fi`

			`matchers:`
			`- type: word`
			`name: echo`
			`part: code_1_response`
			`words:`
			`- "[VULNERABLE]"`

			`- type: word`
			`name: daytime`
			`part: code_2_response`
			`words:`
			`- "[VULNERABLE]"`

			`- type: word`
			`name: chargen`
			`part: code_3_response`
			`words:`
			`- "[VULNERABLE]"`

			`- type: word`
			`name: discard`
			`part: code_4_response`
			`words:`
chore: sign templates 🤖 2025-08-23 06:50:02 +00:00			`- "[VULNERABLE]"`
			`# digest: 4a0a0047304502202cf91c265090819bbe6e79552565776586d650aba479c020577e231fe19482af022100d2ed2e30103881d316dbe4f9d4b517a6e63b4c44a950ce6c5f1468f23914491d:922c64590222798bb761d5b6d8e72950`