code/linux/audit/writable-xinetdconf.yaml

id: writable-xinetdconf

info:
  name: /etc/(x)inetd.conf Permission Check
  author: songyaeji
  severity: high
  description: |
    The /etc/xinetd.conf or /etc/inetd.conf file was writable by non-root users, allowing them to register malicious services that executed with root privileges. This check verified that the file was owned by root and had secure permissions.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
  tags: linux,code,audit,compliance,local

self-contained: true

code:
  - engine:
      - bash

    source: |
      stat -c "%U %G %a" /etc/xinetd.conf 2>/dev/null || echo "not-found"

  - engine:
      - bash

    source: |
      stat -c "%U %G %a" /etc/inetd.conf 2>/dev/null || echo "not-found"

    matchers:
      - type: regex
        part: code_1_response
        regex:
          - '^root\s+root\s+(600|640|644)$'

      - type: regex
        part: code_2_response
        regex:
          - '^root\s+root\s+(600|640|644)$'
# digest: 4b0a00483046022100f9e2b4d4854c4faed398fd6c5e299a7c6d5dd3a8dcdd9f23628da4e55d6b46ea022100b6e27004a72fa0636b953155d65962851a0385ecd48edcf978aaea25541f5c84:922c64590222798bb761d5b6d8e72950
templates - update 2025-08-21 14:52:08 +05:30			`id: writable-xinetdconf`

			`info:`
			`name: /etc/(x)inetd.conf Permission Check`
			`author: songyaeji`
			`severity: high`
fix-spacing 2025-08-21 17:13:49 +05:30			`description: \|`
templates - update 2025-08-21 14:52:08 +05:30			`The /etc/xinetd.conf or /etc/inetd.conf file was writable by non-root users, allowing them to register malicious services that executed with root privileges. This check verified that the file was owned by root and had secure permissions.`
			`reference:`
			`- https://isms.kisa.or.kr/main/csap/notice/`
			`tags: linux,code,audit,compliance,local`

			`self-contained: true`

			`code:`
			`- engine:`
			`- bash`
fix-spacing 2025-08-21 17:13:49 +05:30
templates - update 2025-08-21 14:52:08 +05:30			`source: \|`
			`stat -c "%U %G %a" /etc/xinetd.conf 2>/dev/null \|\| echo "not-found"`

			`- engine:`
			`- bash`
fix-spacing 2025-08-21 17:13:49 +05:30
templates - update 2025-08-21 14:52:08 +05:30			`source: \|`
			`stat -c "%U %G %a" /etc/inetd.conf 2>/dev/null \|\| echo "not-found"`

			`matchers:`
			`- type: regex`
			`part: code_1_response`
			`regex:`
			`- '^root\s+root\s+(600\|640\|644)$'`

			`- type: regex`
			`part: code_2_response`
			`regex:`
fix-spacing 2025-08-21 17:13:49 +05:30			`- '^root\s+root\s+(600\|640\|644)$'`
chore: sign templates 🤖 2025-08-21 12:45:03 +00:00			`# digest: 4b0a00483046022100f9e2b4d4854c4faed398fd6c5e299a7c6d5dd3a8dcdd9f23628da4e55d6b46ea022100b6e27004a72fa0636b953155d65962851a0385ecd48edcf978aaea25541f5c84:922c64590222798bb761d5b6d8e72950`