id: etc-services-permission-check

info:
  name: /etc/services Permission Check
  author: songyaeji
  severity: high
  description: |
    The /etc/services file was not owned by root or had excessive permissions,allowing attackers to alter port assignments to redirect services or open unauthorized ports.
  reference:
    - https://isms.kisa.or.kr
  tags: linux,code,audit,compliance,local

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      stat -c "%U %G %a" /etc/services 2>/dev/null || echo "not-found"

    matchers:
      - type: regex
        part: response
        regex:
          - '^root\s+root\s+(600|640|644)$'
# digest: 490a0046304402206191a33140f6b945e840ee4d9ffc8ab2021e2fb4da77355e420c2ae192895e160220129ec14176286e2173c8832a4de3c139824553af5b3b2b0f641be80a15384865:922c64590222798bb761d5b6d8e72950