id: rw-hosts-file

info:
  name: /etc/hosts File Read/Write Check
  author: songyaeji
  severity: high
  description: |
    The /etc/hosts file was writable by non-root users, allowing attackers to register malicious DNS mappings and redirect legitimate domains (pharming attacks). This check verified that /etc/hosts was owned by root and had appropriate permissions.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
  metadata:
    verified: true
  tags: local,linux,hosts,file,audit,kisa

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      stat -c "%U %G %a" /etc/hosts 2>/dev/null || echo "not-found"

    matchers:
      - type: regex
        part: response
        regex:
          - '^root\s+root\s+(600|644)$'
# digest: 4a0a00473045022017a5a0e8603f419052c28b1a4247cf2ad1427ed06e840c85cb976599aba89ac50221009d55c0bde34158f8e63bfd6c2a090e801dd4271f75947ef4ad2d9baa133294ab:922c64590222798bb761d5b6d8e72950