BIND 9.x STIG Version Comparison

BIND 9.x Security Technical Implementation Guide

Comparison

There are 3 differences between versions v1 r9 (April 24, 2020) (the "left" version) and v2 r2 (July 23, 2021) (the "right" version).

Check BIND-9X-001040 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.


Text Differences

Title

The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog.

Check Content

Verify that the BIND 9.x server is configured to send audit logs to the syslog service.

NOTE: A syslog channel and a local file channel must be defined for every defined category.

Inspect the "named.conf" file for the following:

    logging {
        channel <syslog_channel> {
            syslog <syslog_facility>;
        };
        category <category_name> {
            <syslog_channel>;
        };
    };

If a logging channel is not defined for syslog, this is a finding.

If a category is not defined to send messages to the syslog channel, this is a finding.

Ensure audit records are forwarded to a remote server:

    # grep "\*.\*" /etc/syslog.conf | grep "@" | grep -v "^#"     (for syslog)

or:

    # grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#"    (for rsyslog)

If neither of these lines exists, this is a finding.

Discussion

Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.

Fix

Configure the "logging" statement to send audit logs to the syslog daemon:

    logging {
        channel <syslog_channel> {
            syslog <syslog_facility>;
        };
        category <category_name> {
            <syslog_channel>;
        };
    };

Note: It is recommended to use a local syslog facility (i.e., local0 through local7) when configuring the syslog channel.

Restart the BIND 9.x process.

Configure the (r)syslog daemon to send audit logs to a remote server.
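The check and the fix above, mechanised as an added shell script. This is example code written for this page, not part of the STIG or of BIND: it flattens a named.conf, collects the channels whose destination is syslog, confirms that every category names at least one of them, and then looks for an uncommented legacy forwarding rule (@host for UDP, @@host for TCP) in a (r)syslog config that covers either everything (*.*) or the facility BIND was pointed at. The file names, channel names, the local0 facility and the loghost.example.com collector are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the STIG: mechanise the two checks above.
# 1) every "category" in named.conf reaches a channel whose destination is syslog
# 2) the (r)syslog config forwards that facility (or *.*) to a remote host
# All config contents below are constructed samples.

# Strip // and # comments and join lines, so each block sits on one line.
flatten_conf() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" | tr '\n\t' '  ' | tr -s ' '
}

# Names of channels declared with a "syslog <facility>;" destination.
syslog_channels() {
    flatten_conf "$1" \
      | grep -o 'channel[[:space:]]*[A-Za-z0-9_-]*[[:space:]]*{[^}]*}' \
      | grep '[{;][[:space:]]*syslog[[:space:]]' \
      | sed 's/^channel[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/'
}

# One line per category statement: "<category> <channel> [<channel> ...]".
categories() {
    flatten_conf "$1" \
      | grep -o 'category[[:space:]]*[A-Za-z0-9_-]*[[:space:]]*{[^}]*}' \
      | sed -e 's/[{};]/ /g' -e 's/^category//' | tr -s ' '
}

# Categories that do not name any syslog channel (empty output = none).
bad_categories() {
    chans=$(syslog_channels "$1")
    categories "$1" | while read -r name rest; do
        ok=0
        for c in $rest; do
            for s in $chans; do
                if [ "$c" = "$s" ]; then ok=1; fi
            done
        done
        [ "$ok" -eq 1 ] || echo "$name"
    done
}

# Exit 0 when the STIG's two named.conf conditions hold, 1 on a finding.
check_named_syslog() {
    if [ -z "$(syslog_channels "$1")" ]; then
        echo "FINDING: no channel with a syslog destination in $1"; return 1
    fi
    bad=$(bad_categories "$1")
    if [ -n "$bad" ]; then
        echo "FINDING: categories not sent to a syslog channel in $1:" $bad; return 1
    fi
    echo "PASS: every category in $1 reaches a syslog channel"
}

# Exit 0 when $2 has an uncommented rule forwarding facility $1 (or *.*)
# to a remote host with the legacy @host (UDP) or @@host (TCP) action.
check_forwarding() {
    rules=$(grep -v '^[[:space:]]*#' "$2" \
        | grep -E '^[[:space:]]*[^[:space:]]+[[:space:]]+@@?[^[:space:]]+') || true
    # The selector is the first field; accept "*.x" or "<facility>.x" anywhere
    # in a ";"-separated selector list.
    if printf '%s\n' "$rules" | awk '{print $1}' | grep -qE "(^|;)(\*|$1)\."; then
        echo "PASS: $1 is forwarded to a remote collector per $2"; return 0
    fi
    echo "FINDING: no uncommented @host/@@host rule covering $1 in $2"; return 1
}

# --- constructed sample configs (not real system files) -------------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/named_good.conf" <<'EOF'
logging {
    channel audit_syslog { syslog local0; severity info; print-category yes; };
    channel local_file { file "/var/log/named/named.log" versions 3 size 5m; };
    category default  { audit_syslog; local_file; };
    category security { audit_syslog; local_file; };
    category queries  { audit_syslog; local_file; };
};
EOF
# Same, but "queries" only goes to the local file: a finding.
sed 's/category queries  { audit_syslog; local_file; }/category queries { local_file; }/' \
    "$tmp/named_good.conf" > "$tmp/named_partial.conf"
# No syslog channel at all: a finding.
cat > "$tmp/named_bad.conf" <<'EOF'
logging {
    channel default_log { file "/var/log/named/named.log"; }; // local file only
    category default { default_log; };
};
EOF
printf '%s\n' '*.info;mail.none  /var/log/messages' 'local0.*  @@loghost.example.com:514' \
    > "$tmp/rsyslog_good.conf"
printf '%s\n' '#local0.*  @@loghost.example.com:514' 'local0.*  /var/log/named-audit.log' \
    > "$tmp/rsyslog_bad.conf"

# Exit status is the finding indicator; "|| true" keeps the demo going under set -e.
for f in named_good named_partial named_bad; do
    check_named_syslog "$tmp/$f.conf" || true
done
check_forwarding local0 "$tmp/rsyslog_good.conf" || true
check_forwarding local0 "$tmp/rsyslog_bad.conf" || true
```

The STIG's grep for "*.*" only finds catch-all selectors; a rule such as local0.* @@loghost forwards exactly the facility the fix recommends yet would not match it, which is why the forwarding check accepts either form. Both checks understand only the legacy selector/action syntax in the one file they are given: rsyslog RainerScript actions (action(type="omfwd" ...)) and drop-in files under /etc/rsyslog.d are outside their scope and have to be reviewed by hand. A single "@host" action is plain UDP with no delivery guarantee, so a collector that must not lose audit records should be reached with "@@host" (TCP) at minimum.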