Check: BIND-9X-001910
BIND 9.x STIG: BIND-9X-001910 (in version v3 r1)
Title
The BIND 9.x server implementation must be configured with a channel to send audit records to at least two remote syslogs. (Cat I impact)
Discussion
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.
Check Content
Verify that the BIND 9.x server is configured to send audit logs to at least two syslog servers.

Note: syslog and local file channel must be defined for every defined category.

Inspect the "named.conf" file for the following:

```
logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};

logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};
```

If a logging channel is not defined for each syslog, this is a finding.

If a category is not defined to send messages to the syslog channels, this is a finding.
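The inspection above can be automated. The following Python check is an added example, not part of the STIG or of BIND; the function names, the sample configuration, and the reading that every category must list at least two channels with a `syslog` destination are assumptions.

```python
import re

# Constructed sample named.conf fragment (not taken from the STIG).
SAMPLE = '''
logging {
    channel remote_a   { syslog local0; severity info; };
    channel remote_b   { syslog local1; severity info; };
    channel local_file { file "/var/log/named/audit.log"; };
    category default  { remote_a; remote_b; local_file; };
    category security { remote_a; local_file; };  // one syslog channel only
};
'''

def strip_comments(text):
    # Removes /* */, // and # comments. Simplification: a comment marker
    # inside a quoted string would also be cut.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def blocks(keyword, conf):
    # Returns (name, body) for every "<keyword> <name> { body }" clause.
    pattern = r"\b%s\s+(\S+?)\s*\{([^}]*)\}" % keyword
    return [(n.strip('"'), b) for n, b in re.findall(pattern, conf)]

def audit_logging(conf, min_syslog=2):
    """Return a list of findings; an empty list means the check passes."""
    conf = strip_comments(conf)
    # A channel counts only if its body has a "syslog" destination clause.
    syslog_channels = {name for name, body in blocks("channel", conf)
                       if re.search(r"(?:^|;)\s*syslog\b", body)}
    findings = []
    if len(syslog_channels) < min_syslog:
        findings.append("only %d syslog channel(s) defined" % len(syslog_channels))
    categories = blocks("category", conf)
    if not categories:
        findings.append("no category statements defined")
    for name, body in categories:
        used = {c.strip().strip('"') for c in body.split(";") if c.strip()}
        hits = len(used & syslog_channels)
        if hits < min_syslog:
            findings.append("category %s: %d syslog channel(s)" % (name, hits))
    return findings

if __name__ == "__main__":
    for finding in audit_logging(SAMPLE) or ["no findings"]:
        print(finding)
```

The check reads named.conf only. A BIND `syslog` channel hands messages to the local syslog daemon, so whether each facility is actually forwarded to a separate remote server has to be confirmed in that daemon's configuration.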
Fix Text
Configure the "logging" statement to send audit logs to the syslog daemons.

```
logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};

logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};
```

Note: It is recommended to use a local syslog facility (i.e., local0-7) when configuring the syslog channel.

Restart the BIND 9.x process.
Additional Identifiers
Rule ID: SV-272432r1123950_rule
Vulnerability ID: V-272432
Group Title: SRG-APP-000125-DNS-000012
CCIs
| Number | Definition |
|---|---|
| CCI-001348 | Store audit records on an organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited. |
Controls
| Number | Title |
|---|---|
| AU-9(2) | Store on Separate Physical Systems or Components |