Check: BIND-9X-001110
BIND 9.x STIG:
BIND-9X-001110
(in versions v2 r3 through v1 r1)
Title
The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account. (Cat II impact)
Discussion
Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.
Check Content
With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation. Identify the account that the "named" process is running as: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation. # ls –al <TSIG_Key_Location> -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If any of the TSIG keys are not owned by the above account, this is a finding.
Fix Text
Change the ownership of the TSIG keys to the named process is running as. # chown <named_proccess_owner> <TSIG_key_file>.
Additional Identifiers
Rule ID: SV-207563r879613_rule
Vulnerability ID: V-207563
Group Title: SRG-APP-000176-DNS-000018
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000186 |
The information system, for PKI-based authentication, enforces authorized access to the corresponding private key. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |