Check: BIND-9X-001660
BIND 9.x STIG: BIND-9X-001660 (in version v3 r0.1)
Title
In the event of an error when validating the binding of other DNS servers' identity to the BIND 9.x information, when anomalies in the operation of the signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events, a BIND 9.x server implementation must generate a log entry. (Cat II impact)
Discussion
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event occurred, and by whom the event was triggered, to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, to recognize resource utilization or capacity thresholds, or to simply identify an improperly configured DNS system. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis. The DNS server should audit all failed attempts at server authentication through DNSSEC and TSIG. The actual auditing is performed by the OS/NDM but the configuration to trigger the auditing is controlled by the DNS server. Failing to act on the validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically. The DNS server does not have the capability of shutting down or restarting the information system. The DNS server can be configured to generate audit records when anomalies are discovered.

Satisfies: SRG-APP-000350-DNS-000044, SRG-APP-000089-DNS-000005, SRG-APP-000504-DNS-000074, SRG-APP-000504-DNS-000082, SRG-APP-000474-DNS-000073
Check Content
Verify the name server is configured to log error messages with a severity of "info". Inspect the "named.conf" file for the following:

    logging {
        channel channel_name {
            severity info;
        };

If the "severity" sub statement is not set to "info", this is a finding.

Note: Setting the "severity" sub statement to "info" will log all messages for the following severity levels: Critical, Error, Warning, Notice, and Info.
Fix Text
Edit the "named.conf" file. Add the "severity" sub statement to the "channel" statement. Configure the "severity" sub statement to "info". Restart the BIND 9.x process.
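The check and fix above only look at the channel's "severity" sub statement. In BIND that setting governs what a channel will accept; the categories that carry the events this rule names (zone transfers, DNSSEC and TSIG validation failures, daemon start and stop) still have to be routed to that channel with "category" statements, or the log entries never reach it. The following Python audit is an editor-added example, not DISA or ISC code. It parses the logging statement of a named.conf, reports every channel whose severity is missing or not "info", and, going beyond the literal STIG check, also reports the rule's categories that are not routed to a compliant channel. The two named.conf texts are constructed samples with invented channel names and file paths, and the mapping from the rule's event classes to BIND logging categories is the editor's assumption.

```python
"""Audit the logging statement of a BIND 9.x named.conf for BIND-9X-001660.

Editor-added example (not DISA or ISC code). Stricter than the STIG's literal
check: besides requiring 'severity info' on every channel, it verifies that the
categories carrying the rule's events are routed to such a channel.
"""
import re
from typing import Iterator, List, Optional, Tuple

# Event classes in the rule title -> BIND logging categories (editor's assumption):
# zone transfers (xfer-in, xfer-out), DNSSEC/TSIG validation failures
# (dnssec, security), named start/stop and other daemon events (general).
REQUIRED_CATEGORIES = ("xfer-in", "xfer-out", "dnssec", "security", "general")
COMPLIANT_SEVERITY = "info"  # the only value the STIG check accepts

# Constructed sample: the 'before' state. Channel names and paths are invented.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
};

logging {
    channel audit_log {
        file "/var/log/named/audit.log" versions 5 size 20m;
        severity warning;   // notice and info messages are never written
        print-time yes;
    };
    channel xfer_log {
        file "/var/log/named/xfer.log";
        # no severity sub statement at all
    };
    category xfer-in  { xfer_log; };
    category xfer-out { xfer_log; };
    category default  { audit_log; };
};
"""

# Constructed sample: the corrected state after applying the Fix Text.
FIXED_NAMED_CONF = """
options {
    directory "/var/named";
};

logging {
    channel audit_log {
        file "/var/log/named/audit.log" versions 5 size 20m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category default  { audit_log; };
    category general  { audit_log; };
    category security { audit_log; };
    category dnssec   { audit_log; };
    category xfer-in  { audit_log; };
    category xfer-out { audit_log; };
    category notify   { audit_log; };
};
"""


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _close_brace(text: str, start: int) -> int:
    """Index of the '}' matching the '{' just before `start` (nesting-aware)."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return i - 1  # on unbalanced input this is the last index; named-checkconf would reject it


def iter_statements(block: str, keyword: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, body) for each `keyword name { body };` inside block."""
    pat = re.compile(r"\b" + keyword + r"\s+(\S+)\s*\{")
    pos = 0
    while (m := pat.search(block, pos)):
        end = _close_brace(block, m.end())
        yield m.group(1), block[m.end():end]
        pos = end + 1


def extract_logging(named_conf: str) -> Optional[str]:
    """Return the body of the top-level `logging { ... };` statement, or None."""
    text = strip_comments(named_conf)
    m = re.search(r"\blogging\s*\{", text)
    return text[m.end():_close_brace(text, m.end())] if m else None


def audit_logging(named_conf: str) -> List[str]:
    """Return STIG findings for the logging configuration; [] means compliant."""
    logging = extract_logging(named_conf)
    if logging is None:
        return ["no logging statement: severity is never explicitly set to info"]
    findings, compliant = [], set()
    for name, body in iter_statements(logging, "channel"):
        m = re.search(r"\bseverity\s+([\w-]+)", body)
        if m is None:
            findings.append(f"channel {name}: no severity sub statement")
        elif m.group(1) != COMPLIANT_SEVERITY:
            findings.append(f"channel {name}: severity {m.group(1)}, must be info")
        else:
            compliant.add(name)
    # category name -> set of channel names it is routed to
    routes = {name: set(re.findall(r"[\w-]+", body))
              for name, body in iter_statements(logging, "category")}
    for cat in REQUIRED_CATEGORIES:
        # A category that is not listed falls through to `category default`, if defined.
        if not routes.get(cat, routes.get("default", set())) & compliant:
            findings.append(f"category {cat}: not routed to a channel with severity info")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("fixed", FIXED_NAMED_CONF)):
        print(f"{label}: {audit_logging(conf) or ['compliant']}")
```

Feed the script the output of `named-checkconf -p`, which prints the effective configuration with include files expanded, rather than a single file. Note that BIND's built-in default_syslog channel runs at severity info and receives any category that is not routed elsewhere, so a server with no logging statement at all usually does capture these messages; the STIG nonetheless requires the setting to be explicit, which is why the script reports a finding in that case.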
Additional Identifiers
Rule ID: SV-272418r1068281_rule
Vulnerability ID: V-272418
Group Title: SRG-APP-000350-DNS-000044
Expert Comments
CCIs
Number | Definition
---|---
CCI-000169 | Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components.
CCI-000172 | Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
CCI-000366 | Implement the security configuration settings.
CCI-001906 | Perform organization-defined actions in the event of an error when validating the binding of the information producer identity to the information.
CCI-002702 | Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.