Title

The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software. (Cat II impact)

Discussion

Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

Check Content

Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users. With the assistance of the DNS administrator, determine the location of the TSIG keys used by the BIND 9.x implementation: # ls -al <TSIG_Key_Location> -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If the key files are more permissive than 600, this is a finding.

Fix Text

Change the permissions of the TSIG key files: # chmod 600 <TSIG_key_file>

Additional Identifiers

Rule ID: SV-272375r1082247_rule

Vulnerability ID: V-272375

Group Title: SRG-APP-000176-DNS-000019

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.