Title

A BIND 9.x server implementation must be running in a chroot(ed) directory structure. (Cat II impact)

Discussion

With any network service, there is the potential that an attacker can exploit a vulnerability within the program that allows the attacker to gain control of the process and even run system commands with that control. One possible defense against this attack is to limit the software to particular quarantined areas of the file system, memory, or both. This effectively restricts the service so that it will not have access to the full file system. If such a defense were in place, even if an attacker gained control of the process, the attacker would be unable to reach other commands or files on the system. This approach often is referred to as a padded cell, jail, or sandbox. All of these terms allude to the fact that the software is contained in an area where it cannot harm itself or others. A more technical term is a chroot(ed) directory structure. BIND must be configured to run in a padded cell or chroot(ed) directory structure.

Check Content

Verify that the directory structure where the primary BIND 9.x server configuration files are stored is running in a chroot(ed) environment or a containerized environment: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot If the output does not contain "-t <chroot_path>" and the named process is not running in a container, this is a finding.

Fix Text

Configure the BIND 9.x server to operate in a chroot(ed) directory structure.

Additional Identifiers

Rule ID: SV-272422r1124005_rule

Vulnerability ID: V-272422

Group Title: SRG-APP-000243-DNS-000034

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.