Check: DNS4440
BIND DNS STIG:
DNS4440
(in version v4 r1.2)
Title
BIND is not configured to run as a dedicated non-privileged user account. BIND is running as a root user. (Cat III impact)
Discussion
If an intruder gains control of named (BIND), the intruder acquires the privileges of the user ID under which it runs. Running named as a non-privileged user account limits the extent of any breach. When BIND runs as root (the default), an intruder who compromises it gains full control of the system.
Check Content
In the presence of the reviewer, the SA should enter the following command:

ps -ef | grep 'named' > /etc/dns/srr/bindUser.srr

The user identification (UID) used to run named should be found in the results. If the UID is root (i.e., 0) or another built-in ID, then this constitutes a finding. If it is not, the next step is to check whether the UID is dedicated to this function. The SA should enter the following command, substituting the UID obtained in the previous step for bindUID:

ps -ef | grep 'bindUID' > bindUserDaemons.srr

If bindUserDaemons.srr contains daemons/programs other than BIND (named), then this constitutes a finding. If the dedicated user is associated with named only, the next step is to check whether the user ID has any privileges other than those needed to run BIND. To accomplish this, the SA will check the following:

- Whether the BIND UID is a member of any group other than dnsgroup.
- Whether the BIND UID has permissions to any files other than key files and named.stat.

For the first item, the SA should run the following command (substituting the value for bindUID as appropriate):

grep 'bindUID' /etc/group > /etc/dns/srr/bindUserGroups.srr

For the second item, the SA should run the following command (substituting the name of the user ID for dnsuser if applicable):

find / -uid bindUID > /etc/dns/srr/bindUserFiles.srr

With regard to the first item, if bindUserGroups.srr contains any entry other than dnsgroup (or its equivalent), then this constitutes a finding. With regard to the second item, if bindUserFiles.srr contains any entries other than the key files and named.stat, then this constitutes a finding.
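The following POSIX shell helper is an added example, not DISA's script or part of the STIG: it applies the first three steps of this check (UID of named, whether that UID is dedicated, supplementary group membership) to captured `ps` and `/etc/group` text so the same logic can be run against a live host or a saved sample. The `ps -eo uid,user,comm` column layout, the `dnsgroup` default and the sample data in the comments are assumptions; the file-ownership step is left to the `find / -uid` command above.

```shell
#!/bin/sh
# Audit helper for the DNS4440 check (added example, not DISA's own script).
# Assumes `ps -eo uid,user,comm`; callers pass captured text in, so the
# functions also run against constructed samples.

# Print the UID named runs as (empty if no named process is present).
named_uid() {
  printf '%s\n' "$1" | awk '$3 == "named" { print $1; exit }'
}

# Succeed only if every process under UID $2 is named (dedicated account).
uid_dedicated() {
  printf '%s\n' "$1" | awk -v u="$2" \
    '$1 == u && $3 != "named" { bad = 1 } END { exit bad + 0 }'
}

# List supplementary groups of user $2 other than $3 (default dnsgroup),
# from /etc/group text in $1. The primary group lives in /etc/passwd, not here.
extra_groups() {
  printf '%s\n' "$1" | awk -F: -v user="$2" -v ok="${3:-dnsgroup}" '
    { n = split($4, m, ","); for (i = 1; i <= n; i++)
        if (m[i] == user && $1 != ok) print $1 }'
}

# Run the checks on ps output ($1) and /etc/group text ($2).
# Prints one line per finding and returns the number of findings.
dns4440_assess() {
  findings=0
  uid=$(named_uid "$1")
  if [ -z "$uid" ]; then
    echo "FINDING: no named process found"; return 1
  fi
  if [ "$uid" -eq 0 ]; then
    echo "FINDING: named runs as root (UID 0)"; findings=$((findings + 1))
  fi
  if ! uid_dedicated "$1" "$uid"; then
    echo "FINDING: other daemons share UID $uid"; findings=$((findings + 1))
  fi
  user=$(printf '%s\n' "$1" | awk -v u="$uid" '$1 == u { print $2; exit }')
  extra=$(extra_groups "$2" "$user")
  if [ -n "$extra" ]; then
    echo "FINDING: $user is also in group(s): $(echo $extra)"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Live use on a host: dns4440_assess "$(ps -eo uid,user,comm)" "$(cat /etc/group)"
```

A non-zero return is the finding count, so the helper can be dropped into a larger SRR script; a built-in but non-root UID still needs the reviewer's judgement, as the check text requires.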
Fix Text
The SA should create a new user account dedicated to DNS, configure it per the DNS STIG, and then restart the named process so that it runs as the new user account.
Additional Identifiers
Rule ID: SV-3617r2_rule
Vulnerability ID: V-3617
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |