Check: DNS4450
BIND DNS STIG:
DNS4450
(in version v4 r1.2)
Title
A UNIX or UNIX-based name server is running unnecessary daemon/services and/or is configured to start an unnecessary daemon, service, or program upon boot up. (Cat II impact)
Discussion
Unnecessary software running on a name server could introduce security vulnerabilities that would be avoided if it were not present.
Check Content
The reviewer should examine the start-up files to determine whether they launch unnecessary programs. The file /etc/inetd.conf is common to UNIX implementations; the reviewer may use the cat command to view it. If it enables any of the daemons listed below, this is a finding.

Below is the list of prohibited services. If any of these processes is running (the reviewer may use ps -ef | grep <service name> to verify whether the process is running), or is configured to start upon boot-up (the reviewer may use the ls command in the /etc/rc2.d or /etc/rc3.d directory; on Solaris, start scripts begin with a capital S and kill scripts with a capital K, so only S-scripts launch a service), then this is a finding. Although inherently dangerous, SNMP may be used for network management; if so, it must be documented and configured in accordance with the UNIX STIG.

- NFS client (S73nfs.client in rc2.d)
- automounter (S74autofs in rc2.d)
- printer queue daemon (S80lp in rc2.d)
- RPC portmapper (S71rpc in rc2.d)
- CDE login (S99dtlogin in rc2.d)
- NFS server process (S15nfs.server in rc3.d)
- SNMP daemon (S76snmpdx in rc3.d)
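As an added example (not part of the STIG text or any DISA tooling), the following POSIX shell script automates the three inspections this check describes: prohibited S-scripts in rc2.d/rc3.d, enabled entries in inetd.conf, and prohibited daemons in ps -ef output. It runs against a constructed Solaris-style fixture built in a temporary directory; the mapping from the listed rc scripts to process names (automountd, lpsched, rpcbind, dtlogin, nfsd, mountd, statd, lockd, snmpdx) is an assumption for Solaris and should be adjusted for other platforms.

```shell
#!/bin/sh
# Added example (not DISA text): automate the DNS4450 check for prohibited
# daemons. Checks the same three things the STIG describes: rc2.d/rc3.d
# start scripts, enabled inetd.conf entries, and running processes.

# Prohibited start scripts from the check (Solaris naming: S<nn><name>).
PROHIBITED_RC="S73nfs.client S74autofs S80lp S71rpc S99dtlogin S15nfs.server S76snmpdx"
# Process names those scripts start (assumed Solaris mapping; adjust per platform).
PROHIBITED_PROCS="statd lockd automountd lpsched rpcbind dtlogin nfsd mountd snmpdx"

# check_rc_dirs <root>: report prohibited S-scripts under <root>/rc2.d and
# <root>/rc3.d (use <root>=/etc on a real host). Returns 1 on any finding.
check_rc_dirs() {
    root=$1; found=0
    for dir in rc2.d rc3.d; do
        for script in $PROHIBITED_RC; do
            if [ -e "$root/$dir/$script" ]; then
                echo "FINDING: $root/$dir/$script"
                found=1
            fi
        done
    done
    return $found
}

# check_inetd <file>: list every enabled (uncommented) inetd.conf entry for
# the reviewer to judge; a name server normally needs none. Returns 1 if any.
check_inetd() {
    file=$1; found=0
    set -f                          # no globbing while word-splitting lines
    while IFS= read -r line; do
        set -- $line                # $1 becomes the service-name field
        [ $# -eq 0 ] && continue    # blank line
        case $1 in \#*) continue ;; esac   # commented-out entry
        echo "REVIEW: $1 is enabled in inetd.conf"
        found=1
    done < "$file"
    set +f
    return $found
}

# check_procs <ps-output>: scan saved "ps -ef" output (ps -ef > file) for
# prohibited daemons. Fields 8..NF are scanned so a two-word STIME such as
# "Jan 01" cannot shift the command out of view. Returns 1 on any finding.
check_procs() {
    file=$1; found=0
    for proc in $PROHIBITED_PROCS; do
        if awk -v want="$proc" '$1 != "UID" {
                for (i = 8; i <= NF; i++) { c = $i; sub(/.*\//, "", c); if (c == want) hit = 1 }
            } END { exit hit ? 0 : 1 }' "$file"; then
            echo "FINDING: $proc is running"
            found=1
        fi
    done
    return $found
}

# make_fixture <dir>: constructed Solaris-style tree (not from a real host)
# with three rc findings, one enabled inetd service, one prohibited process.
make_fixture() {
    dir=$1
    mkdir -p "$dir/rc2.d" "$dir/rc3.d"
    : > "$dir/rc2.d/S73nfs.client"
    : > "$dir/rc2.d/S74autofs"
    : > "$dir/rc2.d/S72inetsvc"     # not on the list; must not be reported
    : > "$dir/rc3.d/S15nfs.server"
    printf '%s\n' \
        '# constructed inetd.conf: ftp enabled, telnet commented out' \
        'ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd' \
        '#telnet stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd' \
        > "$dir/inetd.conf"
    printf '%s\n' \
        '     UID   PID  PPID  C    STIME TTY      TIME CMD' \
        '    root     1     0  0   Jan 01 ?        0:01 /sbin/init' \
        '    root   212     1  0   Jan 01 ?        0:00 /usr/lib/autofs/automountd' \
        '    root   230     1  0   10:05 ?        0:00 /usr/sbin/named' \
        > "$dir/ps.txt"
}

# Demonstration on the constructed fixture. On a real host run instead:
#   check_rc_dirs /etc; check_inetd /etc/inetd.conf; ps -ef > /tmp/ps.out; check_procs /tmp/ps.out
FX=$(mktemp -d)
make_fixture "$FX"
check_rc_dirs "$FX"          || printf '%s\n' "-> boot scripts: finding"
check_inetd "$FX/inetd.conf" || printf '%s\n' "-> inetd.conf: entries need review"
check_procs "$FX/ps.txt"     || printf '%s\n' "-> running processes: finding"
rm -rf "$FX"
```

Each function returns non-zero when it reports something, so the script can be wired into a review checklist that fails on any finding; inetd entries are reported for review rather than as findings because the STIG lists rc-script daemons, not inetd services, and the reviewer decides whether an enabled inetd service is necessary on a name server.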
Fix Text
The SA should edit the startup files so that the unnecessary programs do not launch on boot-up: comment out the service's line in /etc/inetd.conf and signal inetd to re-read its configuration (kill -HUP <inetd pid>), and disable rc start scripts by renaming the link so it no longer begins with a capital S (e.g., S73nfs.client to s73nfs.client) or by removing it. Any instance that is currently running should also be stopped, since the check covers running processes as well as boot-time configuration.
Additional Identifiers
Rule ID: SV-3618r1_rule
Vulnerability ID: V-3618
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |