Check: DNS4470
BIND DNS STIG:
DNS4470
(in version v4 r1.2)
Title
Permissions on critical UNIX name server files are not as restrictive as required. (Cat II impact)
Discussion
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.
Check Content
Using the `ls -l` command from the directory containing the core BIND files, check that the permissions for the files listed are at least as restrictive as those listed:

- named.conf - owner: root, group: dnsgroup, permissions: 640
- named.pid - owner: root, group: dnsgroup, permissions: 600
- root hints - owner: root, group: dnsgroup, permissions: 640
- master zone file - owner: root, group: dnsgroup, permissions: 640
- slave zone file - owner: root, group: dnsgroup, permissions: 660

The name of the root hints file is defined in named.conf. Common names for the file are root.hints, named.cache, or db.cache.
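As an added example (not part of the STIG text), the following POSIX shell check applies the table above: a file passes when its owner and group match and it carries no permission bit that the required mode does not grant. It assumes GNU coreutils `stat`; the BIND directory and the root hints file name are assumptions supplied by the caller, and zone file paths must be taken from named.conf.

```shell
#!/bin/sh
# Added example for DNS4470: verify one BIND file is at least as restrictive
# as the STIG requires. Assumes GNU coreutils `stat` (-c format).
#
# "At least as restrictive" is checked as (actual_mode & ~allowed_mode) == 0,
# so 600 passes against a required 640, while 644 (world-readable) fails.
# Usage: bind_file_ok <path> <owner> <group> <allowed_octal_mode>
bind_file_ok() {
    path=$1; want_owner=$2; want_group=$3; allowed=$4
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    # stat prints "mode owner group"; split it into the function's own $1..$3
    set -- $(stat -c '%a %U %G' "$path")
    mode=$1; owner=$2; group=$3
    # Leading 0 makes $(( )) parse the values as octal; 07777 masks to mode bits
    extra=$(( 0$mode & ~0$allowed & 07777 ))
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ] \
       || [ "$extra" -ne 0 ]; then
        echo "FAIL     $path  $owner:$group $mode  (want $want_owner:$want_group, max $allowed)"
        return 1
    fi
    echo "OK       $path  $owner:$group $mode"
    return 0
}

# Walk the core files from the STIG table in one directory.
# Usage: audit_bind_dir <dir> [hints_file_name]   (hints name defaults to root.hints,
# an assumption; the real name is whatever named.conf declares)
audit_bind_dir() {
    dir=$1; hints=${2:-root.hints}; rc=0
    bind_file_ok "$dir/named.conf" root dnsgroup 640 || rc=1
    bind_file_ok "$dir/named.pid"  root dnsgroup 600 || rc=1
    bind_file_ok "$dir/$hints"     root dnsgroup 640 || rc=1
    # Zone files: call bind_file_ok on each path listed in named.conf, with
    # 640 for master zones and 660 for slave zones.
    return $rc
}

# Run the audit only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_bind_dir "$1" "$2"
fi
```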
Fix Text
The SA should modify permissions so that they are at least as restrictive as specified in the DNS STIG.
Additional Identifiers
Rule ID: SV-3620r1_rule
Vulnerability ID: V-3620
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |