Check: DNS0495
BIND DNS STIG:
DNS0495
(in version v4 r1.2)
Title
Entries in the name server logs do not contain timestamps and severity information. (Cat III impact)
Discussion
Forensic analysis of security incidents and day-to-day monitoring are substantially more difficult if there are no timestamps on log entries.
Check Content
BIND Instruction: Based on the logging statement in named.conf, the reviewer can determine where the DNS logs are located. If logging is not configured, then this is a finding. These logs (which in many cases are likely to be the system logs) should be viewed using the UNIX cat or tail commands, a text editor, or, in the case of Windows, the "Event Viewer." When examining the logs, the reviewer should ensure that entries have timestamps and severity codes. If timestamps and severity codes are not found on one or more entries, then this is a finding.

The relevant portion of the logging statement syntax is:

```
logging {
    channel channel_name {
        file path_name | syslog syslog_facility ;
        [ severity (critical | error | warning | notice | info | debug [level] | dynamic); ]
        print-severity yes/no;
        print-time yes/no;
    };
    category category_name { channel_name ; [ channel_name ; … ] };
};
```

Instruction: If the DNS entries in the logs do not note their severity (i.e., critical, error, warning, notice, or info), then this constitutes a finding.

Windows DNS: Windows DNS software adds timestamps and severity information by default.

In cases in which the name server is not running BIND or Windows DNS, the reviewer must still examine the configuration and its documentation to validate this requirement.
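Added example, not part of the STIG or of BIND: a Python check that reads the logging statement of a named.conf and reports channels whose print-time or print-severity is not yes (only the yes/no values quoted above are recognised), plus a filter for log entries lacking the timestamp-and-severity prefix. The sample configuration and log lines are constructed; treating syslog channels as already timestamped by the syslog daemon is an assumption.

```python
import re
# Constructed sample named.conf fragment (not from the STIG): audit_log is
# compliant, quiet_log omits both print-time and print-severity.
SAMPLE_NAMED_CONF = """
logging {
    channel audit_log {
        file "/var/log/named/audit.log" versions 5 size 10m;
        severity info;
        print-time yes;        // prefix each entry with date and time
        print-severity yes;    // prefix each entry with its severity
    };
    channel quiet_log {
        file "/var/log/named/quiet.log";
        severity warning;      # neither print option set: finding
    };
    category default { audit_log; quiet_log; };
};
"""
CHANNEL_RE = re.compile(r'\bchannel\s+(\S+)\s*\{(.*?)\};', re.S)
OPTION_RE = re.compile(r'\b(print-time|print-severity)\s+(yes|no)\s*;')
# Prefix BIND writes to a file channel with both options on: "dd-Mon-yyyy HH:MM:SS.mmm severity:"
ENTRY_RE = re.compile(r'^\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} '
                      r'(critical|error|warning|notice|info|debug \d+): ')

def strip_comments(text):
    """Remove the /* */, // and # comment styles named.conf accepts."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def audit_logging(conf):
    """Return {channel: [problems]}; empty means no finding. No logging statement -> '<none>'."""
    text = strip_comments(conf)
    if not re.search(r'\blogging\s*\{', text):
        return {'<none>': ['no logging statement configured']}
    findings = {}
    for name, body in CHANNEL_RE.findall(text):
        opts = dict(OPTION_RE.findall(body))
        problems = []
        # syslog stamps each message itself (assumption), so print-time only matters for file channels
        if 'syslog' not in body and opts.get('print-time') != 'yes':
            problems.append('print-time is not yes')
        if opts.get('print-severity') != 'yes':
            problems.append('print-severity is not yes')
        if problems:
            findings[name] = problems
    return findings

def entries_missing_prefix(lines):
    """Return the log lines that lack the timestamp-and-severity prefix."""
    return [line for line in lines if not ENTRY_RE.match(line)]
```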
Fix Text
The DNS software administrator should configure the DNS software to add timestamps and severity information to each entry in all logs. Configuration details for BIND may be found in the DNS STIG Section 4.2.5.
Additional Identifiers
Rule ID: SV-4490r2_rule
Vulnerability ID: V-4490
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |