Check: DNS0485
BIND DNS STIG:
DNS0485
(in version v4 r1.2)
Title
The DNS software must log success and failure events when starting and stopping of the name server service daemon, zone transfers, zone update notifications, and dynamic updates. (Cat I impact)
Discussion
Logging must be comprehensive to be useful for both intrusion monitoring and security investigations. Setting logging at the severity notice should capture most relevant events without requiring unacceptable levels of data storage. The severity levels info and debug are also available to organizations that require additional logging for certain events or applications.
Check Content
The default level for logging was modified in BIND version 9.7. Starting at that version, logging is set to debugging level by default. Therefore, if the logging statement is missing AND the version is 9.7 or more recent, this is NOT a finding.

For a BIND configuration for versions before 9.7, if a logging statement is present, it will have the form:

```
logging {
    channel channel_name {
        file path_name | syslog syslog_facility;
        severity (critical | error | warning | notice | info | debug [level] | dynamic);
        print-severity yes/no;
        print-time yes/no;
    };
    category category_name { channel_name; [ channel_name; … ] };
};
```

Instruction: If a logging statement is not present and the BIND version is prior to 9.7, then this is a finding. The reviewer will look at the severity clause in each of the channel phrases of the logging statement. It should read either notice, info or debug for each defined channel (although debug would not typically appear unless the review is concurrent with a troubleshooting effort). If the logging statement is not properly configured, then this is a finding.

NOTE: Debug level may cause operational issues due to log file sizes and is therefore not a requirement for anything other than troubleshooting purposes.

Windows DNS Instruction: For a Windows 2003 DNS configuration: On the "Logging" tab or "Debug Logging" tab of the "DNS Server Properties" dialog box, if "Log Packets for" "Notify" and "Update" are not checked, then this is a finding.

Mitigation: A violation of this requirement can have one of two severity levels depending upon the extent of the violation. If no logging exists, then the discrepancy would be a Category I finding. If some logging exists, but not for all of the events listed, then the discrepancy would be a Category II finding.
Fix Text
The DNS software administrator will configure the DNS software to log, at a minimum, success and failure of the following events:
- start and stop of the name server service or daemon
- zone transfers
- zone update notifications
- dynamic updates
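As an added example (not part of the STIG text or any DISA tool), the Python below applies the reviewer instruction from the Check Content to a BIND logging statement and reports the severity class the Mitigation paragraph describes. The sample named.conf fragment is constructed here, and the mapping of the four events in the Fix Text to BIND's `general`, `xfer-in`, `xfer-out`, `notify` and `update` categories is an assumption of this example.

```python
import re

# Constructed sample (not from the STIG): a logging statement that routes every
# event DNS0485 names to one file channel at severity notice.
SAMPLE_NAMED_CONF = """
logging {
    channel audit_log {
        file "/var/log/named/audit.log" versions 5 size 20m;
        severity notice;
        print-time yes;
        print-severity yes;
    };
    category general { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category update { audit_log; };
};
"""

# Severities the check accepts for every defined channel.
ACCEPTED_SEVERITIES = {"notice", "info", "debug"}
# Assumed mapping of the Fix Text events to BIND categories:
# daemon start/stop -> general, zone transfers -> xfer-in/xfer-out,
# update notifications -> notify, dynamic updates -> update.
REQUIRED_CATEGORIES = {"general", "xfer-in", "xfer-out", "notify", "update"}


def parse_logging(conf):
    """Return ({channel: severity}, {category: [channels]}) from a logging statement."""
    channels = {}
    for m in re.finditer(r"channel\s+(\S+)\s*\{(.*?)\};", conf, re.S):
        sev = re.search(r"severity\s+(\w+)", m.group(2))
        channels[m.group(1)] = sev.group(1) if sev else None
    categories = {}
    for m in re.finditer(r"category\s+(\S+)\s*\{(.*?)\};", conf, re.S):
        categories[m.group(1)] = [c.strip() for c in m.group(2).split(";") if c.strip()]
    return channels, categories


def check_dns0485(conf, version=(9, 7)):
    """Return None (not a finding), 'CAT I' or 'CAT II' following the check's Mitigation text."""
    if not re.search(r"\blogging\s*\{", conf):
        # No logging statement: accepted from 9.7 (default logging), a CAT I finding before that.
        return None if version >= (9, 7) else "CAT I"
    channels, categories = parse_logging(conf)
    bad_channels = [c for c, s in channels.items() if s not in ACCEPTED_SEVERITIES]
    missing = [c for c in REQUIRED_CATEGORIES if not categories.get(c)]
    if bad_channels or missing:
        return "CAT II"  # some logging exists, but not at the required severity for every event
    return None
```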
Additional Identifiers
Rule ID: SV-4488r3_rule
Vulnerability ID: V-4488
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |