Check: DNS0440
BIND DNS STIG:
DNS0440
(in version v4 r1.2)
Title
An integrity checking tool is not installed or not monitoring for modifications to the root.hints and named.conf files. (Cat II impact)
Discussion
An integrity checking tool compares file and directory integrity to a baseline. It can alert the system administrator to unauthorized changes in files or directories. Unauthorized changes in files and directories can give a user unauthorized access to system resources. Undetected changes to DNS name server root hints and configuration files are the single greatest risk to the security and stability of the DNS name server. An integrity checking tool (e.g., Tripwire) aids in effectively monitoring and controlling changes to ensure improved security and system availability. This applies to both authoritative and caching name servers.
Check Content
UNIX Instruction: The reviewer must work with the SA to obtain the program name. In the presence of the reviewer, the SA should enter the following command to confirm the integrity checking tool is installed and running:

ps -ef | grep <process name>

If an integrity checking tool is not installed and running, then this is a finding. With the assistance of the SA, confirm that the integrity checking tool is monitoring for any modifications to the root hints and the name server’s configuration (e.g., named.conf); if this is not the case, then this is a finding. If using ISC BIND name server software, common names for the root hints file are root.hints, named.cache, or db.cache. The name is configurable within the named.conf file. rndc.conf will be protected in the same manner.

Windows Instruction: The reviewer must work with the SA to obtain the service name. The reviewer should examine the Windows Services GUI to identify started services (in Windows 2000/2003, right-click on “My Computer” and select “Manage”. In the left window pane, click on “Services and Applications”. A list of services is displayed in the right window pane. Click on the “Status” column heading to sort by status; the started services will be grouped together). Also check the “Applications” tab of “Task Manager” for applications that do not run as a service (simultaneously press the Ctrl-Alt-Del keys and select the “Applications” tab). The reviewer should be able to determine if an integrity checking tool is installed and running. If an integrity checking tool is not installed and running, then this is a finding. With the assistance of the SA, confirm that the integrity checking tool is monitoring for any modifications to the root hints, which can be found at C:/Windows/System32/DNS/cache.dns. In addition, ensure the tool is checking the zone files. Active Directory zone files are stored in the Active Directory database. The database can be found using the Windows search feature and locating the ntds.dit file, which is the database. For non-Active Directory zones, obtain the name of the zone from the DNS management console list of forward zones. Enter the zone name into Windows search and it will display the path to the actual zone files, normally found in a backup directory.
Fix Text
The SA should install an integrity checking tool on the name server and configure the tool to monitor for any modifications to the root.hints and name server configuration files.
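As an added illustration of the monitoring the check and fix above describe (this script is not part of the STIG and is not a replacement for a maintained tool such as Tripwire), the following POSIX shell script records a SHA-256 baseline of the name server configuration and root hints files and reports any monitored file that later differs or disappears. The paths and file contents are constructed stand-ins for named.conf and root.hints; a real deployment would point it at the files named in named.conf and run it on a schedule.

```shell
# hash_file prints "<sha256>  <path>" for one file; shasum is the fallback
# on systems without coreutils sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# record_baseline BASELINE FILE... stores one hash line per monitored file
# (named.conf, the root hints file, rndc.conf, ...).
record_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        hash_file "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE re-hashes every recorded file, prints "MODIFIED <path>"
# or "MISSING <path>" per deviation, and returns 1 if any was found, else 0.
verify_baseline() {
    baseline="$1"
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        actual=$(hash_file "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# Constructed demo: stand-in named.conf and root.hints in a temp directory.
DEMO_DIR=$(mktemp -d)
printf 'options { directory "/var/named"; };\n' > "$DEMO_DIR/named.conf"
printf '.  3600000  NS  A.ROOT-SERVERS.NET.\n' > "$DEMO_DIR/root.hints"
record_baseline "$DEMO_DIR/baseline.sha256" "$DEMO_DIR/named.conf" "$DEMO_DIR/root.hints"

# Simulate an unreviewed edit to the root hints, then re-run the check.
printf '; unreviewed change\n' >> "$DEMO_DIR/root.hints"
if verify_baseline "$DEMO_DIR/baseline.sha256"; then
    echo "baseline intact"
else
    echo "integrity violation detected (finding for DNS0440)"
fi
rm -rf "$DEMO_DIR"
```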
Additional Identifiers
Rule ID: SV-4479r2_rule
Vulnerability ID: V-4479
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |