Check: DNS4460
BIND DNS STIG:
DNS4460
(in version v4 r1.2)
Title
It is possible to obtain a command shell by logging on to the DNS user account. (Cat III impact)
Discussion
If an intruder gains access to a command shell, the intruder may be able to execute unauthorized commands.
Check Content
The SA should enter the following command (this command assumes that named is running as user dnsuser):

grep dnsuser /etc/passwd

Based on the command output, the reviewer can identify whether a shell exists for dnsuser. The shell should be /dev/null or /bin/false. If it is a legitimate shell, then this is a finding.
Fix Text
The SA should edit /etc/passwd and change the shell of the DNS user account to /bin/false, /dev/null, or an alternative producing a similar effect.
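The check and fix above, as an added shell example that is not part of the STIG: it reads the DNS account's passwd entry from a passwd-format file and reports whether the login shell could give an interactive session. The account name dnsuser follows the STIG text; the passwd file is a constructed sample, and the nologin paths in the locked list are assumptions that vary by platform.

```shell
#!/bin/sh
# Added example, not part of the STIG. Automates DNS4460: read the DNS
# service account's passwd entry and decide whether its login shell
# could start a session. Assumes the account is "dnsuser" (per the
# STIG); the nologin paths below are typical but platform dependent.

# dns_user_shell FILE USER: print USER's login shell (field 7 of the
# passwd entry); return 1 if USER has no entry.
dns_user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; found = 1 } END { exit !found }' "$1"
}

# shell_is_locked SHELL: return 0 if SHELL cannot start a session.
# An empty field is NOT locked: passwd(5) treats it as /bin/sh.
shell_is_locked() {
    case "$1" in
        /dev/null|/bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# dns4460_check FILE USER: report the STIG result; exit status 0 means
# "not a finding", 1 means "finding", 2 means the account is missing.
dns4460_check() {
    shell=$(dns_user_shell "$1" "$2") || { echo "no entry for $2 in $1" >&2; return 2; }
    if shell_is_locked "$shell"; then
        echo "not a finding: $2 shell is $shell"
        return 0
    fi
    echo "finding: $2 has a login shell (${shell:-/bin/sh by default})"
    return 1
}

# Constructed sample passwd file standing in for /etc/passwd.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dnsuser:x:53:53:BIND named:/var/named:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
EOF

for u in dnsuser named; do
    dns4460_check "$SAMPLE_PASSWD" "$u" || :   # status is reported in the message
done
```

On a real host, replace the sample file with /etc/passwd and the user with whatever account named actually runs as.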
Additional Identifiers
Rule ID: SV-3619r1_rule
Vulnerability ID: V-3619
Group Title:
CCIs
CCIs tied to check.
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
Controls tied to check. These are derived from the CCIs shown above.
| Number | Title |
|---|---|
| No controls are assigned to this check | |