Check: DNS4480
BIND DNS STIG:
DNS4480
(in version v4 r1.2)
Title
Inadequate file permissions on BIND name servers. (Cat II impact)
Discussion
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.
Check Content
On BIND name servers, the following minimum permissions, or more restrictive, must be set:
- named.run - owner: root, group: dnsgroup, permissions: 660
- named_dump.db - owner: root, group: dnsgroup, permissions: 660
- ndc (FIFO) - owner: root, group: dnsgroup, permissions: 660
- ndc.d (directory containing ndc) - owner: root, group: dnsgroup, permissions: 700
The following must be set on log files:
- any log file - owner: dnsuser, group: dnsgroup, permissions: 660
The following must be set on TSIG keys:
- unique to each key - owner: dnsuser, group: dnsgroup, permissions: 400
More hardened permissions are recommended and are not a finding. "More restrictive" means a mode that grants no permission bit beyond the listed one (e.g., named.run set to 640 or 600 instead of 660). A mode that adds a bit, such as 440 on a TSIG key whose minimum is 400, is less restrictive, not more, and does not satisfy the requirement. If permissions are not set to the required minimum permissions specified above, or more restrictive, this is a finding.
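An audit script for this check, added here as an example and not part of the STIG or of BIND: it applies the owner, group and mode minimums above and accepts any mode that grants no permission bit beyond them, which is how "more restrictive" is decided. The file paths in the list and the key file name are assumptions (BIND 8 layouts vary); the owner, group and mode columns are the check's own values.

```shell
#!/bin/sh
# Added example: an audit helper for DNS4480, not part of the STIG or BIND.
# Verifies owner, group and mode against the check's minimums and accepts
# anything more restrictive, as the Check Content permits.

# perm_compliant ACT_OWNER ACT_GROUP ACT_MODE REQ_OWNER REQ_GROUP MAX_MODE
# Returns 0 when the observed attributes satisfy the requirement, 1 otherwise.
# "More restrictive" is evaluated bitwise: the observed mode may not contain
# any bit that MAX_MODE lacks, so 600 satisfies a 660 minimum, 664 does not,
# and 440 does not satisfy a 400 minimum (group read was added). Special bits
# (setuid/setgid/sticky, a leading fourth digit) count as extra bits too.
perm_compliant() {
    [ "$1" = "$4" ] || return 1
    [ "$2" = "$5" ] || return 1
    # printf '%d' treats a leading 0 as octal, so "660" becomes 432.
    actual=$(printf '%d' "0$3")
    maximum=$(printf '%d' "0$6")
    [ $(( actual & ~maximum )) -eq 0 ]
}

# file_attrs PATH -> "owner group octal-mode"; GNU stat first, BSD stat fallback.
file_attrs() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %OLp' "$1"
}

# dns4480_check PATH REQ_OWNER REQ_GROUP MAX_MODE
# Prints one result line; exit status 0 = compliant, 1 = finding, 2 = missing.
dns4480_check() {
    path=$1
    req_owner=$2
    req_group=$3
    max_mode=$4
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"
        return 2
    fi
    # Replace the function's positional parameters with "owner group mode".
    set -- $(file_attrs "$path")
    if perm_compliant "$1" "$2" "$3" "$req_owner" "$req_group" "$max_mode"; then
        printf 'OK      %s %s:%s %s\n' "$path" "$1" "$2" "$3"
    else
        printf 'FINDING %s is %s:%s %s, requires %s:%s %s or stricter\n' \
            "$path" "$1" "$2" "$3" "$req_owner" "$req_group" "$max_mode"
        return 1
    fi
}

# The check's file list. Paths and the key file name are assumptions for
# illustration; owner, group and mode are the check's stated minimums.
# Format: path owner group max_mode
DNS4480_FILES='
/var/named/named.run        root    dnsgroup 660
/var/named/named_dump.db    root    dnsgroup 660
/var/run/ndc.d/ndc          root    dnsgroup 660
/var/run/ndc.d              root    dnsgroup 700
/var/log/named.log          dnsuser dnsgroup 660
/var/named/keys/ns1-ns2.key dnsuser dnsgroup 400
'

# audit_dns4480: run every entry, count anything that is not compliant.
# A here-document (not a pipe) keeps the loop in the current shell so the
# counter survives the loop.
audit_dns4480() {
    issues=0
    while read -r p o g m; do
        [ -n "$p" ] || continue
        dns4480_check "$p" "$o" "$g" "$m" || issues=$((issues + 1))
    done <<EOF
$DNS4480_FILES
EOF
    printf '%d item(s) to review\n' "$issues"
    [ "$issues" -eq 0 ]
}

# Run the audit only when invoked as "sh dns4480.sh audit", so the helper
# functions can also be sourced and tested on their own.
if [ "${1:-}" = "audit" ]; then
    audit_dns4480
fi
```

Run it as root on the name server (`sh dns4480.sh audit`) after editing the path list; each FINDING line names the observed and required owner:group and mode, and a MISSING line means the path in the list does not exist on that host and should be corrected rather than ignored.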
Fix Text
The SA will ensure that the ownership and file permissions on the BIND 8 files, log files, and TSIG key files listed in the Check Content are set to the required values, or more restrictive ones, in accordance with the DNS STIG requirements.
Additional Identifiers
Rule ID: SV-13534r3_rule
Vulnerability ID: V-12966
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |