Check: DNS0140
DNS Policy: DNS0140 (in versions v4 r1.22 through v4 r1.2)
Title
Configuration change logs and justification for changes are not maintained. (Cat II impact)
Discussion
If changes are made to the configuration without documentation, it is often difficult to determine the root cause of an operational problem or understand the circumstances in which a security breach occurred. Without adequate configuration change records, it is also more difficult for the IAO and other oversight personnel to track major activity, which is critical to information assurance.
Check Content
The DNS configuration change log must note the date and time any DNS configuration files were modified and the business justification for that modification. Unless the business justification is routinely so vague as to be meaningless (e.g., “user request” for every entry), the reviewer should not second-guess what constitutes an acceptable business rationale.
Instruction: If there is no configuration change log, then this is a finding. If there are such records, then entries must include the date and time of any change and the business rationale for the change. Failure to include this information for any entry is a finding.
Fix Text
The IAO should implement, maintain, and periodically check compliance with configuration management requirements. The configuration change log should include, at a minimum, the date and time of any modifications to the DNS configuration files and the business justification for that modification.
Additional Identifiers
Rule ID: SV-13607r1_rule
Vulnerability ID: V-13039
Group Title: Configuration change logs are not maintained.
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.