Title

For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured. (Cat III impact)

Discussion

To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Check Content

Determine whether the system is using local or DNS name resolution with the following command: # grep hosts /etc/nsswitch.conf hosts: files dns If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command: # ls -al /etc/resolv.conf -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding. If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution. Determine the name servers used by the system with the following command: # grep nameserver /etc/resolv.conf nameserver 192.168.1.2 nameserver 192.168.1.3 If less than two lines are returned that are not commented out, this is a finding. Verify that the "/etc/resolv.conf" file is immutable with the following command: # sudo lsattr /etc/resolv.conf ----i----------- /etc/resolv.conf If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.

Fix Text

Configure the operating system to use two or more name servers for DNS resolution. Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows: # echo -n > /etc/resolv.conf And then make the file immutable with the following command: # chattr +i /etc/resolv.conf If the "/etc/resolv.conf" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool.

Additional Identifiers

Rule ID: SV-204608r603261_rule

Vulnerability ID: V-204608

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.