Free DISA STIG and SRG Library | Vaulted

V-72439

The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.

Finding ID
BIND-9X-001111
Rule ID
SV-87063r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000176-DNS-000018
CCI
CCI-000186
Target Key
(None)
Documentable
No
Discussion

Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

Fix Text

Change the group ownership of the TSIG keys to the named process group. # chgrp <named_proccess_group> <TSIG_key_file>

Check Content

With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation. Identify the account that the "named" process is running as: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation. # ls –al <TSIG_Key_Location> -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If any of the TSIG keys are not group owned by the above account, this is a finding.