Free DISA STIG and SRG Library | Vaulted

V-72441

The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

Finding ID
BIND-9X-001112
Rule ID
SV-87065r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000176-DNS-000019
CCI
CCI-000186
Target Key
(None)
Documentable
No
Discussion

Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

Fix Text

Change the permissions of the TSIG key files: # chmod 600 <TSIG_key_file>

Check Content

Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users: With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation: # ls –al <TSIG_Key_Location> -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If the key files are more permissive than 600, this is a finding.