Free DISA STIG and SRG Library | Vaulted

V-12966

Inadequate file permissions on BIND name servers.

Finding ID
DNS4480
Rule ID
SV-13534r3_rule
Severity
Cat II
CCE
(None)
Group Title
Inadequate file permissions on BIND NS.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.

Fix Text

The SA will ensure that the file permissions on BIND 8 files as well as the log and TSIG key files are set in accordance with the DNS STIG requirements.

Check Content

On BIND name servers, the following minimum permissions, or more restrictive, must be set:

named.run - owner: root, group: dnsgroup, permissions: 660
named_dump.db - owner: root, group: dnsgroup, permissions: 660
ndc (FIFO) - owner: root, group: dnsgroup, permissions: 660
ndc.d (directory containing ndc) - owner: root, group: dnsgroup, permissions: 700

The following must be set on log files:

any log file - owner: dnsuser, group: dnsgroup, permissions: 660

The following must be set on TSIG keys:

unique to each key - owner: dnsuser, group: dnsgroup, permissions: 400

More hardened permissions are recommended and would not be considered a finding if more restrictive permissions are set (i.e., setting unique to each key - owner: dnsuser, group: dnsgroup, permissions: 440).

If permissions are not set to the required minimum permissions specified above, or more restrictive, this is a finding.
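The check above is a "no broader than the baseline" test, so a numeric comparison of octal modes is not enough (e.g. 604 is numerically below 660 but grants world read). The script below is an added example, not part of the STIG, that audits each listed file with a bitwise subset check on the mode plus owner/group checks; the directory layout under the BIND working directory and the keys/ and log/ subdirectories are assumptions.

```shell
#!/bin/sh
# Added example: audit BIND file permissions against the STIG baselines.
# "Minimum permissions, or more restrictive" means the actual mode may not
# grant any bit the baseline does not, so the mode test is a bitwise subset
# check. Assumes GNU stat(1); file locations are assumptions, not STIG text.

# mode_within BASELINE ACTUAL -> 0 if ACTUAL grants no bit outside BASELINE
mode_within() {
    b=$((0$1)); a=$((0$2))          # both parsed as octal
    [ $(( a & ~b & 07777 )) -eq 0 ]
}

# check_file PATH OWNER GROUP BASELINE -> 0 if compliant; otherwise prints
# one FINDING line per deviation (or a missing file) and returns 1
check_file() {
    f=$1; want_owner=$2; want_group=$3; base=$4
    if [ ! -e "$f" ]; then
        echo "FINDING: $f: not found"; return 1
    fi
    info=$(stat -c '%a %U %G' "$f") || return 1
    set -- $info
    mode=$1; owner=$2; group=$3; status=0
    [ "$owner" = "$want_owner" ] || { echo "FINDING: $f: owner $owner, expected $want_owner"; status=1; }
    [ "$group" = "$want_group" ] || { echo "FINDING: $f: group $group, expected $want_group"; status=1; }
    mode_within "$base" "$mode"  || { echo "FINDING: $f: mode $mode broader than $base"; status=1; }
    return $status
}

# audit_bind DIR -> runs the STIG's list against DIR (assumed BIND working
# directory); returns 1 if any item is a finding
audit_bind() {
    d=${1:-/var/named}; rc=0
    check_file "$d/named.run"     root dnsgroup 660 || rc=1
    check_file "$d/named_dump.db" root dnsgroup 660 || rc=1
    check_file "$d/ndc.d/ndc"     root dnsgroup 660 || rc=1
    check_file "$d/ndc.d"         root dnsgroup 700 || rc=1
    for k in "$d"/keys/*.key; do    # TSIG keys: assumed location and suffix
        [ -e "$k" ] && { check_file "$k" dnsuser dnsgroup 400 || rc=1; }
    done
    for l in "$d"/log/*.log; do     # log files: assumed location and suffix
        [ -e "$l" ] && { check_file "$l" dnsuser dnsgroup 660 || rc=1; }
    done
    return $rc
}
# Usage: . ./bind_perms.sh && audit_bind /var/named   (path is an assumption)
```

A non-zero exit from audit_bind, together with the printed FINDING lines, is the evidence to record for this rule.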

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2