UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72441 BIND-9X-001112 SV-87065r1_rule Medium
Description
Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.
STIG Date
BIND 9.x Security Technical Implementation Guide 2017-05-26

Details

Check Text ( C-72643r1_chk )
Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users:

With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation:

# ls –al
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key

If the key files are more permissive than 600, this is a finding.
Fix Text (F-78795r1_fix)
Change the permissions of the TSIG key files:

# chmod 600