UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72439 BIND-9X-001111 SV-87063r1_rule Medium
Description
Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.
STIG Date
BIND 9.x Security Technical Implementation Guide 2019-06-28

Details

Check Text ( C-72641r1_chk )
With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation.

Identify the account that the "named" process is running as:

# ps -ef | grep named
named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot

With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation.

# ls –al
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key

If any of the TSIG keys are not group owned by the above account, this is a finding.
Fix Text (F-78793r1_fix)
Change the group ownership of the TSIG keys to the named process group.

# chgrp