
The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.


Overview

Finding ID: V-207563
Version: BIND-9X-001110
Rule ID: SV-207563r612253_rule
IA Controls:
Severity: Medium
Description
Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.
STIG: BIND 9.x Security Technical Implementation Guide
Date: 2021-06-23

Details

Check Text ( C-7818r283743_chk )
With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation.

Identify the account that the "named" process is running as:

# ps -ef | grep named
named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot

With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation.

# ls -al
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key

If any of the TSIG keys are not owned by the above account, this is a finding.
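The check above can be scripted so it is repeatable across many key files. The following POSIX shell snippet is an added example, not text from the STIG: it reads the account the "named" process runs as from ps (the same information the ps command above shows), then compares the owner of each supplied key file against it and reports a finding for any mismatch. The function names, the file paths in the usage comment, and the use of stat with a BSD fallback are assumptions of this example; under a chrooted named (the -t option in the ps output), pass the key paths as they appear on the host, under the chroot directory.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit TSIG key file ownership
# against the account the named process is running as.

# Print the user that the "named" process runs as (empty if not running).
# Assumes a ps that supports -o user=,comm= (Linux procps and BSD ps do).
named_user() {
  ps -eo user=,comm= 2>/dev/null | awk '$2 == "named" { print $1; exit }'
}

# Print the owning user of a file; GNU stat first, BSD stat as fallback.
file_owner() {
  stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_key_owner <expected_user> <keyfile>...
# Prints "OK <file>" or "FINDING <file> owner=<owner>" per file and returns
# non-zero if any key file is missing or not owned by <expected_user>,
# which is the STIG finding condition.
check_key_owner() {
  expected="$1"; shift
  rc=0
  for f in "$@"; do
    if [ ! -e "$f" ]; then
      echo "MISSING $f"
      rc=1
      continue
    fi
    owner=$(file_owner "$f")
    if [ "$owner" = "$expected" ]; then
      echo "OK $f"
    else
      echo "FINDING $f owner=$owner"
      rc=1
    fi
  done
  return "$rc"
}

# Usage (paths are hypothetical):
#   check_key_owner "$(named_user)" /var/named/chroot/etc/tsig-example.key
```

The function deliberately reports missing files as well, since a key path supplied by the DNS Administrator that does not exist is itself worth resolving before the check is signed off.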
Fix Text (F-7818r283744_fix)
Change the ownership of the TSIG keys to the account that the named process is running as.

# chown .