The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-207565 | BIND-9X-001112 | SV-207565r612253_rule | Medium |
| Description |
|---|
| Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective. |
| STIG | Date |
|---|---|
| BIND 9.x Security Technical Implementation Guide | 2021-06-23 |
Details
| Check Text ( C-7820r283749_chk ) |
|---|
| Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users: With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation: # ls –al -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If the key files are more permissive than 600, this is a finding. |
| Fix Text (F-7820r283750_fix) |
|---|
| Change the permissions of the TSIG key files: # chmod 600 |