The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207546	BIND-9X-001040	SV-207546r879582_rule		Low

Description
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.

Description

Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.

STIG	Date
BIND 9.x Security Technical Implementation Guide	2024-02-15

Details

Check Text ( C-7801r744224_chk )
Verify that the BIND 9.x server is configured to send audit logs to the syslog service. NOTE: syslog and local file channel must be defined for every defined category. Inspect the "named.conf" file for the following: logging { channel { syslog ; }; category { ; }; If a logging channel is not defined for syslog, this is a finding. If a category is not defined to send messages to the syslog channel, this is a finding. Ensure audit records are forwarded to a remote server: # grep "\.\" /etc/syslog.conf \|grep "@" \| grep -v "^#" (for syslog) or: # grep "\.\" /etc/rsyslog.conf \| grep "@" \| grep -v "^#" (for rsyslog) If neither of these lines exist, this is a finding.

Check Text ( C-7801r744224_chk )

Verify that the BIND 9.x server is configured to send audit logs to the syslog service.

NOTE: syslog and local file channel must be defined for every defined category.

Inspect the "named.conf" file for the following:

logging {
channel {
syslog ;
};

category { ; };

If a logging channel is not defined for syslog, this is a finding.

If a category is not defined to send messages to the syslog channel, this is a finding.

Ensure audit records are forwarded to a remote server:

# grep "\*.\*" /etc/syslog.conf |grep "@" | grep -v "^#" (for syslog)
or:
# grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#" (for rsyslog)

If neither of these lines exist, this is a finding.

Fix Text (F-7801r283693_fix)
Configure the "logging" statement to send audit logs to the syslog daemon. logging { channel { syslog ; }; category { ; }; }; Note: It is recommended to use a local syslog facility (i.e. local0 -7) when configuring the syslog channel. Restart the BIND 9.x process. Configure the (r)syslog daemon to send audit logs to a remote server.