UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Inadequate file permissions on BIND name servers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-12966 DNS4480 SV-13534r1_rule ECCD-1 ECCD-2 Medium
Description
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.
STIG Date
BIND DNS 2013-01-10

Details

Check Text ( C-9625r1_chk )
On BIND name servers, the following permissions must be set:

named.run - owner: root, group: dnsgroup, permissions: 660
named_dump.db - owner: root, group: dnsgroup, permissions: 660
ndc (FIFO) - owner: root, group: dnsgroup, permissions: 660
ndc.d (directory containing ndc) - owner: root, group: dnsgroup, permissions: 700

The following must be set on log files:
any log file - owner: dnsuser, group: dnsgroup, permissions: 660

The following must be set on TSIG keys:

unique to each key - owner: dnsuser, group: dnsgroup, permissions: 400
Fix Text (F-12412r1_fix)
The SA will ensure that the file permissions on BIND 8 files as well as the log and TSIG key files are set in accordance with the DNS STIG requirements.