Inadequate file permissions on BIND name servers.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-12966 | DNS4480 | SV-13534r1_rule | ECCD-1 ECCD-2 | Medium |
| Description |
|---|
| Weak permissions could allow an intruder to view or modify zone, configuration and/or program files. |
| STIG | Date |
|---|---|
| BIND DNS | 2013-01-10 |
Details
| Check Text ( C-9625r1_chk ) |
|---|
| On BIND name servers, the following permissions must be set: named.run - owner: root, group: dnsgroup, permissions: 660 named_dump.db - owner: root, group: dnsgroup, permissions: 660 ndc (FIFO) - owner: root, group: dnsgroup, permissions: 660 ndc.d (directory containing ndc) - owner: root, group: dnsgroup, permissions: 700 The following must be set on log files: any log file - owner: dnsuser, group: dnsgroup, permissions: 660 The following must be set on TSIG keys: unique to each key - owner: dnsuser, group: dnsgroup, permissions: 400 |
| Fix Text (F-12412r1_fix) |
|---|
| The SA will ensure that the file permissions on BIND 8 files as well as the log and TSIG key files are set in accordance with the DNS STIG requirements. |