UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

An integrity checking tool is not installed or not monitoring for modifications to the root.hints and named.conf files.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4479 DNS0440 SV-4479r1_rule ECSC-1 Medium
Description
An integrity checking tool compares file and directory integrity to the baseline. It can alert the system administrator to unauthorized changes in files or directories. Unauthorized changes in files and directories can give a user unauthorized access to system resources. Undetected changes to DNS name server root hints and configuration files is the single greatest risk to the security and stability of the DNS name server. An integrity checking tool (e.g., Tripwire) aids in effectively monitoring and controlling changes to ensure improved security and system availability. This applies to both authoritative and caching name servers.
STIG Date
BIND DNS 2013-01-10

Details

Check Text ( C-3579r1_chk )
UNIX

Instruction: The reviewer must work with the SA to obtain the program name.

In the presence of the reviewer, the SA should enter the following command to confirm the integrity checking tool is installed and running:

ps –ef | grep process name

If an integrity checking tool is not installed and running, then this is a finding.

With the assistance of the SA, confirm that the integrity checking tool is monitoring for any modifications to the root hints and name server’s configuration (e.g., named.conf), if this is not the case, then this is a finding. If using ISC BIND name server software, common names for the root hints file are root.hints, named.cache, or db.cache. The name is configurable within the named.conf file. rndc.conf will be protected in the same manner.

Windows

Instruction: The reviewer must work with the SA to obtain the service name.

Instruction: The reviewer should examine the Windows Services GUI to identify started services (in Windows 2000/2003, right click on “My Computer” and select “Manage”. In the left windowpane, click on “Services and Applications”. A list of services is displayed in the right windowpane. Click on the “Status” column heading to sort by status. The started services will be grouped together). Also check the “Applications” tab of “Task Manager” for applications that do not run as a service (Simultaneously press Ctrl-Alt-Del keys and select the “Applications” tab). The reviewer should be able to determine if an integrity checking tool is installed and running.

If an integrity checking tool is not installed and running, then this is a finding.

With the assistance of the SA, confirm that the integrity checking tool is monitoring for any modifications to the root hints, which can be found C:/Windows/System32/DNS/cache.dns. In addition ensure the tool is checking the zone files. Active directory zone files are stored in the active directory database. The database can be found using the windows search feature and locating the ntds.dit file which is the database. For non-active directory zones, obtain the name of the zone from the DNS management console list of forward zones. Enter the zone name into the windows search and it will display the path to the actual zone files, normally found in a backup directory.

Fix Text (F-4364r1_fix)
The SA should install an integrity checking tool on the name server and configure the tool to monitor for any modifications to the root.hints and name server configuration files.