Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4490 | DNS0495 | SV-4490r1_rule | ECAR-1 ECAR-2 ECAR-3 ECSC-1 | Low |
Description |
---|
Forensic analysis of security incidents and day-to-day monitoring are substantially more difficult if there are no timestamps on log entries. |
STIG | Date |
---|---|
BIND DNS | 2013-07-08 |
Check Text ( C-3554r1_chk ) |
---|
BIND Instruction: Based on the logging statement in named.conf, the reviewer can determine where the DNS logs are located. If logging is not configured, then this is a finding. These logs (which in many cases are likely to be the system logs) should be viewed using the UNIX cat or tail commands, a text editor, or – in the case of Windows – the “Event Viewer.” When examining the logs, the reviewer should ensure that entries have timestamps and severity codes. If timestamps and severity codes are not found on one or more entries, then this is a finding. |

The relevant BIND logging syntax is:

```
logging {
    channel channel_name {
        file path_name | syslog syslog_facility;
        severity (critical | error | warning | notice | info | debug [level] | dynamic);
        print-severity yes/no;
        print-time yes/no;
    };
    category category_name { channel_name; [ channel_name; … ] };
};
```

Instruction: If the DNS entries in the logs do not note their severity (i.e., critical, error, warning, notice, or info), then this constitutes a finding.

Windows DNS: Windows DNS software adds timestamps and severity information by default. In cases in which the name server is not running BIND or Windows DNS, the reviewer must still examine the configuration and its documentation to validate this requirement.
Fix Text (F-4375r1_fix) |
---|
The DNS software administrator should configure the DNS software to add timestamps and severity information to each entry in all logs. Configuration details for BIND may be found in the DNS STIG Section 4.2.5. |
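The two parts of this check (that the logging statement turns on timestamps and severity codes for each channel, and that the resulting log entries actually carry them) can be scripted. The Python below is an added example, not part of the STIG text or of BIND's own tooling. The named.conf excerpt and the log lines are constructed samples, and the rule that a syslog channel is not required to set print-time (because the syslog daemon stamps each entry itself) is an assumption made by this example rather than something the check text states.

```python
"""Automated form of the V-4490 check (added example, not part of the STIG text).

Check 1 inspects each channel in the named.conf logging statement: a channel
writing to a file needs print-time on, and every channel needs print-severity
yes (BIND defaults both to no). Assumption made here: a syslog channel is
stamped by the syslog daemon, so print-time is not demanded of it. Check 2
requires each log entry to start with a timestamp and carry a severity token.
"""
import re

# Constructed sample named.conf: one compliant channel, two that are findings.
SAMPLE_NAMED_CONF = """
logging {
    channel default_log {
        file "/var/log/named/named.log" versions 3 size 5m;
        severity info;
        print-time yes;        /* needed: a file gets no other timestamp */
        print-severity yes;
    };
    channel query_log {
        file "/var/log/named/queries.log";
        severity dynamic;
        print-time no;         # finding, and print-severity is absent
    };
    channel sys_log {
        syslog daemon;         # syslog supplies the timestamp (assumption)
        severity notice;       # finding: print-severity absent
    };
    category default { default_log; };
    category queries { query_log; };
    category security { sys_log; };
};
"""
PRINT_TIME_ON = {"yes", "local", "iso8601", "iso8601-utc"}  # values that stamp entries

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out directives are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def extract_block(text, keyword):
    """Return the brace-matched text inside `keyword { ... }`, or None if absent."""
    m = re.search(r"\b%s\s*\{" % re.escape(keyword), text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return None

def check_logging_channels(conf):
    """Map each channel name to its list of findings (empty list = compliant)."""
    body = extract_block(strip_comments(conf), "logging")
    if body is None:  # the check text treats a missing logging statement as a finding
        return {"<no logging statement>": ["logging not configured"]}
    results = {}
    for name, chan in re.findall(r"\bchannel\s+(\S+)\s*\{(.*?)\}", body, flags=re.S):
        findings = []
        to_file = re.search(r"\bfile\b", chan) is not None
        m = re.search(r"\bprint-time\s+([\w-]+)\s*;", chan)
        print_time = m.group(1).lower() if m else "no"      # BIND default
        m = re.search(r"\bprint-severity\s+(yes|no)\s*;", chan, flags=re.I)
        print_severity = m.group(1).lower() if m else "no"  # BIND default
        if to_file and print_time not in PRINT_TIME_ON:
            findings.append("file channel without print-time")
        if print_severity != "yes":
            findings.append("print-severity not enabled")
        results[name] = findings
    return results

# Constructed log entries: three compliant, two that the reviewer would flag.
SAMPLE_LOG_LINES = [
    "08-Jul-2013 14:02:33.123 general: info: zone example.test/IN: loaded serial 2013070801",
    "08-Jul-2013 14:02:35.007 security: warning: client 192.0.2.10#53211: zone transfer denied",
    "Jul  8 14:02:36 ns1 named[4242]: notify: notice: zone example.test/IN: sending notifies",
    "client 192.0.2.10#53211: query: www.example.test IN A +",              # no timestamp, no severity
    "08-Jul-2013 14:02:40.500 zone example.test/IN: refresh: retry limit",  # no severity
]
TIMESTAMP_RE = re.compile(
    r"^(?:\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}"  # print-time yes
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"                     # print-time iso8601
    r"|[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"           # stamped by syslog
)
SEVERITY_RE = re.compile(r"\b(critical|error|warning|notice|info|debug(?: \d+)?):")

def check_log_entries(lines):
    """Return (line_number, problem) pairs for entries lacking a timestamp or severity."""
    problems = []
    for n, line in enumerate(lines, 1):
        if not TIMESTAMP_RE.match(line):
            problems.append((n, "no timestamp"))
        if not SEVERITY_RE.search(line):
            problems.append((n, "no severity"))
    return problems

if __name__ == "__main__":
    print(check_logging_channels(SAMPLE_NAMED_CONF))
    print(check_log_entries(SAMPLE_LOG_LINES))
```

Run as-is it reports the two non-compliant sample channels and the two defective sample entries; in a real review, pass the text of named.conf to check_logging_channels and the lines read from each file named in a channel to check_log_entries. The comment stripping matters because a commented-out `print-time yes;` would otherwise pass a naive grep.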