UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Permissions on critical UNIX name server files are not as restrictive as required.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3620 DNS4470 SV-3620r1_rule ECCD-1 ECCD-2 Medium
Description
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.
STIG Date
BIND DNS STIG 2014-04-01

Details

Check Text ( C-3465r1_chk )
Using the ls –l command from the directory containing the core BIND files, check that the permissions for the files listed are at least as restrictive as those listed:

named.conf - owner: root, group: dnsgroup, permissions: 640
named.pid - owner: root, group: dnsgroup, permissions: 600
root hints - owner: root, group: dnsgroup, permissions: 640
master zone file - owner: root, group: dnsgroup, permissions: 640
slave zone file - owner: root, group: dnsgroup, permissions: 660

The name of the root hints file is defined in named.conf. Common names for the file are root.hints, named.cache, or db.cache.

Fix Text (F-3551r1_fix)
The SA should modify permissions so that they are at least as restrictive as specified in the DNS STIG.