
Users or processes other than the DNS software administrator and the DNS software PID have read access to the DNS software configuration files and/or users other than the DNS software administrator have write access to these files.


Overview

Finding ID: V-4477
Version: DNS0430
Rule ID: SV-4477r2_rule
IA Controls: ECCD-1, ECCD-2
Severity: Medium
Description
Weak permissions on key DNS configuration files could allow an intruder to view or modify DNS name server configuration files.
STIG: BIND DNS STIG
Date: 2014-04-01

Details

Check Text ( C-46501r1_chk )
UNIX

Instruction: The reviewer must work with the SA to obtain the username and groupname of the DNS software administrator and the username under which the named daemon process runs.

In the presence of the reviewer, the SA should enter the following command to obtain the owner of the named process:

ps -ef | grep named

There are different ways (e.g., the password/group files, NIS+, etc.) to obtain the DNS software administrator's username and groupname. The reviewer is to work with the SA to obtain this information based on the configuration of the site's UNIX OS.

In the presence of the reviewer, the SA should enter the following command for named.conf, and repeat it for each of the other DNS configuration files (for example, the zone files) in the directory containing them:

ls -l /etc/named.conf

This is a finding if any DNS configuration file is writable by anyone other than the DNS software administrator, or readable by anyone other than the DNS software administrator and the owner of the named process.

Windows

For ISC BIND:
Instruction: The reviewer must work with the SA to obtain the username and groupname of the DNS software administrator and the owner of the named.exe or dns.exe program.

In the presence of the reviewer, the SA should right-click on the named.exe or dns.exe file and select Properties | Security tab | Advanced | Owner tab.

The reviewer should ask the SA for the location of the ISC BIND named.conf/zone files. For each DNS configuration file, right-click on the file and select Properties | Security tab.

This is a finding if any DNS configuration file is writable by anyone other than the DNS software administrator, or readable by anyone other than the DNS software administrator and the owner of the named.exe or dns.exe program.

For Windows DNS:

Open the DNS management console and expand the Forward Lookup Zones. Right click on each zone and select Properties. Select the Security tab.

In order to accommodate Secure Dynamic Updates the “Authenticated Users” group must have Create/Delete Child objects permission.

This is a finding if the DNS configuration files or zones are writable by anyone other than the DNS software administrator, or carry write permissions beyond those needed to accommodate Secure Dynamic Updates.

This is a finding if the DNS configuration files or zones are readable by anyone other than the DNS software administrator or the owner of dns.exe, beyond the permissions needed to accommodate Secure Dynamic Updates.


Fix Text (F-44112r1_fix)
The SA should modify permissions of the DNS name server configuration files so that only the DNS software administrator and the account under which the DNS software runs (the owner of the named process) have read access to the DNS software configuration files.

On Windows DNS, the SA should set permissions on the DNS zones so that "Authenticated Users" has Create/Delete Child Object permission, which is required to support Secure Dynamic Updates.

The SA should modify permissions to limit all other write access to the DNS configuration files to the DNS software administrator only.
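The UNIX check text above (identify the named process owner, then inspect each configuration file with ls -l) and the fix text can both be carried out with a small script. The following is an added example, not part of the STIG or of BIND; it assumes GNU coreutils stat and a procps-style ps, and the function names, the script file name in the usage comment, and the ownership model it enforces (file owned by the DNS software administrator, group-owned by the group the named daemon runs under, mode 640) are this example's own choices.

```shell
#!/bin/sh
# Added example for DNS0430 (not STIG or BIND code): audit, and optionally
# remediate, permissions on BIND configuration files on a UNIX/Linux host.
# Assumes GNU coreutils `stat` and a procps-style `ps`. Function names and the
# ownership model (admin user owns the file, the named daemon's group is the
# group owner, mode 640) are this example's own assumptions.

# Print the account the named daemon runs under (mirrors "ps -ef | grep named").
named_user() {
    ps -eo user=,comm= | awk '$2 == "named" { print $1; exit }'
}

# check_dns_file FILE ADMIN_USER NAMED_GROUP
# Returns 0 if FILE is readable only by ADMIN_USER (owner) and NAMED_GROUP
# (group owner) and writable only by ADMIN_USER; otherwise prints the reason
# and returns 1, i.e. a finding.
check_dns_file() {
    file=$1; admin=$2; named_group=$3
    [ -e "$file" ] || { echo "FINDING  $file: does not exist"; return 1; }
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1; owner=$2; group=$3
    # Reduce the octal mode to its last three digits (drop setuid/setgid/sticky).
    while [ ${#mode} -lt 3 ]; do mode="0$mode"; done
    mode=${mode#"${mode%???}"}
    grp=${mode%?}; grp=${grp#?}      # group permission digit
    oth=${mode#??}                   # other permission digit
    reason=""
    [ "$owner" = "$admin" ]       || reason="$reason owner=$owner (expected $admin);"
    [ "$group" = "$named_group" ] || reason="$reason group=$group (expected $named_group);"
    [ "$oth" = 0 ]                || reason="$reason others have access;"
    [ $(( $grp & 2 )) -eq 0 ]     || reason="$reason group is writable;"
    if [ -z "$reason" ]; then
        echo "PASS     $file $mode $owner:$group"
        return 0
    fi
    echo "FINDING  $file $mode $owner:$group ->$reason"
    return 1
}

# fix_dns_file FILE ADMIN_USER NAMED_GROUP
# Remediation per the Fix Text: owner and group as given, read for the owner
# and the daemon's group only, write for the owner only (mode 640).
fix_dns_file() {
    chown "$2:$3" "$1" && chmod u=rw,g=r,o= "$1"
}

# audit_dns_files ADMIN_USER NAMED_GROUP FILE...
# Checks every file and returns 1 if any of them is a finding.
audit_dns_files() {
    admin=$1; named_group=$2; shift 2
    rc=0
    for f in "$@"; do
        check_dns_file "$f" "$admin" "$named_group" || rc=1
    done
    return $rc
}

# Usage (run as root on the name server; file name is hypothetical):
#   sh dns0430_audit.sh root named /etc/named.conf /var/named/*.zone
if [ $# -ge 3 ]; then
    audit_dns_files "$@"
fi
```

The group-owner comparison is the part reviewers most often get wrong: a file that is 640 root:root on a server where named runs as the named user is not readable by the daemon at all, while 640 root:named matches the rule exactly. Zone files that the daemon must write (dynamic-update or slave zones) need their own owner and are outside this rule's read-only model.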