UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The SA has not configured BIND in a chroot(ed) directory structure.


Overview

Finding ID Version Rule ID IA Controls Severity
V-12967 DNS4445 SV-13535r2_rule ECLP-1 Low
Description
With any network service, there is the potential that an attacker can exploit a vulnerability within the program that allows the attacker to gain control of the process and even run system commands with that control. One possible defense against this attack is to limit the software to particular quarantined areas of the file system, memory or both. This effectively restricts the service so that it will not have access to the full file system. If such a defense were in place, then even if an attacker gained control of the process, the attacker would be unable to reach other commands or files on the system. This approach often is referred to as a padded cell, jail, or sandbox. All of these terms allude to the fact that the software is contained in an area where it cannot harm either itself or others. A more technical term is a chroot(ed) directory structure. BIND should be configured to run in a padded cell or chroot(ed) directory structure if supported by the operating system
STIG Date
BIND DNS STIG 2015-01-05

Details

Check Text ( C-9626r1_chk )
Review the startup file and make sure -t option is included:

Edit the startup files to start named with the -t option and option argument: -t /var/named. Similarly to syslogd, many modern versions of Unix start named from /etc/rc.d/init.d/named.
Fix Text (F-12413r1_fix)
The SA will ensure BIND is configured in a chroot(ed) directory structure.