Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4490 | DNS0495 | SV-4490r2_rule | ECAR-1 ECAR-2 ECAR-3 ECSC-1 | Low |
Description |
---|
Forensic analysis of security incidents and day-to-day monitoring are substantially more difficult if there are no timestamps on log entries. |
STIG | Date |
---|---|
BIND DNS STIG | 2015-01-05 |
Check Text ( C-3554r1_chk ) |
---|
BIND Instruction: Based on the logging statement in named.conf, the reviewer can determine where the DNS logs are located. If there logging is not configured, then this is a finding. These logs (which in many cases are likely to be the system logs), should be viewed using the UNIX cat or tail commands, a text editor, or – in the case of Windows – the “Event Viewer.” When examining the logs, the reviewer should ensure that entries have timestamps and severity codes. If timestamps and severity codes are not found on one or more entries, then this is a finding. logging { channel channel_name file path_name | syslog syslog_facility severity (critical | error | warning | notice | info | debug [level]| dynamic);] print-severity yes/no; print-time yes/no; }; category category_name { channel_name ; [ channel_name ; … }; }; Instruction: If the DNS entries in the logs do not note their severity (i.e., critical, error, warning, notice, or info), then this constitutes a finding. Windows DNS Windows DNS software adds timestamps and severity information by default. In cases in which the name server is not running BIND or Windows DNS, the reviewer must still examine the configuration and its documentation to validate this requirement. |
Fix Text (F-4375r1_fix) |
---|
The DNS software administrator should configure the DNS software to add timestamps and severity information to each entry in all logs. Configuration details for BIND may be found in the DNS STIG Section 4.2.5. |