
Inadequate file permissions on BIND name servers.


Overview

Finding ID: V-12966
Version: DNS4480
Rule ID: SV-13534r3_rule
IA Controls: ECCD-1, ECCD-2
Severity: Medium
Description
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text ( C-9625r2_chk )
On BIND name servers, the following files must have at least the ownership and permissions listed below; more restrictive settings are acceptable:

named.run - owner: root, group: dnsgroup, permissions: 660
named_dump.db - owner: root, group: dnsgroup, permissions: 660
ndc (FIFO) - owner: root, group: dnsgroup, permissions: 660
ndc.d (directory containing the ndc FIFO) - owner: root, group: dnsgroup, permissions: 700

The following must be set on log files:

any log file - owner: dnsuser, group: dnsgroup, permissions: 660

The following must be set on TSIG keys:

each TSIG key file (one file per key) - owner: dnsuser, group: dnsgroup, permissions: 400

More restrictive permissions are recommended and are not a finding (for example, 600 instead of 660 on named.run). A mode counts as more restrictive only if it grants no permission bit that the required mode lacks: 440 grants group read, which 400 does not, so it is not a more restrictive setting for a TSIG key file.

If any of these files is owned by a different user or group, or its permissions are not the required value or more restrictive, this is a finding.
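The following POSIX shell script is an added example of how an SA could run the check above; it is not part of the STIG text. It compares each file's owner, group and mode against the required values and treats a mode as compliant only when it sets no bit outside the required mode (so 600 passes a 660 requirement, 664 or a setuid bit does not). It assumes GNU coreutils stat (with a BSD/macOS stat fallback), the dnsuser and dnsgroup account names from the check, and a base directory given on the command line, because the check text names no path for the BIND 8 files.

```shell
#!/bin/sh
# Added example: audit BIND file ownership and modes against the check text.
# Assumes GNU coreutils stat (BSD stat fallback) and the account names
# dnsuser/dnsgroup used in the STIG.

# Print "mode owner group" for a path, e.g. "660 root dnsgroup".
file_meta() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# check_perms PATH OWNER GROUP MAXMODE
# Returns 0 when PATH is owned by OWNER:GROUP and its mode sets no bit that
# MAXMODE does not set; returns 1 on a finding and 2 when PATH is missing.
check_perms() {
    path=$1 want_owner=$2 want_group=$3 max_mode=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    set -- $(file_meta "$path")
    mode=$1 owner=$2 group=$3 bad=0
    if [ "$owner" != "$want_owner" ]; then
        echo "FINDING  $path owner is $owner, required $want_owner"; bad=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FINDING  $path group is $group, required $want_group"; bad=1
    fi
    # The leading 0 makes the shell read both values as octal. Any bit left
    # after masking with the complement of the maximum is one the STIG forbids;
    # this also catches setuid/setgid/sticky bits such as 4660.
    if [ $(( 0$mode & ~0$max_mode )) -ne 0 ]; then
        echo "FINDING  $path mode $mode is less restrictive than $max_mode"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK       $path $owner:$group $mode"
    return "$bad"
}

# audit_bind_files BASEDIR [DNSGROUP]
# Walks the table of BIND 8 files from the check text. BASEDIR is an assumption
# (the STIG names no directory). Log files and TSIG key files live in
# site-specific places, so pass them to check_perms individually, e.g.
#   check_perms /var/log/named.log dnsuser dnsgroup 660
#   check_perms /etc/named/keys/ns1-ns2.key dnsuser dnsgroup 400
audit_bind_files() {
    base=$1 dnsgroup=${2:-dnsgroup} total=0
    for entry in "named.run 660" "named_dump.db 660" "ndc.d/ndc 660" "ndc.d 700"; do
        set -- $entry
        check_perms "$base/$1" root "$dnsgroup" "$2" || total=1
    done
    # The check text says ndc is a FIFO; a regular file there is worth a look.
    if [ -e "$base/ndc.d/ndc" ] && [ ! -p "$base/ndc.d/ndc" ]; then
        echo "NOTE     $base/ndc.d/ndc exists but is not a FIFO"
    fi
    return "$total"
}

# Usage: sh audit.sh /path/to/bind/working/dir [dnsgroup]
if [ $# -gt 0 ]; then
    audit_bind_files "$1" "${2:-dnsgroup}"
fi
```

Run it as root on the name server so every file is readable by stat; a non-zero exit status means at least one finding or missing file was reported.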
Fix Text (F-12412r1_fix)
The SA will set the ownership and permissions of the BIND 8 files listed in the check (named.run, named_dump.db, the ndc FIFO and its ndc.d directory), the log files, and the TSIG key files to the values required by the DNS STIG, or to more restrictive ones.