
It is possible to obtain a command shell by logging on to the DNS user account.


Overview

Finding ID: V-3619
Version: DNS4460
Rule ID: SV-3619r1_rule
IA Controls: ECLP-1
Severity: Low

Description: If an intruder gains access to a command shell, the intruder may be able to execute unauthorized commands.

STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text ( C-3464r1_chk )
The SA should enter the following command (this command assumes that named is running as user dnsuser):

grep dnsuser /etc/passwd

The login shell is the last colon-separated field of the matching line, so the reviewer can identify from the command output whether a shell exists for dnsuser. The shell should be /dev/null or /bin/false. If the field contains a working login shell, this is a finding.
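The same check written as a small script, added here as an example rather than part of the STIG: it reads the login shell field for the account that runs named and reports whether the finding applies. The account name dnsuser follows the STIG's assumption, the passwd data is constructed for the demo, and treating the nologin binaries as compliant is an assumption based on the Fix Text's "alternative producing a similar effect".

```shell
# Added example (not STIG text): evaluate V-3619 against a passwd-format file.
# Assumptions: account name and file path are parameters; sample data below
# is constructed; nologin variants are treated as equivalent to /bin/false.

# Print the login shell (7th colon-separated field) of a user, or nothing
# if the account does not exist in the file.
passwd_shell() {
    # $1 = username, $2 = passwd file
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# Return 0 when the shell cannot be used for an interactive logon.
# /bin/false and /dev/null are the values named in the STIG; the nologin
# paths are the common "alternative producing a similar effect" (assumption).
shell_is_noninteractive() {
    case "$1" in
        /bin/false|/dev/null|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Evaluate one account. Returns 0 for "not a finding", 1 for "finding",
# 2 when the account is missing from the file.
check_dns_shell() {
    user="$1"; file="${2:-/etc/passwd}"
    shell=$(passwd_shell "$user" "$file")
    if [ -z "$shell" ]; then
        echo "$user: account not found in $file"
        return 2
    fi
    if shell_is_noninteractive "$shell"; then
        echo "$user: shell is $shell (not a finding)"
        return 0
    fi
    echo "$user: shell is $shell (FINDING: interactive shell)"
    return 1
}

# Constructed sample passwd data: one compliant account, one that is a finding.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dnsuser:x:501:501:BIND daemon:/var/named:/bin/false
dnsbad:x:502:502:BIND daemon:/var/named:/bin/bash
EOF

check_dns_shell dnsuser "$SAMPLE_PASSWD"          # not a finding
check_dns_shell dnsbad "$SAMPLE_PASSWD" || true   # finding
```

Run it against the real file with `check_dns_shell dnsuser /etc/passwd` on the host being reviewed.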
Fix Text (F-3550r1_fix)
The SA should edit /etc/passwd and change the shell of the DNS user account to /bin/false, /dev/null, or an alternative producing a similar effect.