Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
It is possible to obtain a command shell by logging on to the DNS user account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3619 | DNS4460 | SV-3619r1_rule | ECLP-1 | Low |
| Description |
|---|
| If an intruder gains access to a command shell, the intruder may be able to execute unauthorized commands. |
| STIG | Date |
|---|---|
| BIND DNS STIG | 2015-10-01 |
Details
| Check Text ( C-3464r1_chk ) |
|---|
| The SA should enter the following command (this command assumes that named is running as user dnsuser): grep dnsuser /etc/passwd Based on the command output, the reviewer can identify whether a shell exists for dnsuser. The shell should be /dev/null or /bin/false. If it is a legitimate shell, then this is a finding. |
| Fix Text (F-3550r1_fix) |
|---|
| The SA should edit /etc/passwd and change the shell of the DNS user account to /bin/false, /dev/null, or an alternative producing a similar effect. |