Permissions on critical UNIX name server files are not as restrictive as required.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3620 | DNS4470 | SV-3620r1_rule | ECCD-1 ECCD-2 | Medium |
| Description |
|---|
| Weak permissions could allow an intruder to view or modify zone, configuration and/or program files. |
| STIG | Date |
|---|---|
| BIND DNS STIG | 2015-10-01 |
Details
| Check Text ( C-3465r1_chk ) |
|---|
| Using the ls –l command from the directory containing the core BIND files, check that the permissions for the files listed are at least as restrictive as those listed: named.conf - owner: root, group: dnsgroup, permissions: 640 named.pid - owner: root, group: dnsgroup, permissions: 600 root hints - owner: root, group: dnsgroup, permissions: 640 master zone file - owner: root, group: dnsgroup, permissions: 640 slave zone file - owner: root, group: dnsgroup, permissions: 660 The name of the root hints file is defined in named.conf. Common names for the file are root.hints, named.cache, or db.cache. |
| Fix Text (F-3551r1_fix) |
|---|
| The SA should modify permissions so that they are at least as restrictive as specified in the DNS STIG. |