
Permissions on files containing DNS encryption keys are inadequate.


Overview

Finding ID: V-4475
Version: DNS0420
Rule ID: SV-4475r2_rule
IA Controls: ECCD-1, ECCD-2, ECSC-1
Severity: Medium
Description
Weak permissions could allow an intruder to view or modify DNS encryption key files (in BIND, the TSIG shared secrets and DNSSEC private keys). An attacker who can read a TSIG secret can forge the dynamic updates, zone transfers and control-channel traffic it authenticates, and one who can modify the file can substitute a key of their own. These files should never be readable by Other or Everyone.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text (C-3493r1_chk)
UNIX

Instruction: The reviewer must work with the SA to obtain the user name under which the named process runs.

In the presence of the reviewer, the SA should enter the following command to obtain the owner of the named process:

ps -ef | grep named

The location of the key files can be found by examining the key statements in /etc/named.conf; BIND commonly pulls key files such as rndc.key in with include statements, so check those as well. In the presence of the reviewer, the SA should enter the following command while in the directory containing the DNS encryption keys:

ls -la 'encryption_key_file'

If the DNS encryption key files have permissions weaker than 640 (any permission for Other, or write or execute permission for Group), then this is a finding. Mode 640 still grants read access to the file's group, so also confirm that the group is the one the named process runs under and not a general-purpose group.
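The following script automates the UNIX check above. It is an added example, not part of the STIG or of BIND: it looks up the user the named process runs as, extracts the key files that named.conf pulls in with include statements (an assumption about how the keys are referenced; DNSSEC private keys kept in the key directory must be added by hand), and reports any file whose mode is weaker than 640. It assumes GNU coreutils stat and falls back to BSD stat.

```shell
#!/bin/sh
# Added example, not part of the STIG: automate the DNS0420 UNIX check.
# Assumptions (not from the STIG): GNU coreutils stat with a fallback to
# BSD stat; key files are referenced from named.conf by `include "..."`
# statements (for example rndc.key). DNSSEC private keys (K*.private) in
# the key directory are not found this way and must be listed by hand.

# Print the user the named process runs as (empty if named is not running).
named_user() {
    ps -eo user=,comm= 2>/dev/null | awk '$2 == "named" { print $1; exit }'
}

# Permission bits (octal digits, e.g. 640) and owner/group of a file.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_group() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# Return 0 when the mode is no weaker than 640: nothing for Other, and no
# write or execute for Group. A leading set-id/sticky digit (e.g. 1640)
# is ignored because only the last two digits are examined.
mode_ok() {
    m=$1
    o=$(( m % 10 ))        # other
    g=$(( m / 10 % 10 ))   # group
    [ "$o" -eq 0 ] && [ $(( g & 3 )) -eq 0 ]
}

# List the files named.conf pulls in with include statements.
key_files_from_conf() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Audit one key file. Returns 0 when compliant, 1 when it is a finding.
# Owner and group are printed so the reviewer can confirm that the group
# granted read access is the named group and not a general-purpose one.
check_key_file() {
    f=$1
    [ -e "$f" ] || { echo "MISSING  $f"; return 1; }
    mode=$(file_mode "$f")
    if mode_ok "$mode"; then
        echo "OK       $f mode $mode owner $(file_owner "$f") group $(file_group "$f")"
    else
        echo "FINDING  $f mode $mode is weaker than 640"
        return 1
    fi
}

# Audit every key file referenced by the named.conf given as $1.
# Returns 1 if any file is a finding, 0 otherwise.
audit_named_keys() {
    conf=$1
    rc=0
    u=$(named_user)
    echo "named runs as: ${u:-(not running)}"
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        check_key_file "$f" || rc=1
    done <<EOF
$(key_files_from_conf "$conf")
EOF
    return $rc
}

# Usage: sh check_dns_keys.sh /etc/named.conf
if [ $# -gt 0 ]; then
    audit_named_keys "$1"
fi
```

Run it as the SA in the reviewer's presence with the path to named.conf; a non-zero exit status means at least one key file is a finding. The OK lines still need a human look at the owner and group columns, because 640 is only acceptable when the group that can read the file is the one named runs under.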

Windows with BIND

Instruction: The reviewer must work with the SA to obtain the owner of named.exe.
In the presence of the reviewer, the SA should right-click on the named.exe file and select Properties | Security tab | Advanced | Owner tab.

For each DNS encryption key file listed in the key statements (and include statements) of c:\named\etc\named.conf, right-click on the file and select Properties | Security tab.

If the DNS encryption key files have permissions that allow read access to anyone beyond the owner of named.exe, then this is a finding.
Fix Text (F-4360r1_fix)
The SA should modify the permissions of the files containing DNS encryption keys so that only the account under which the DNS software (the named process) runs has read access to these files.