
The DNS software must log success and failure events when starting and stopping of the name server service daemon, zone transfers, zone update notifications, and dynamic updates.


Overview

Finding ID: V-4488
Version: DNS0485
Rule ID: SV-4488r3_rule
IA Controls: ECAT-1, ECAT-2
Severity: High
Description
Logging must be comprehensive to be useful for both intrusion monitoring and security investigations. Setting logging at the severity notice should capture most relevant events without requiring unacceptable levels of data storage. The severity levels info and debug are also available to organizations that require additional logging for certain events or applications.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text (C-3547r2_chk)
The default logging level was changed in BIND version 9.7; starting at that version, logging is set to the debugging level by default. Therefore, if the logging statement is missing AND the version is 9.7 or more recent, this is NOT a finding.

For a BIND configuration for versions before 9.7, if a logging statement is present, it will have the form:

logging {
    channel channel_name {
        file path_name | syslog syslog_facility;
        severity (critical | error | warning | notice | info | debug [level] | dynamic);
        print-severity yes/no;
        print-time yes/no;
    };

    category category_name {
        channel_name; [ channel_name; … ]
    };
};

Instruction: If a logging statement is not present and the BIND version is prior to 9.7, then this is a finding. The reviewer will look at the severity clause in each of the channel phrases of the logging statement. It should read either notice, info or debug for each defined channel (although debug would not typically appear unless the review is concurrent with a troubleshooting effort). If the logging statement is not properly configured, then this is a finding.

NOTE: Debug level may cause operational issues due to log file sizes and is therefore not a requirement for anything other than troubleshooting purposes.

Windows DNS

Instruction: For a Windows 2003 DNS configuration: On the “Logging” tab or “Debug Logging” tab of the “DNS Server Properties” dialog box, if “Notify” and “Update” under “Log packets for” are not checked, then this is a finding.

Mitigation:
A violation of this requirement can have one of two severity levels depending upon the extent of the violation. If no logging exists, then the discrepancy would be a Category I finding. If some logging exists, but not for all of the events listed, then the discrepancy would be a Category II finding.
Fix Text (F-4373r1_fix)
The DNS software administrator will configure the DNS software to log, at a minimum, success and failure of the following events:

- start and stop of the name server service or daemon
- zone transfers
- zone update notifications
- dynamic updates
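
As an added example that is not part of the STIG text, the following Python script applies the BIND check above to a named.conf logging statement: it parses each channel's severity and each category's routing, flags channels whose severity is not notice, info or debug, and grades the result as a Category I or Category II finding as the Mitigation section describes. The mapping of the four fix-text events to BIND 9 category names (general, xfer-in, xfer-out, notify, update, update-security), the BIND default severity of info, and the sample configuration are assumptions of this example.

```python
import re
# Constructed named.conf fragment in the form the check text shows: one channel
# at "notice" (accepted) and one at "warning" (a finding); "general" is never routed.
SAMPLE_NAMED_CONF = """
logging {
    channel audit_log {
        file "/var/log/named/audit.log" versions 5 size 20m;
        severity notice;
        print-time yes;
    };
    channel quiet_log { syslog daemon; severity warning; };
    category xfer-in  { audit_log; };
    category xfer-out { audit_log; };
    category notify   { audit_log; };
    category update   { quiet_log; };
};
"""
ACCEPTED = {"notice", "info", "debug"}  # severities the check text accepts

# Assumed mapping from the STIG's four events to BIND 9 logging categories.
REQUIRED_CATEGORIES = {
    "start/stop of named": {"general"},
    "zone transfers": {"xfer-in", "xfer-out"},
    "zone update notifications": {"notify"},
    "dynamic updates": {"update", "update-security"},
}

def parse_logging(conf):
    # Returns ({channel: severity}, {category: [channels]}), or (None, None) if absent.
    m = re.search(r"\blogging\s*\{(.*)\};", conf, re.S)
    if not m:
        return None, None
    channels, categories = {}, {}
    for name, body in re.findall(r"channel\s+(\S+)\s*\{(.*?)\};", m.group(1), re.S):
        sev = re.search(r"severity\s+(\w+)", body)
        channels[name] = sev.group(1) if sev else "info"  # assumed BIND default severity
    for name, body in re.findall(r"category\s+([\w-]+)\s*\{(.*?)\};", m.group(1), re.S):
        categories[name] = re.findall(r"[\w.-]+", body)
    return channels, categories

def evaluate(conf, bind_version=(9, 6)):
    # Applies the check text; returns (finding category or None, list of reasons).
    channels, categories = parse_logging(conf)
    if channels is None:  # a missing statement is only a finding before 9.7
        return (None, []) if bind_version >= (9, 7) else ("CAT I", ["no logging statement"])
    reasons = [f"channel {n}: severity {s} is not notice/info/debug"
               for n, s in channels.items() if s not in ACCEPTED]
    for event, cats in REQUIRED_CATEGORIES.items():
        routed = [ch for c in sorted(cats) for ch in categories.get(c, [])]
        if not any(channels.get(ch) in ACCEPTED for ch in routed):
            reasons.append(f"{event}: no channel at an accepted severity ({', '.join(sorted(cats))})")
    return ("CAT II" if reasons else None), reasons
```

Running `evaluate(SAMPLE_NAMED_CONF)` on the sample yields a Category II finding with three reasons (the warning-level channel, no category for start/stop, and dynamic updates not logged at an accepted severity).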