Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-33838 | SRG-NET-000006-DNS-000007 | SV-44291r1_rule | | Medium |
Description |
---|
As most accounts in the domain name system are privileged or system level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, not to mention the hosts on the network, is at risk. In order to detect and respond to events affecting user accessibility and DNS service processing, the system must audit account creation and, as required, notify the appropriate individuals, so they can investigate the event to ensure its validity. Such a capability greatly reduces the risk that DNS accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. |
STIG | Date |
---|---|
Domain Name System (DNS) Security Requirements Guide | 2012-10-24 |
Check Text (C-41901r1_chk) |
---|
Review the DNS system and/or configuration files to determine if the system is configured to notify the appropriate individuals when an account has been created. If there is no viewable configuration option, request that the administrator create an account and validate that notifications are sent to the appropriate individuals. If the appropriate individuals are not notified upon account creation, this is a finding. |
Fix Text (F-37768r1_fix) |
---|
Configure the DNS system to notify appropriate individuals upon account creation. The account management functions will be performed by the DNS application if the capability exists. If the capability does not exist, the underlying platform's account management system may be used. |
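
Where the fix falls back to the underlying platform's account management, the sketch below shows one way to turn account-creation audit records into notifications. It is an added example, not part of the SRG; it assumes a Linux host whose syslog carries shadow-utils `useradd` messages, and the host names, addresses and log lines are constructed.

```python
import re
from email.message import EmailMessage

# Assumption: shadow-utils "useradd" syslog records on the DNS server's host OS.
NEW_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\suseradd\[\d+\]:\s"
    r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)

# Constructed sample log; only the "new user" records are account creations.
SAMPLE_LOG = """\
Oct 24 09:14:02 ns1 sshd[2210]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Oct 24 09:15:40 ns1 useradd[2291]: new group: name=dnsops, GID=1005
Oct 24 09:15:40 ns1 useradd[2291]: new user: name=dnsops, UID=1005, GID=1005, home=/home/dnsops, shell=/bin/bash
Oct 24 09:16:11 ns1 named[801]: zone example.test/IN: loaded serial 2012102401
Oct 24 09:20:03 ns1 useradd[2350]: new user: name=svc-zonexfer, UID=0, GID=0, home=/root, shell=/bin/sh
"""

def find_account_creations(log_text):
    """Return one dict per account-creation record found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = NEW_USER.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["uid"] = int(ev["uid"])
        ev["privileged"] = ev["uid"] == 0  # UID 0 is root-equivalent
        ev["raw"] = line                   # keep the record for forensics
        events.append(ev)
    return events

def build_notification(event, recipients, sender="dns-audit@example.test"):
    """Build (not send) the message for the individuals who must be notified."""
    msg = EmailMessage()
    flag = "PRIVILEGED " if event["privileged"] else ""
    msg["Subject"] = (f"[{event['host']}] {flag}account created: "
                      f"{event['name']} (UID {event['uid']})")
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content(f"Logged at {event['ts']} on {event['host']}.\n"
                    f"Validate this account creation.\n\n{event['raw']}\n")
    return msg

if __name__ == "__main__":
    for ev in find_account_creations(SAMPLE_LOG):
        print(build_notification(ev, ["issm@example.test"])["Subject"])
```

During the check, creating a test account and confirming that a matching message reaches each listed recipient validates the notification path end to end.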