
The DNS implementation must automatically audit account disabling actions.


Overview

Finding ID: V-33847
Version: SRG-NET-000009-DNS-000010
Rule ID: SV-44300r1_rule
IA Controls: none listed
Severity: Medium
Description
Because most accounts on a DNS server are privileged or system-level accounts, account management and distribution is vital to the security of the DNS implementation and infrastructure. If an attacker compromises an account, the entire DNS infrastructure, and every host that depends on it for name resolution, is at risk. Authentication for user or administrative access to the system is required at all times. Accounts identify individual application users or the application processes themselves, so when an account is disabled, user or service accessibility may be affected.

In order to detect and respond to events affecting user accessibility and DNS service processing, the system must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event to ensure its validity. Such a capability greatly reduces the risk that DNS accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-41904r1_chk)
Review the DNS system and/or its configuration files to determine whether account disabling is audited and an audit record is generated. If there is no viewable, configurable option, request that the administrator disable an account and then view the logs generated to validate that the account disabling was logged. If account disabling is not audited, this is a finding.
Fix Text (F-37777r1_fix)
Configure the DNS system to audit all account disabling actions.

Auditing functions will be performed by the DNS application if the capability exists. If the capability does not exist, the underlying platform's audit system may be used. In either case the record should identify the account that was disabled, who disabled it and when, because the description requires that the event be investigated for validity.
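As an added example (not part of the SRG, and not any vendor's code), the following Python script shows the platform-audit route the fix text allows. It assumes a Linux DNS host, such as one running BIND, whose administrative accounts are local OS accounts and whose platform audit system is auditd. It carries an assumed auditd rule set that tags the lock/expire tools and writes to the account database with a key, and a parser that performs the check text's validation step over constructed audit records: it reconstructs the disabling events and confirms that a successful, attributable disable of a named account was logged. The rule file, the key name, the account names and the sample records are all assumptions made for the example.

```python
"""Validate that account-disabling actions appear in the host audit trail.

Added example for this SRG entry, not part of the STIG. Assumes a Linux DNS
host whose admin accounts are local OS accounts audited by auditd.
"""
import os
import re
from collections import defaultdict

# Assumed rule set (e.g. /etc/audit/rules.d/dns-accounts.rules). Tool runs and
# account-database writes are tagged so they can be found with
#   ausearch -k account_disable
AUDITD_RULES = """\
-w /usr/sbin/usermod -p x -k account_disable
-w /usr/bin/passwd   -p x -k account_disable
-w /usr/bin/chage    -p x -k account_disable
-w /etc/shadow -p wa -k account_disable
-w /etc/passwd -p wa -k account_disable
"""

# Flags of each tool that disable an account. A past expiry date also disables
# the account, so expiry changes are reported and the date left to the reviewer.
DISABLE_FLAGS = {
    "usermod": {"-L", "--lock", "-e", "--expiredate"},
    "passwd": {"-l", "--lock"},
    "chage": {"-E", "--expiredate"},
}
UNSET_AUID = {"4294967295", "-1"}  # no login session: not attributable to an admin

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def parse_record(line):
    """Split one auditd line into a dict of fields; None for non-audit lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "ts": float(m.group("ts"))}
    for key, val in KV_RE.findall(line):
        if key == "msg":
            continue
        if val.startswith('"'):
            rec[key] = val[1:-1]
        elif rec.get("type") == "EXECVE" and re.fullmatch(r"a\d+", key) and HEX_RE.match(val):
            rec[key] = bytes.fromhex(val).decode("utf-8", "replace")  # auditd hex-encodes odd args
        else:
            rec[key] = val
    return rec


def disable_events(lines):
    """Reconstruct account-disabling events: tool runs and account-file writes."""
    by_serial = defaultdict(list)  # all records of one event share a serial
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != "account_disable":
            continue
        ev = {"serial": serial, "auid": sc.get("auid"), "comm": sc.get("comm"),
              "success": sc.get("success") == "yes",
              "attributed": sc.get("auid") not in UNSET_AUID}
        ex = next((r for r in recs if r.get("type") == "EXECVE"), None)
        if ex is not None:
            argv = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
            flags = DISABLE_FLAGS.get(os.path.basename(argv[0]) if argv else "", set())
            if not any(a in flags for a in argv[1:-1]):
                continue  # e.g. "passwd -S user": the tool ran but nothing was disabled
            ev.update(kind="tool", target=argv[-1], argv=argv)
        else:
            files = [r["name"] for r in recs if r.get("type") == "PATH" and r.get("nametype") != "PARENT"]
            ev.update(kind="file", target=",".join(files))
        events.append(ev)
    return events


def account_disable_audited(lines, account):
    """The check: True if a successful, attributable disable of `account` was logged."""
    return any(ev["kind"] == "tool" and ev["target"] == account and ev["success"] and ev["attributed"]
               for ev in disable_events(lines))


# Constructed sample records in auditd's format: an admin (auid=1000) runs
# "usermod -L dnsadmin2" (which also rewrites /etc/shadow) and "passwd -S dnsadmin2";
# later a sessionless process (auid unset) runs "passwd -l dnsadmin3".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1351036800.101:2001): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2a0 a2=55d3f0 a3=7ffd items=2 ppid=4012 pid=4020 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="usermod" exe="/usr/sbin/usermod" key="account_disable"
type=EXECVE msg=audit(1351036800.101:2001): argc=3 a0="usermod" a1="-L" a2="dnsadmin2"
type=PATH msg=audit(1351036800.101:2001): item=0 name="/usr/sbin/usermod" inode=131 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1351036800.102:2002): arch=c000003e syscall=82 success=yes exit=0 a0=5571a0 a1=5572c0 a2=0 a3=0 items=4 ppid=4012 pid=4020 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="usermod" exe="/usr/sbin/usermod" key="account_disable"
type=PATH msg=audit(1351036800.102:2002): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1351036800.102:2002): item=1 name="/etc/shadow" inode=2203 dev=fd:00 mode=0100000 ouid=0 ogid=42 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1351036800.340:2003): arch=c000003e syscall=59 success=yes exit=0 a0=5a1c0 a1=5a2a0 a2=5a3f0 a3=7ffd items=2 ppid=4012 pid=4031 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="account_disable"
type=EXECVE msg=audit(1351036800.340:2003): argc=3 a0="passwd" a1="-S" a2="dnsadmin2"
type=SYSCALL msg=audit(1351036801.500:2004): arch=c000003e syscall=59 success=yes exit=0 a0=5b1c0 a1=5b2a0 a2=5b3f0 a3=7ffd items=2 ppid=1 pid=4100 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" key="account_disable"
type=EXECVE msg=audit(1351036801.500:2004): argc=3 a0="passwd" a1="-l" a2="dnsadmin3"
"""

if __name__ == "__main__":
    for ev in disable_events(SAMPLE_LOG.splitlines()):
        print(ev)
    for name in ("dnsadmin2", "dnsadmin3"):
        print(name, "disable audited:", account_disable_audited(SAMPLE_LOG.splitlines(), name))
```

Run against a real host, feed it the output of ausearch -k account_disable instead of SAMPLE_LOG. The script deliberately treats the dnsadmin3 event as not satisfying the check: the record exists, but its auid is unset, so it cannot be tied to the administrator who acted, which is what the investigation the description calls for needs. The status query passwd -S is matched by the same rule but is filtered out, so the rule set can stay coarse while the review stays precise.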