
Entries in the name server logs do not contain timestamps and severity information.


Overview

Finding ID: V-4490
Version: DNS0495
Rule ID: SV-4490r2_rule
IA Controls: ECAR-1, ECAR-2, ECAR-3, ECSC-1
Severity: Low

Description: Forensic analysis of security incidents and day-to-day monitoring are substantially more difficult if there are no timestamps on log entries.

STIG: Windows DNS
Date: 2015-12-28

Details

Check Text ( C-3554r1_chk )
BIND

Instruction: Based on the logging statement in named.conf, the reviewer can determine where the DNS logs are located. If logging is not configured, then this is a finding. These logs (which in many cases are likely to be the system logs) should be viewed using the UNIX cat or tail commands, a text editor, or – in the case of Windows – the “Event Viewer.” When examining the logs, the reviewer should ensure that entries have timestamps and severity codes. If timestamps and severity codes are not found on one or more entries, then this is a finding.

logging {
    channel channel_name {
        file path_name | syslog syslog_facility;
        severity (critical | error | warning |
                  notice | info | debug [level] | dynamic);
        print-severity yes/no;
        print-time yes/no;
    };
    category category_name {
        channel_name; [ channel_name; … ]
    };
};

Instruction: If the DNS entries in the logs do not note their severity (i.e., critical, error, warning, notice, or info), then this constitutes a finding.
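The two halves of the BIND check above (the print-time/print-severity options on each channel in named.conf, and the presence of a timestamp and severity word on every log entry) can be scripted rather than eyeballed. The following is an added example written for this page, not part of the STIG or of BIND; the named.conf stanza and the log lines it inspects are constructed samples, and the channel names, file paths and hostnames in them are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample BIND log lines (not from the STIG). Lines 1 and 2 carry both a
# timestamp and a severity; line 3 has neither; line 4 has a timestamp but no severity.
SAMPLE_LOG = """\
28-Dec-2015 10:15:42.123 general: info: zone example.test/IN: loaded serial 2015122801
28-Dec-2015 10:15:43.001 security: warning: client 192.0.2.10#53021: query (cache) 'example.test/A/IN' denied
zone example.test/IN: sending notifies (serial 2015122801)
28-Dec-2015 10:15:44.500 client 192.0.2.11#40000: query: www.example.test IN A + (192.0.2.1)
"""

# Constructed named.conf logging stanza (not from the STIG). The "queries" channel
# omits print-severity, which the channel check below reports as a finding.
SAMPLE_NAMED_CONF = """\
logging {
    channel default_log {
        file "/var/log/named/named.log" versions 5 size 20m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel sec_syslog {
        syslog local6;
        severity notice;
        print-severity yes;
    };
    channel queries {
        file "/var/log/named/queries.log";
        severity info;
        print-time yes;
    };
    category default  { default_log; };
    category security { sec_syslog; default_log; };
    category queries  { queries; };
};
"""

# Timestamp shapes accepted at the start of a line: BIND's own "28-Dec-2015 10:15:42.123",
# the ISO 8601 form newer BIND releases can emit, and the classic syslog "Dec 28 10:15:42".
TIMESTAMP_RE = re.compile(
    r"^(?:\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"
    r"|[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
)
# With print-severity yes, BIND writes the severity as a word followed by a colon.
SEVERITY_RE = re.compile(r"\b(critical|error|warning|notice|info|debug):")


def check_log_lines(text: str) -> List[Dict[str, object]]:
    """Return one finding per non-empty log line that lacks a timestamp or a severity."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        missing = []
        if not TIMESTAMP_RE.match(line):
            missing.append("timestamp")
        if not SEVERITY_RE.search(line):
            missing.append("severity")
        if missing:
            findings.append({"line": lineno, "missing": missing, "text": line})
    return findings


# A channel block has no nested braces, so the first "};" after "channel name {" closes it.
CHANNEL_RE = re.compile(r"channel\s+(\S+)\s*\{(.*?)\};", re.DOTALL)


def check_channels(named_conf: str) -> Dict[str, List[str]]:
    """Map each logging channel to the print options it is missing.

    print-severity must be 'yes' on every channel. print-time must be 'yes' on file
    channels; a syslog channel may omit it because syslog stamps each entry itself.
    """
    problems: Dict[str, List[str]] = {}
    for name, body in CHANNEL_RE.findall(named_conf):
        opts = dict(re.findall(r"(print-time|print-severity)\s+(yes|no)", body))
        missing = []
        if opts.get("print-severity") != "yes":
            missing.append("print-severity")
        if re.search(r"\bfile\b", body) and opts.get("print-time") != "yes":
            missing.append("print-time")
        problems[name] = missing
    return problems


if __name__ == "__main__":
    for f in check_log_lines(SAMPLE_LOG):
        print(f"log line {f['line']} missing {', '.join(f['missing'])}: {f['text']}")
    for name, missing in check_channels(SAMPLE_NAMED_CONF).items():
        print(f"channel {name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

On the constructed input the log check flags lines 3 and 4 and the channel check flags only the queries channel, which is the same result the manual procedure above would reach: each flagged item is a finding under this rule. To run it against a real server, replace SAMPLE_LOG with the contents of the file named in the channel's file statement (or the syslog facility's output) and SAMPLE_NAMED_CONF with the actual named.conf.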

Windows DNS

Windows DNS software adds timestamps and severity information by default.

In cases in which the name server is not running BIND or Windows DNS, the reviewer must still examine the configuration and its documentation to validate this requirement.
Fix Text (F-4375r1_fix)
The DNS software administrator should configure the DNS software to add timestamps and severity information to each entry in all logs. Configuration details for BIND may be found in the DNS STIG Section 4.2.5.