A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes.
DISA Rule
SV-207539r612253_rule
Vulnerability Number
V-207539
Group Title
SRG-APP-000089-DNS-000004
Rule Version
BIND-9X-001010
Severity
CAT III
CCI(s)
- CCI-001294 - The information system notifies organization-defined personnel or roles of failed security verification tests.
- CCI-001665 - The information system preserves organization-defined system state information in the event of a system failure.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
- CCI-001914 - The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
Weight
10
Fix Recommendation
Configure the logging statement in the "named.conf" file:
logging {
    channel <channel_name> {
        file "<file_name>";
        severity info;
    };
    category default { <channel_name>; };
};
Replace <channel_name> and <file_name> with names that distinctively identify the purpose of the channel and the log file.
Restart the BIND 9.x process.
Check Contents
Verify the name server is configured to generate audit records:
Inspect the "named.conf" file for the following:
logging {
    channel channel_name {
        severity info;
    };
    category default { channel_name; };
};
If there is no "logging" statement, this is a finding.
If the "logging" statement does not contain a "channel", this is a finding.
If the "logging" statement does not contain a "category" that utilizes a "channel", this is a finding.
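The fix and check above are easier to apply with a fuller logging statement in front of you and a script that tests the three finding conditions. What follows is an added example, not DISA's or ISC's code: the three named.conf fragments are constructed samples, and the channel name "audit_log", the file path under /var/log/named, and the rotation sizes are assumptions chosen for illustration. The compliant fragment goes beyond the STIG skeleton by stamping each record with time, category and severity and by routing the security-relevant categories (security, config, zone transfer, dnssec) to the same channel as "default", which is what an auditor reconstructing the source and outcome of an event actually needs. The checker extracts the top-level logging statement and returns 1, 2 or 3 for the first of the three finding conditions it hits, 0 when all pass.

```shell
#!/bin/sh
# Added example (not DISA's or ISC's code): check a named.conf against the
# three conditions of BIND-9X-001010 and show a logging statement that meets
# them. All three configs below are constructed samples; names and paths
# are assumptions.

# Compliant: one channel to a rotated file, time/category/severity printed on
# every record, security-relevant categories routed to it as well as default.
COMPLIANT_CONF='
logging {
    channel audit_log {
        file "/var/log/named/audit.log" versions 10 size 50m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category default  { audit_log; };
    category security { audit_log; };
    category config   { audit_log; };
    category xfer-in  { audit_log; };
    category xfer-out { audit_log; };
    category dnssec   { audit_log; };
};
'

# Finding (condition 1): no logging statement at all.
NO_LOGGING_CONF='
options { directory "/var/named"; };
'

# Finding (condition 3): a channel is defined but no category routes to it.
# Only the built-in default_syslog is used; we treat that as a finding because
# no category uses a channel *defined in the statement* (an interpretation).
UNUSED_CHANNEL_CONF='
logging {
    channel audit_log { file "/var/log/named/audit.log"; severity info; };
    category default { default_syslog; };
};
'

# Print the text of the top-level "logging { ... }" statement with // and #
# comments stripped. Limitations: /* */ comments and include files are not
# handled; run it on "named-checkconf -p" output to get a canonical form.
extract_logging_block() {
    awk '
    BEGIN { depth = 0; inlog = 0 }
    {
        line = $0
        sub(/(\/\/|#).*$/, "", line)
        n = length(line)
        for (i = 1; i <= n; i++) {
            c = substr(line, i, 1)
            if (!inlog && depth == 0 && substr(line, i) ~ /^logging[ \t]*[{]/ &&
                (i == 1 || substr(line, i - 1, 1) ~ /[ \t;}]/))
                inlog = 1
            if (inlog) printf "%s", c
            if (c == "{") depth++
            else if (c == "}") { depth--; if (inlog && depth == 0) { inlog = 0; printf "\n" } }
        }
        if (inlog) printf "\n"
    }' "$1"
}

# Exit 0 when all three checks pass; 1/2/3 identifies the first failing check.
check_logging() {
    conf=$1
    block=$(extract_logging_block "$conf")
    if [ -z "$block" ]; then
        echo "FINDING ($conf): no logging statement"
        return 1
    fi
    # names of channels defined inside the logging statement
    channels=$(printf '%s\n' "$block" \
        | grep -oE 'channel[[:space:]]+[A-Za-z0-9_-]+' | awk '{ print $2 }')
    if [ -z "$channels" ]; then
        echo "FINDING ($conf): logging statement defines no channel"
        return 2
    fi
    for ch in $channels; do
        # "category <name> { ... <ch>; ... }" written on one line
        if printf '%s\n' "$block" \
            | grep -qE "category[[:space:]]+[A-Za-z0-9_-]+[[:space:]]*[{][^}]*[[:space:]{]$ch[[:space:];]"; then
            echo "OK ($conf): category routes to channel \"$ch\""
            return 0
        fi
    done
    echo "FINDING ($conf): no category uses a channel defined in the logging statement"
    return 3
}

# Write the constructed samples into a directory.
write_samples() {
    printf '%s\n' "$COMPLIANT_CONF"      > "$1/compliant.conf"
    printf '%s\n' "$NO_LOGGING_CONF"     > "$1/no_logging.conf"
    printf '%s\n' "$UNUSED_CHANNEL_CONF" > "$1/unused_channel.conf"
}

# Demo over the samples; on a real server run: check_logging /etc/named.conf
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.conf; do
    check_logging "$f" || echo "  -> exit status $?"
done
rm -rf "$demo_dir"
```

On a live server, feed the script the output of `named-checkconf -p` rather than the raw file, so that included files are resolved and each statement appears in the canonical layout the checker expects; a category block split across several lines in the raw file would otherwise be missed. The script mirrors the STIG's three conditions literally, so a configuration whose only categories point at built-in channels such as default_syslog is reported as a finding even though named would still log.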
Documentable
False
Severity Override Guidance
Identical to Check Contents above.
Check Content Reference
M
Target Key
2926
Comments