STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date 22 Jan 2021

The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog.

DISA Rule

SV-207546r612253_rule

Vulnerability Number

V-207546

Group Title

SRG-APP-000125-DNS-000012

Rule Version

BIND-9X-001040

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the "logging" statement to send audit logs to the syslog daemon.

logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};

Note: It is recommended to use a local syslog facility (i.e., local0 through local7) when configuring the syslog channel, so that the syslog daemon can select and forward BIND's records with their own selector, independently of other daemons on the host.

Restart the BIND 9.x process.

Configure the (r)syslog daemon to send audit logs to a remote server.

Check Contents

Verify that the BIND 9.x server is configured to send audit logs to the syslog service.

Inspect the "named.conf" file for the following:

logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};

If a logging channel is not defined for syslog, this is a finding.

If a category is not defined to send messages to the syslog channel, this is a finding.

Ensure audit records are forwarded to a remote server:

# grep "\*.\*" /etc/syslog.conf | grep "@" | grep -v "^#" (for syslog)
or:
# grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#" (for rsyslog)

If neither of these lines exist, this is a finding.

Note: rsyslog also reads drop-in files under /etc/rsyslog.d/, and a forwarding rule may select only the facility used by the BIND channel (for example "local0.* @@loghost:514", where "@@" is TCP and "@" is UDP) rather than "*.*". Review those files and selectors as well before recording a finding.
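The following script is an added example, not part of the STIG or of BIND or rsyslog. It implements the two check conditions above (a syslog channel defined in named.conf and a category routed to it; an uncommented rsyslog rule forwarding to a remote host) as shell functions, and runs them offline over constructed sample configurations that also serve as a concrete instance of the Fix Recommendation (channel "audit_syslog" on facility local0, forwarded over TCP). Channel, category and host names are illustrative. It generalises the check's "*.*" grep: any uncommented selector that forwards to a remote host counts, since a "local0.*" rule also carries BIND's records.

```shell
#!/bin/sh
# Added example (not part of the STIG, BIND or rsyslog): an offline audit of
# the two conditions in BIND-9X-001040, run over constructed sample configs.

# Constructed named.conf fragments. Channel and category names are illustrative.
NAMED_CONF_OK='logging {
    channel audit_syslog {
        syslog local0;
        severity info;
        print-category yes;
        print-severity yes;
    };
    category security { audit_syslog; };
    category default  { audit_syslog; };
};'

NAMED_CONF_BAD='logging {
    channel audit_file {
        file "/var/log/named/audit.log" versions 3 size 5m;
    };
    category security { audit_file; };
};'

# Constructed rsyslog lines. "@@" is TCP, "@" is UDP; the hostname is made up.
RSYSLOG_OK='# forward BIND audit records
local0.* @@loghost.example.mil:514'
RSYSLOG_BAD='*.info /var/log/messages
# local0.* @@loghost.example.mil:514'

# syslog_channels NAMED_CONF_TEXT
# Prints the name of every channel whose body contains a "syslog <facility>;"
# destination, one per line. The config is flattened to one line so that
# blocks spanning several lines are matched as a unit.
syslog_channels() {
    printf '%s' "$1" | tr '\n' ' ' |
    grep -Eo 'channel[[:space:]]+[A-Za-z0-9_-]+[[:space:]]*\{[^}]*[[:space:]{]syslog[[:space:]]+[a-z0-9]+[[:space:]]*;' |
    sed -E 's/^channel[[:space:]]+([A-Za-z0-9_-]+).*/\1/'
}

# named_conf_sends_to_syslog NAMED_CONF_TEXT
# Returns 0 when at least one syslog channel exists and at least one category
# routes to it; returns 1 on either finding condition from the check.
named_conf_sends_to_syslog() {
    chans=$(syslog_channels "$1")
    [ -n "$chans" ] || return 1
    for c in $chans; do
        printf '%s' "$1" | tr '\n' ' ' |
        grep -Eq "category[[:space:]]+[A-Za-z0-9_-]+[[:space:]]*\{([^}]*[[:space:];])?$c[[:space:]]*;" && return 0
    done
    return 1
}

# rsyslog_forwards RSYSLOG_TEXT
# Returns 0 when an uncommented line forwards to a remote host using the
# legacy "selector @host" / "selector @@host" form or a RainerScript omfwd
# action; returns 1 otherwise.
rsyslog_forwards() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
    grep -Eq '^[[:space:]]*[^[:space:]]+[[:space:]]+@{1,2}[^[:space:]]+|type="omfwd"'
}

# audit_bind_logging NAMED_CONF_TEXT RSYSLOG_TEXT
# Prints "pass" or "finding: <reason>"; exit status 0 on pass, 1 on a finding.
audit_bind_logging() {
    if ! named_conf_sends_to_syslog "$1"; then
        echo "finding: named.conf has no category routed to a syslog channel"
        return 1
    fi
    if ! rsyslog_forwards "$2"; then
        echo "finding: rsyslog does not forward audit records to a remote server"
        return 1
    fi
    echo pass
}

# Demonstration over the constructed samples.
audit_bind_logging "$NAMED_CONF_OK"  "$RSYSLOG_OK"  || true   # pass
audit_bind_logging "$NAMED_CONF_BAD" "$RSYSLOG_OK"  || true   # finding: named.conf
audit_bind_logging "$NAMED_CONF_OK"  "$RSYSLOG_BAD" || true   # finding: rsyslog
```

On a real host the same functions can be pointed at the live files, including the rsyslog drop-in directory, with `audit_bind_logging "$(cat /etc/named.conf)" "$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null)"`. The regular expressions assume the BIND statements are written in the plain `channel name { ... };` / `category name { ...; };` form shown in the Fix Recommendation; a named.conf that builds its logging statement from `include` files must be concatenated first.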

Documentable

False

Check Content Reference

M

Target Key

2926

Comments