STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.

DISA Rule

SV-207563r612253_rule

Vulnerability Number

V-207563

Group Title

SRG-APP-000176-DNS-000018

Rule Version

BIND-9X-001110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the ownership of the TSIG keys to the account that the "named" process is running as:

# chown <named_process_owner> <TSIG_key_file>

Check Contents

With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation.

Identify the account that the "named" process is running as:

# ps -ef | grep named
named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot

With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation.

# ls -al <TSIG_Key_Location>
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key

If any of the TSIG keys are not owned by the above account, this is a finding.
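The check above, carried out as a script: determine the account "named" runs as, collect the TSIG key files (those named on the command line plus any files pulled into named.conf by include statements), and report every file whose owner differs. This is an added example, not text from the STIG or code from the BIND project; it assumes a POSIX shell with ps, ls, sed and awk, falls back to the owner "named" when no named process is found (for example when checking a copied configuration off-box), and the named.conf and key file used in the usage below are constructed for illustration.

```shell
#!/bin/sh
# check_tsig_owner.sh (added example; not part of the STIG or of BIND)
# Flags any TSIG key file not owned by the account the named process runs as.

# Account the "named" process is running as (set by the -u flag in the ps
# output shown in the check). Falls back to "named" if no process is found,
# an assumption made so the script can run against a copied config.
named_owner() {
    owner=$(ps -eo user,comm 2>/dev/null | awk '$2 == "named" { print $1; exit }')
    printf '%s\n' "${owner:-named}"
}

# Print the paths referenced by `include "...";` statements in the named.conf
# given as $1. TSIG keys are commonly kept in such files; keys written inline
# in named.conf itself are covered by checking named.conf as well.
included_files() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1"
}

# Owner of a file, taken from column 3 of `ls -ld` (portable across GNU/BSD).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_key_owners EXPECTED_OWNER FILE...
# Prints one line per file. Returns 1 if any file is missing or is not owned
# by EXPECTED_OWNER (a finding under BIND-9X-001110), otherwise 0.
check_key_owners() {
    expected=$1
    shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'FINDING: %s: file not found\n' "$f"
            rc=1
            continue
        fi
        actual=$(file_owner "$f")
        if [ "$actual" = "$expected" ]; then
            printf 'ok:      %s owned by %s\n' "$f" "$actual"
        else
            printf 'FINDING: %s owned by %s, expected %s\n' "$f" "$actual" "$expected"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_tsig_owner.sh /etc/named.conf [extra_tsig_key_file ...]
# Paths from named.conf are word-split, so paths containing spaces are not
# supported by this example.
main() {
    conf=$1
    shift
    owner=$(named_owner)
    printf 'named runs as: %s\n' "$owner"
    # shellcheck disable=SC2046
    check_key_owners "$owner" "$conf" $(included_files "$conf") "$@"
}

[ $# -eq 0 ] || main "$@"
```

Run it as root (or as any account that can read the key files) with the path to named.conf and any key files the DNS administrator identified that are not reachable through include statements; a non-zero exit status means at least one finding. Ownership is all this rule covers; the `-rw-------` mode shown in the check output is a separate concern, and the fix for a finding here is the `chown` given under Fix Recommendation.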

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments