STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.

DISA Rule

SV-207564r612253_rule

Vulnerability Number

V-207564

Group Title

SRG-APP-000176-DNS-000018

Rule Version

BIND-9X-001111

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the group ownership of the TSIG keys to the named process group.

# chgrp <named_process_group> <TSIG_key_file>

Check Contents

With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation.

Identify the account that the "named" process is running as:

# ps -ef | grep named
named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot

With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation.

# ls -al <TSIG_Key_Location>
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key

If any TSIG key file is not group owned by the group of the account identified above (here "named", the fourth column of the ls output), this is a finding.
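The check and fix above, scripted so they can be run against a list of key files, as an added example that is not part of the STIG text. It assumes a Linux host with GNU procps (ps -C) and GNU coreutils (stat -c); the hypothetical function names and the sample file path are illustrative only.

```shell
#!/bin/sh
# Added example (not STIG content): STIG check for TSIG key group ownership.
# Assumes GNU ps (-C) and GNU stat (-c); function names are hypothetical.

# Print the primary group of the account the "named" process runs as.
# Returns 1 (prints nothing) when no named process is running.
named_group() {
    user=$(ps -o user= -C named 2>/dev/null | head -n 1)
    [ -n "$user" ] || return 1
    id -gn "$user"
}

# Usage: check_tsig_group <expected_group> <key_file>...
# Prints one "FINDING: ..." line per key file whose group owner differs from
# <expected_group> (or which does not exist), mirroring the STIG finding
# condition. Returns 0 when every file matches, 1 when any finding was raised.
check_tsig_group() {
    expected=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "FINDING: $f does not exist"
            rc=1
            continue
        fi
        g=$(stat -c %G "$f")
        if [ "$g" != "$expected" ]; then
            echo "FINDING: $f group=$g expected=$expected"
            rc=1
        fi
    done
    return $rc
}

# Usage: fix_tsig_group <named_process_group> <key_file>...
# Applies the STIG fix recommendation: chgrp each key file that does not
# already belong to the named process group. Returns 1 if any chgrp fails.
fix_tsig_group() {
    group=$1; shift
    rc=0
    for f in "$@"; do
        [ "$(stat -c %G "$f")" = "$group" ] && continue
        chgrp "$group" "$f" || rc=1
    done
    return $rc
}

# Stand-alone usage: derive the group from the running named process and
# check the TSIG key locations supplied by the DNS administrator.
if [ "${0##*/}" = "tsig_group_check.sh" ]; then
    grp=$(named_group) || { echo "named is not running" >&2; exit 2; }
    check_tsig_group "$grp" "$@"
fi
```

Run it as tsig_group_check.sh /var/named/chroot/etc/tsig-example.key (or whatever paths the DNS administrator identifies); a non-zero exit with FINDING lines is the STIG finding, and fix_tsig_group with the same group is the remediation.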

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments