STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

DISA Rule

SV-207565r612253_rule

Vulnerability Number

V-207565

Group Title

SRG-APP-000176-DNS-000019

Rule Version

BIND-9X-001112

Severity

CAT II

CCI(s)

• CCI-000186 - The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.

Weight

10

Fix Recommendation

Change the permissions of the TSIG key files:

# chmod 600 <TSIG_key_file>

Check Contents

Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users:

With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation:

# ls –al <TSIG_Key_Location>
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key

If the key files are more permissive than 600, this is a finding.

Vulnerability Number

V-207565

Documentable

False

Rule Version

BIND-9X-001112

Severity Override Guidance

Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users:

With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation:

# ls –al <TSIG_Key_Location>
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key

If the key files are more permissive than 600, this is a finding.

Check Content Reference

M

Target Key

2926

Comments