STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes.

DISA Rule

SV-207539r612253_rule

Vulnerability Number

V-207539

Group Title

SRG-APP-000089-DNS-000004

Rule Version

BIND-9X-001010

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the logging statement in the "named.conf" file:

logging {
    channel <channel_name> {
        file "<file_name>";
        severity info;
    };
    category default { <channel_name>; };
};

Replace <channel_name> and <file_name> with names that distinctively identify the purpose of the channel and the log file.

Restart the BIND 9.x process.

Check Contents

Verify the name server is configured to generate audit records:

Inspect the "named.conf" file for the following:

logging {
    channel channel_name {
        severity info;
    };
    category default { channel_name; };
};

If there is no "logging" statement, this is a finding.

If the "logging" statement does not contain a "channel", this is a finding.

If the "logging" statement does not contain a "category" that utilizes a "channel", this is a finding.
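A scripted form of the three check conditions above, added here as an example and not part of the STIG or of STIGQter: it strips comments, isolates the top-level "logging" statement, and reports a finding when there is no logging statement, no channel, or no category that uses a channel defined in that statement. The two named.conf fragments are constructed samples; built-in BIND channels (default_syslog and the like) are deliberately not counted as a defined channel.

```python
import re

# Constructed sample: satisfies BIND-9X-001010 (channel defined and used by a category)
COMPLIANT_CONF = """
options { directory "/var/named"; };
logging {
    channel audit_log {
        file "/var/log/named/audit.log";
        severity info;
    };
    category default { audit_log; };
};
"""

# Constructed sample: a channel is defined, but the only category references a name
# that is never defined as a channel, so no category "utilizes a channel"
NONCOMPLIANT_CONF = """
logging {
    channel audit_log { file "/var/log/named/audit.log"; severity info; };
    category default { stderr_only; };
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out statement is not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def extract_block(text, keyword):
    """Return the body of the first top-level `keyword { ... }` block, or None."""
    m = re.search(r"\b%s\s*\{" % keyword, text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return None  # unbalanced braces: treat as no usable statement

def check_logging(conf):
    """Apply the STIG check conditions; return a list of findings (empty list = pass)."""
    body = extract_block(strip_comments(conf), "logging")
    if body is None:
        return ['no "logging" statement']
    channels = set(re.findall(r"\bchannel\s+([^\s{]+)\s*\{", body))
    if not channels:
        return ['"logging" statement has no "channel"']
    used = set()  # every channel name referenced from any category { ...; } body
    for cat_body in re.findall(r"\bcategory\s+\S+\s*\{([^}]*)\}", body):
        used.update(c.strip() for c in cat_body.split(";") if c.strip())
    if not used & channels:
        return ['no "category" utilizes a defined "channel"']
    return []
```

Run it against the output of `named-checkconf -p`, which prints the effective configuration with includes expanded, rather than against a single file that may pull the logging statement in from elsewhere.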

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments