STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

The DNSSEC keys used with the BIND 9.x implementation must be owned by a privileged account.

DISA Rule

SV-207568r612253_rule

Vulnerability Number

V-207568

Group Title

SRG-APP-000231-DNS-000033

Rule Version

BIND-9X-001130

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the ownership of the DNSSEC keys to the account the "named" process is running as.

# chown <named_process_owner> <DNSSEC_key_file>

Check Contents

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all of the DNSSEC keys used by the BIND 9.x implementation.

Identify the account that the "named" process is running as:

# ps -ef | grep named
named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot

With the assistance of the DNS Administrator, determine the location of the DNSSEC keys used by the BIND 9.x implementation.

# ls -al <DNSSEC_Key_Location>
-r--------. 1 named named 76 May 10 20:35 DNSSEC-example.key

If any of the DNSSEC keys are not owned by the above account, this is a finding.
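The check above can be scripted so it is repeatable. The following shell script is an added example, not part of the STIG or the STIGQter page; it assumes GNU stat(1), that the key files carry BIND's .key/.private extensions, and that the key directory is supplied in the KEY_DIR environment variable.

```shell
#!/bin/sh
# Added example for BIND-9X-001130: report DNSSEC key files not owned by
# the account the "named" process runs as. Assumes GNU stat(1) (-c %U).

# Print the account the running "named" process belongs to (first match).
# Using ps -eo with an exact comm match avoids the grep matching itself.
named_owner() {
    ps -eo user,comm | awk '$2 == "named" { print $1; exit }'
}

# check_key_ownership <key_dir> <expected_owner>
# Prints one FINDING line per .key/.private file not owned by <expected_owner>.
# Returns 0 when there is no finding, 1 when at least one file is mismatched.
check_key_ownership() {
    key_dir=$1
    expected=$2
    findings=0
    for f in "$key_dir"/*.key "$key_dir"/*.private; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        owner=$(stat -c %U "$f")
        if [ "$owner" != "$expected" ]; then
            printf 'FINDING: %s owned by %s, expected %s\n' "$f" "$owner" "$expected"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: KEY_DIR=/path/to/keys sh check_dnssec_owner.sh   (KEY_DIR is assumed)
if [ -n "${KEY_DIR:-}" ]; then
    owner=$(named_owner)
    [ -n "$owner" ] || { echo "named process not found" >&2; exit 2; }
    check_key_ownership "$KEY_DIR" "$owner"
fi
```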

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

2926

Comments