STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The two files generated by the BIND 9.x server dnssec-keygen program must be group owned by the server administrator account, or deleted, after they have been copied to the key file in the name server.

DISA Rule

SV-207574r612253_rule

Vulnerability Number

V-207574

Group Title

SRG-APP-000516-DNS-000086

Rule Version

BIND-9X-001141

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the group ownership of the keys to the root group.

# chgrp root <key_file>.

Check Contents

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is group-owned by "root":

# ls –la
-r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key

If the key file(s) are not group owned by root, this is a finding.

Vulnerability Number

V-207574

Documentable

False

Rule Version

BIND-9X-001141

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is group-owned by "root":

# ls –la
-r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key

If the key file(s) are not group owned by root, this is a finding.

Check Content Reference

M

Target Key

2926

Comments