STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.

DISA Rule

SV-230316r627750_rule

Vulnerability Number

V-230316

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

RHEL-08-010680

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the operating system to use two or more name servers for DNS resolution.

By default, "NetworkManager" on RHEL 8 dynamically updates the /etc/resolv.conf file with the DNS settings from active "NetworkManager" connection profiles. However, this feature can be disabled to allow manual configurations.

If manually configuring DNS, edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows:

$ sudo echo -n > /etc/resolv.conf

Check Contents

Determine whether the system is using local or DNS name resolution with the following command:

$ sudo grep hosts /etc/nsswitch.conf

hosts: files dns

If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty.

Verify the "/etc/resolv.conf" file is empty with the following command:

$ sudo ls -al /etc/resolv.conf

-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf

If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding.

If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution.

Determine the name servers used by the system with the following command:

$ sudo grep nameserver /etc/resolv.conf

nameserver 192.168.1.2
nameserver 192.168.1.3

If less than two lines are returned that are not commented out, this is a finding.

Vulnerability Number

V-230316

Documentable

False

Rule Version

RHEL-08-010680

Severity Override Guidance

Determine whether the system is using local or DNS name resolution with the following command:

$ sudo grep hosts /etc/nsswitch.conf

hosts: files dns

If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty.

Verify the "/etc/resolv.conf" file is empty with the following command:

$ sudo ls -al /etc/resolv.conf

-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf

If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding.

If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution.

Determine the name servers used by the system with the following command:

$ sudo grep nameserver /etc/resolv.conf

nameserver 192.168.1.2
nameserver 192.168.1.3

If less than two lines are returned that are not commented out, this is a finding.

Check Content Reference

M

Target Key

2921

Comments