STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 1 Release: 8 Benchmark Date: 24 Jan 2020: In the event of an error when validating the binding of other DNS servers identity to the BIND 9.x information, when anomalies in the operation of the signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events, a BIND 9.x server implementation must generate a log entry.

DISA Rule

SV-87007r1_rule

Vulnerability Number

V-72383

Group Title

SRG-APP-000350-DNS-000044

Rule Version

BIND-9X-001021

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Edit the "named.conf" file.

Add the "severity" sub statement to the "channel" statement.

Configure the "severity" sub statement to "info"

Restart the BIND 9.x process.

Check Contents

Verify the name server is configured to log error messages with a severity of “info”:

Inspect the "named.conf" file for the following:

logging {
channel channel_name {
file "log.msgs";
severity info;
};

If the "severity" sub statement is not set to "info", this is a finding.

Note: Setting the "severity" sub statement to "info" will log all messages for the following severity levels: Critical, Error, Warning, Notice, and Info.

Vulnerability Number

V-72383

Documentable

False

Rule Version

BIND-9X-001021

Severity Override Guidance

Verify the name server is configured to log error messages with a severity of “info”:

Inspect the "named.conf" file for the following:

logging {
channel channel_name {
file "log.msgs";
severity info;
};

If the "severity" sub statement is not set to "info", this is a finding.

Note: Setting the "severity" sub statement to "info" will log all messages for the following severity levels: Critical, Error, Warning, Notice, and Info.

Check Content Reference

M

Target Key

3085

Comments