The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.

From BIND 9.x Security Technical Implementation Guide

Part of SRG-APP-000176-DNS-000018

Associated with: CCI-000186

SV-87063r1_rule The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.

Vulnerability discussion

Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

Check content

With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation. Identify the account that the "named" process is running as: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation. # ls –al -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If any of the TSIG keys are not group owned by the above account, this is a finding.

Fix text

Change the group ownership of the TSIG keys to the named process group. # chgrp

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer