The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

From BIND 9.x Security Technical Implementation Guide

Part of SRG-APP-000176-DNS-000019

Associated with: CCI-000186

SV-87065r1_rule The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

Vulnerability discussion

Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

Check content

Verify that the permissions assigned to the TSIG keys grant read-write access to the key owner only and deny all access to group members and other users.

With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation, then list them:

# ls -al
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key

If the key files are more permissive than 600, this is a finding.

Fix text

Change the permissions of the TSIG key files:

# chmod 600
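As an added example (not part of the STIG text), a POSIX shell audit that implements this check: it flags any TSIG key file whose mode has bits set outside 0600 or whose owner is not the account running named. The account name "named" and the *.key file suffix are assumptions; override NAMED_USER and the glob for your deployment.

```shell
# Added example, not part of the STIG text: audit BIND 9.x TSIG key files.
# A file is a finding when its mode grants anything beyond owner read/write
# (any bit outside 0600 set) or when it is not owned by the account that runs
# named (assumed to be "named"; override with NAMED_USER).

NAMED_USER="${NAMED_USER:-named}"

# file_mode FILE -> octal permission bits such as 600 (GNU stat, BSD fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
# file_owner FILE -> owning user name
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_key_file FILE [OWNER]
# Prints "OK FILE" or "FINDING FILE: reason"; returns 1 on a finding.
check_key_file() {
    f="$1"; want="${2:-$NAMED_USER}"
    if [ ! -f "$f" ]; then
        echo "FINDING $f: not a regular file"; return 1
    fi
    mode=$(file_mode "$f")
    owner=$(file_owner "$f")
    # The leading 0 makes the shell read the value as octal; masking off the
    # permitted owner rw bits leaves exactly the excess permissions.
    if [ $(( 0$mode & ~0600 )) -ne 0 ]; then
        echo "FINDING $f: mode $mode is more permissive than 600"; return 1
    fi
    if [ "$owner" != "$want" ]; then
        echo "FINDING $f: owned by $owner, expected $want"; return 1
    fi
    echo "OK $f"
}

# audit_dir DIR [OWNER] -> checks every *.key in DIR; returns 1 if any finding
audit_dir() {
    rc=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        check_key_file "$f" "${2:-$NAMED_USER}" || rc=1
    done
    return $rc
}

# Demonstration on constructed sample files in a temp dir (not real keys);
# the current user stands in for the named account.
demo() {
    d=$(mktemp -d); rc=0
    printf 'constructed\n' > "$d/good.key";  chmod 600 "$d/good.key"
    printf 'constructed\n' > "$d/loose.key"; chmod 644 "$d/loose.key"
    audit_dir "$d" "$(id -un)" || rc=1
    rm -rf "$d"; return $rc
}
```

Run `demo` to see one OK line and one FINDING line; point `audit_dir` at the key directory the DNS Administrator identifies to audit a real server.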
