BIND is not configured to run as a dedicated non-privileged user account. BIND is running as a root user.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3617	DNS4440	SV-3617r7_rule	ECLP-1	Low

Description
If an intruder gains control of named (BIND), the intruder will acquire the privileges of the user ID under which it runs. Running as a non-privileged user account limits the extent of any breach. When BIND runs as root (the default) intruders gain full control of the system.

STIG	Date
BIND DNS	2011-01-20

Details

Check Text ( C-3454r1_chk )
: In the presence of the reviewer, the SA should enter the following command: ps –ef \| grep ‘named’ > /etc/dns/srr/bindUser.srr The user identification (UID) utilized to run named should be found in the results. If the UID is root (i.e., 0) or another built-in ID, then this constitutes a finding. If it is not, then the next step is to check whether the UID is dedicated to this function. The SA should enter the following command, substituting the UID obtained in the previous step for bindUID: ps –ef \| grep ‘bindUID’ > bindUserDaemons.srr If bindUserDeamons.tmp contains daemons/programs other than BIND (named), then this constitutes a finding. If the dedicated user is associated with named only, the next step is to check whether the user ID has any privileges other than those needed to run BIND. To accomplish this, the SA will check the following: - Whether the BIND UID is a member of any group other than dnsgroup. - Whether the BIND UID has permissions to any files other than key files and named.stat. For the first item, the SA should run the following command (substituting the value for bindUID as appropriate): grep ‘bindUID’ /etc/group > /etc/dns/srr/bindUserGroups.srr For the second item, the SA should run the following command (substituting the name of the user ID for dnsuser if applicable): find / -uid bindUID > /etc/dns/srr/bindUserFiles.srr With regards to the first item, if dnsuserGroups.srr contains any entry other than dnsgroup (or its equivalent), then this constitutes a finding. With regards to the second item, if dnsuserFilePermissions.srr contains any entries other than the key files and named.stat, then this constitutes a finding.

Check Text ( C-3454r1_chk )

: In the presence of the reviewer, the SA should enter the following command:

ps –ef | grep ‘named’ > /etc/dns/srr/bindUser.srr

The user identification (UID) utilized to run named should be found in the results. If the UID is root (i.e., 0) or another built-in ID, then this constitutes a finding. If it is not, then the next step is to check whether the UID is dedicated to this function. The SA should enter the following command, substituting the UID obtained in the previous step for bindUID:

ps –ef | grep ‘bindUID’ > bindUserDaemons.srr

If bindUserDeamons.tmp contains daemons/programs other than BIND (named), then this constitutes a finding. If the dedicated user is associated with named only, the next step is to check whether the user ID has any privileges other than those needed to run BIND. To accomplish this, the SA will check the following:

- Whether the BIND UID is a member of any group other than dnsgroup.
- Whether the BIND UID has permissions to any files other than key files and named.stat.

For the first item, the SA should run the following command (substituting the value for bindUID as appropriate):

grep ‘bindUID’ /etc/group > /etc/dns/srr/bindUserGroups.srr

For the second item, the SA should run the following command (substituting the name of the user ID for dnsuser if applicable):

find / -uid bindUID > /etc/dns/srr/bindUserFiles.srr

With regards to the first item, if dnsuserGroups.srr contains any entry other than dnsgroup (or its equivalent), then this constitutes a finding. With regards to the second item, if dnsuserFilePermissions.srr contains any entries other than the key files and named.stat, then this constitutes a finding.

Fix Text (F-3548r2_fix)
The SA should create a new user account dedicated to DNS, configure it per the DNS STIG, and then restart the named process to run as a the new user account.