Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4488 | DNS0485 | SV-4488r8_rule | ECAT-1 ECAT-2 | High |
Description |
---|
Logging must be comprehensive to be useful for both intrusion monitoring and security investigations. Setting logging at the severity notice should capture most relevant events without requiring unacceptable levels of data storage. The severity levels notice and debug are also available to organizations that require additional logging for certain events or applications. |
STIG | Date |
---|---|
BIND DNS | 2011-01-20 |
Check Text ( C-3547r5_chk ) |
---|
DNS software administrators need DNS transaction logs for a wide variety of reasons including troubleshooting, intrusion detection, and forensics. The events the name server logs are to contain, at a minimum, success and failure of the following events: - start and stop of the name server service or daemon - zone transfers - zone update notifications - dynamic updates BIND Instruction: For a BIND configuration: if a logging statement is present, it will have the form: logging { channel channel_name file path_name | syslog syslog_facility severity (critical | error | warning | notice | info | debug [level]| dynamic);] print-severity yes/no; print-time yes/no; }; category category_name { channel_name ; [ channel_name ; … }; }; Instruction: If a logging statement is not present, then this is a finding. The reviewer will look at the severity clause in each of the channel phrases of the logging statement. It should read either notice, info or debug for each defined channel (although debug would not typically appear unless the review is concurrent with a troubleshooting effort). If the logging statement is not properly configured, then this is a finding. NOTE: Debug level may cause operational issues due to log file sizes and is therefore not a requirement for anything other than troubleshooting purposes. Windows DNS Instruction: For a Windows 2003 DNS configuration: On the “Logging Tab” or “Debug Logging” tab of the “DNS Server Properties” dialog box, if “Log Packets for “Notify” and “Update” are not checked, then this is a finding. Mitigation: DNS0485 A violation of this requirement can have one of two severity levels depending upon the extent of the violation. If no logging exists, then the discrepancy would be a Category I finding. If some logging exists, but not for all of the events listed, then the discrepancy would be a Category II finding. |
Fix Text (F-4373r4_fix) |
---|
The DNS software administrator will configure the DNS software to log, at a minimum, success and failure of the following events: - start and stop of the name server service or daemon - zone transfers - zone update notifications - dynamic updates |