
Permissions on critical UNIX name server files are not as restrictive as required.


Overview

Finding ID: V-3620
Version: DNS4470
Rule ID: SV-3620r1_rule
IA Controls: ECCD-1, ECCD-2
Severity: Medium
Description
Weak permissions could allow an intruder to view or modify zone, configuration and/or program files.
STIG: BIND DNS STIG
Date: 2015-01-05

Details

Check Text ( C-3465r1_chk )
Using the ls -l command from the directory containing the core BIND files, check that the owner, group and permissions of each file below are at least as restrictive as those listed (a more restrictive mode, such as 600 where 640 is listed, is acceptable):

named.conf - owner: root, group: dnsgroup, permissions: 640
named.pid - owner: root, group: dnsgroup, permissions: 600
root hints - owner: root, group: dnsgroup, permissions: 640
master zone file - owner: root, group: dnsgroup, permissions: 640
slave zone file - owner: root, group: dnsgroup, permissions: 660

The name of the root hints file is defined in named.conf. Common names for the file are root.hints, named.cache, or db.cache.
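The check above can be scripted so that each file is compared against the table rather than read off an ls listing by eye. The script below is an added example and is not part of the STIG; it assumes GNU coreutils stat (the -c option) and takes the site-specific root-hints and zone file names as arguments, since those are defined in named.conf. A mode passes when it grants no permission bit that the listed mode withholds; setuid/setgid/sticky bits are not assessed.

```shell
#!/bin/sh
# Audit BIND file ownership and permissions against the STIG table above.
# Assumes GNU coreutils stat and that the files live in one directory.

# mode_ok ACTUAL REQUIRED: succeeds when the octal mode ACTUAL grants no
# permission bit that REQUIRED withholds (ACTUAL is at least as restrictive).
# Special bits (setuid/setgid/sticky) are masked off and not assessed here.
mode_ok() {
  [ $(( (0$1) & ~(0$2) & 0777 )) -eq 0 ]
}

# check_file PATH OWNER GROUP MODE: prints one finding per deviation and
# returns 1 if the file is missing or any of owner, group or mode deviates.
check_file() {
  path=$1 want_owner=$2 want_group=$3 want_mode=$4
  if [ ! -e "$path" ]; then
    echo "MISSING $path"
    return 1
  fi
  set -- $(stat -c '%U %G %a' "$path")   # actual owner, group, octal mode
  rc=0
  [ "$1" = "$want_owner" ] || { echo "OWNER $path: $1 (want $want_owner)"; rc=1; }
  [ "$2" = "$want_group" ] || { echo "GROUP $path: $2 (want $want_group)"; rc=1; }
  mode_ok "$3" "$want_mode" || { echo "MODE  $path: $3 (want at most $want_mode)"; rc=1; }
  return $rc
}

# audit_bind DIR GROUP HINTS MASTER SLAVE: apply the STIG table to the files
# in DIR. HINTS, MASTER and SLAVE are the site's own file names (read them
# from named.conf); the values in the usage line are placeholders.
audit_bind() {
  dir=$1 group=$2 hints=$3 master=$4 slave=$5
  rc=0
  check_file "$dir/named.conf" root "$group" 640 || rc=1
  check_file "$dir/named.pid"  root "$group" 600 || rc=1
  check_file "$dir/$hints"     root "$group" 640 || rc=1
  check_file "$dir/$master"    root "$group" 640 || rc=1
  check_file "$dir/$slave"     root "$group" 660 || rc=1
  return $rc
}

# Usage (placeholder paths and names):
#   audit_bind /etc/named dnsgroup root.hints db.example.zone db.slave.zone
```

A non-zero exit from audit_bind means at least one finding was printed; an empty output with exit 0 means every listed file meets or exceeds the required restrictions.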

Fix Text (F-3551r1_fix)
The SA should modify permissions so that they are at least as restrictive as specified in the DNS STIG.