The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-207546 | BIND-9X-001040 | SV-207546r879582_rule | CCI-001348 | low |
| Description | ||||
| Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. | ||||
| STIG | Date | |||
| BIND 9.x Security Technical Implementation Guide | 2024-02-15 | |||
Details
Check Text (C-207546r879582_chk)
Verify that the BIND 9.x server is configured to send audit logs to the syslog service.
NOTE: syslog and local file channel must be defined for every defined category.
Inspect the "named.conf" file for the following:
logging {
channel <syslog_channel> {
syslog <syslog_facility>;
};
category <category_name> { <syslog_channel>; };
If a logging channel is not defined for syslog, this is a finding.
If a category is not defined to send messages to the syslog channel, this is a finding.
Ensure audit records are forwarded to a remote server:
# grep "\*.\*" /etc/syslog.conf |grep "@" | grep -v "^#" (for syslog)
or:
# grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#" (for rsyslog)
If neither of these lines exist, this is a finding.
Fix Text (F-7801r283693_fix)
Configure the "logging" statement to send audit logs to the syslog daemon.
logging {
channel <syslog_channel> {
syslog <syslog_facility>;
};
category <category_name> { <syslog_channel>; };
};
Note: It is recommended to use a local syslog facility (i.e. local0 -7) when configuring the syslog channel.
Restart the BIND 9.x process.
Configure the (r)syslog daemon to send audit logs to a remote server.