The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272378 | SRG-APP-000176-DNS-000018 | BIND-9X-001210 | SV-272378r1123864_rule | 2025-07-24 | 3 |
| Description |
|---|
| Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective. |
| ℹ️ Check |
|---|
| With the assistance of the DNS administrator, identify all of the TSIG keys used by the BIND 9.x implementation.<br><br>Identify the account that the "named" process is running as:<br><br>`# ps -ef \| grep named`<br>`named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot`<br><br>With the assistance of the DNS administrator, determine the location of the TSIG keys used by the BIND 9.x implementation.<br><br>`# ls -al <TSIG_Key_Location>`<br>`-rw-r-----. 1 root named 76 May 10 20:35 tsig-example.key`<br><br>If any of the TSIG keys are not group owned by the above account, this is a finding. |
| ✔️ Fix |
|---|
| Change the group ownership of the TSIG keys to the named process group:<br><br>`# chgrp <named_process_group> <TSIG_key_file>` |
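As an added example that is not part of the STIG text, the following POSIX shell script automates the Check above: it resolves the account the `named` process runs as, derives that account's primary group, and reports every TSIG key file whose group owner differs, which is exactly the condition the rule calls a finding. It also wraps the Fix as a function so the two steps can be run from the same audit. It assumes a GNU/Linux userland (procps `ps -C`, the `ls -ld` field layout, `id -gn`); the key file path in the stand-alone usage is a placeholder to be replaced with the locations the DNS administrator supplies.

```shell
#!/bin/sh
# Added example (not STIG text): audit TSIG key files for the group
# ownership required by BIND-9X-001210. Assumes GNU/Linux userland.

# Print the group that owns a file (4th field of `ls -ld`, which holds on
# GNU and BSD ls alike; an SELinux context only adds a '.' to the mode).
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Return 0 if the file is group-owned by the expected group, 1 otherwise,
# printing a one-line OK/FINDING verdict in either case.
check_key_group() {
    key="$1"
    expected="$2"
    [ -e "$key" ] || { echo "MISSING: $key"; return 1; }
    actual=$(file_group "$key")
    if [ "$actual" = "$expected" ]; then
        echo "OK:      $key (group $actual)"
        return 0
    fi
    echo "FINDING: $key is group-owned by '$actual', expected '$expected'"
    return 1
}

# Account the named process runs as (same information as the Check's
# `ps -ef | grep named`, but without grep matching its own command line).
named_user() {
    ps -o user= -C named 2>/dev/null | head -n 1
}

# Primary group of that account; fails if named is not running.
named_group() {
    user=$(named_user)
    [ -n "$user" ] || return 1
    id -gn "$user"
}

# Check every key file passed in; exit status 1 if any one is a finding.
# Usage: audit_tsig_keys <group> <key_file>...
audit_tsig_keys() {
    group="$1"; shift
    rc=0
    for key in "$@"; do
        check_key_group "$key" "$group" || rc=1
    done
    return $rc
}

# The Fix from the STIG: change group ownership of one key file.
# Usage: fix_key_group <key_file> <group>
fix_key_group() {
    chgrp "$2" "$1"
}

# Stand-alone usage; skipped when the functions are sourced by another
# script. The key path is a placeholder, not a path from the STIG.
if [ "${0##*/}" = "audit_tsig.sh" ]; then
    grp=$(named_group) || { echo "named is not running; pass the group explicitly" >&2; exit 2; }
    audit_tsig_keys "$grp" /etc/named/tsig-example.key
fi
```

Save the script as `audit_tsig.sh` and run it as root so that it can read the key files and, if wanted, call `fix_key_group` on each reported path; a non-zero exit status means at least one key file is a finding.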