The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-207565 | SRG-APP-000176-DNS-000019 | BIND-9X-001112 | SV-207565r879613_rule | 2024-02-15 | 2 |
Description
Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.
ℹ️ Check
Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users:
With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation:
# ls –al <TSIG_Key_Location>
-rw-------. 1 named named 76 May 10 20:35 tsig-example.key
If the key files are more permissive than 600, this is a finding.
✔️ Fix
Change the permissions of the TSIG key files:
# chmod 600 <TSIG_key_file>