DISA BIND 9.x STIG v1r9

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA BIND 9.x STIG v1r9

Updated: 2/7/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.6

Estimated Item Count: 104

Audit Items

Description	Categories
BIND-9X-000001 - A BIND 9.x server implementation must be running in a chroot(ed) directory structure.	CONFIGURATION MANAGEMENT
BIND-9X-001000 - A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC.	SYSTEM AND INFORMATION INTEGRITY
BIND-9X-001002 - The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.	CONFIGURATION MANAGEMENT
BIND-9X-001003 - The BIND 9.x server software must run with restricted privileges.	ACCESS CONTROL
BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - drop	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - tcp	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - udp	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001005 - The host running a BIND 9.x implementation must use a dedicated management interface in order to separate management traffic from DNS specific traffic.	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001006 - The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - category	AUDIT AND ACCOUNTABILITY
BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - channel	AUDIT AND ACCOUNTABILITY
BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - logging	AUDIT AND ACCOUNTABILITY
BIND-9X-001017 - The BIND 9.x server implementation must not be configured with a channel to send audit records to null.	AUDIT AND ACCOUNTABILITY
BIND-9X-001020 - The BIND 9.x server logging configuration must be configured to generate audit records for all DoD-defined auditable events to a local file by enabling triggers for all events with a severity of info, notice, warning, error, and critical for all DNS components.	AUDIT AND ACCOUNTABILITY
BIND-9X-001021 - In the event of an error when validating the binding of other DNS servers identity to the BIND 9.x information, when anomalies in the operation of the signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events, a BIND 9.x server implementation must generate a log entry.	AUDIT AND ACCOUNTABILITY
BIND-9X-001030 - The print-severity variable for the configuration of BIND 9.x server logs must be configured to produce audit records containing information to establish what type of events occurred.	AUDIT AND ACCOUNTABILITY
BIND-9X-001031 - The print-time variable for the configuration of BIND 9.x server logs must be configured to establish when (date and time) the events occurred.	AUDIT AND ACCOUNTABILITY
BIND-9X-001032 - The print-category variable for the configuration of BIND 9.x server logs must be configured to record information indicating which process generated the events.	AUDIT AND ACCOUNTABILITY
BIND-9X-001040 - The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog - named syslog	AUDIT AND ACCOUNTABILITY
BIND-9X-001040 - The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog - rsyslog/syslog	AUDIT AND ACCOUNTABILITY
BIND-9X-001041 - The BIND 9.x server implementation must be configured with a channel to send audit records to a local file.	AUDIT AND ACCOUNTABILITY
BIND-9X-001042 - The BIND 9.x server implementation must maintain at least 3 file versions of the local log file.	AUDIT AND ACCOUNTABILITY
BIND-9X-001050 - The BIND 9.x secondary name server must limit the number of zones requested from a single master name server.	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001051 - The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time.	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001052 - The BIND 9.x server implementation must limit the number of concurrent session client connections to the number of allowed dynamic update clients.	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001053 - The BIND 9.x server implementation must be configured to use only approved ports and protocols.	CONFIGURATION MANAGEMENT
BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - options allow-query	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - recursion	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - zone allow-query	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - allow-recursion	CONFIGURATION MANAGEMENT
BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - options allow-query	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - recursion	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - zone allow-query	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - notify	CONFIGURATION MANAGEMENT
BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone also-notify	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone notify explicit	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - options notify	CONFIGURATION MANAGEMENT
BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone allow-notify	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone notify explicit	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001059 - On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port - listen-on	CONFIGURATION MANAGEMENT
BIND-9X-001059 - On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port - listen-on-v6	CONFIGURATION MANAGEMENT
BIND-9X-001060 - A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input - dnssec	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001060 - A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input - managed-keys	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001070 - A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001080 - A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients - allow-query	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001080 - A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients - allow-recursion	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001100 - The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit - allow-transfer none
BIND-9X-001100 - The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit - master allow-transfer	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001100 - The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit - secondary keys	SYSTEM AND COMMUNICATIONS PROTECTION
BIND-9X-001106 - The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions - key	SYSTEM AND COMMUNICATIONS PROTECTION

Detections

Analytics

DISA BIND 9.x STIG v1r9

Warning! Audit Deprecated

Audit Details

Audit Items