2.5 Set root Ownership of BIND Configuration Files

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The configuration files in the ISC BIND directories should be owned by root. Of course, any files created at run time by BIND, such as pid files, log files and slave zone files will necessarily be owned by named.

Rationale:

Restricting ownership of the configuration files provides defense in depth and will reduce the probability of unauthorized modifications to those important files. If there was a BIND vulnerability that allowed code execution as the named user, then the code would not be able modify the configuration files.

Solution

Perform the following:

- Capture the output of the previous audit command to a file named nonroot-files.txt and review any files not owned by root to ensure the files are necessary and are not expected run-time files. Delete any unnecessary files, and ensure any run-time files are being created in the appropriate run-time directory.

# find $BIND_HOME -type f ! -user root | egrep -v
^$DYNDIR|^$SLAVEDIR^$DATADIR|^$RUNDIR|^$LOGDIR|^$TMPDIR >
$TMPDIR/nonroot-files.txt

- The remaining non-run-time files should be changed to be owned by root, with a command like the following:
# cat $TMPDIR/nonroot-files.txt | xargs chown root
# rm $TMPDIR/nonroot-files.txt

Default Value:
The default rpm has all configuration files owned by root.

See Also

https://benchmarks.cisecurity.org/downloads/show-single/?file=bind.300

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: 81e623728fb2b5adfa564ff5d441de5728bf42796644cfbd3b813e7fe5fa2911