Information
The configuration files in the ISC BIND directories should be owned by root. Of course, any files created at run time by BIND, such as pid files, log files and slave zone files will necessarily be owned by named.
Rationale:
Restricting ownership of the configuration files provides defense in depth and will reduce the probability of unauthorized modifications to those important files. If there was a BIND vulnerability that allowed code execution as the named user, then the code would not be able modify the configuration files.
Solution
Perform the following:
Capture the output of the previous audit command to a file named nonroot-files.txt and review any files not owned by root to ensure the files are necessary and are not expected run-time files. Delete any unnecessary files, and ensure any run-time files are being created in the appropriate run-time directory.
# find $BIND_HOME -type f ! -user root | egrep -v
^$DYNDIR|^$SLAVEDIR|^$DATADIR|^$RUNDIR|^$LOGDIR|^$TMPDIR >
$TMPDIR/nonroot-files.txt
The remaining non-run-time files should be changed to be owned by root, with a command like the following:
# cat $TMPDIR/nonroot-files.txt | xargs chown root
# rm $TMPDIR/nonroot-files.txt
Default Value:
The default rpm has the following configuration files owned by named.
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback