2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'other' permissions

Information

All BIND directories, except the run-time directories into which BIND itself creates files, should have group and other write permission removed. No directory under BIND_HOME or RUNDIR should be writable by other; even a chroot'ed tmp directory only needs to be writable by the named group, never by everyone.

Rationale:

Restricting permissions on the directories provides defense in depth and reduces the probability of unauthorized modification of important files. If a BIND vulnerability allowed code execution as the named user, that code would not be able to create or modify configuration files in the protected directories. Note that this only holds where the directories are owned by root (or another account that is not named), since removing group and other write bits does not restrict the owner.

Solution

Perform the following:

- Capture the output from the audit commands above into a file named write-dirs.txt.
- Review the purpose of each identified directory and either delete it if it is not needed, or change its permissions so that it is not writable by group or other.
- The following command can be used to change the permissions of the directories that remain. Note that -a is a GNU xargs option, that xargs splits on whitespace by default (paths containing spaces need one-path-per-line handling, for example -d '\n' with GNU xargs), and that an empty write-dirs.txt causes chmod to be invoked with no arguments, which is harmless but reports an error.

xargs -a write-dirs.txt chmod go-w
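The audit and remediation steps above, carried through end to end as an added example (not part of the CIS benchmark page). The BIND_HOME and RUNDIR values are placeholders to be set for the site; the directory layout built in the comments is constructed for illustration. The fix step reads one path per line instead of relying on xargs splitting, so directory names containing spaces are handled.

```shell
#!/bin/sh
# Added example, not from the benchmark: audit and fix group/other-writable
# directories under a BIND home, skipping the run-time directory tree.

# Print every directory under BIND_HOME that is group- or other-writable,
# excluding RUNDIR and everything beneath it. Symbolic -perm modes with a
# leading '-' (all listed bits set) are POSIX, so GNU and BSD find both work.
audit_writable_dirs() {
    bind_home=$1
    rundir=$2
    find "$bind_home" -path "$rundir" -prune -o \
        -type d \( -perm -g+w -o -perm -o+w \) -print
}

# Remove group and other write bits from every directory listed in the file
# (one path per line, as written by audit_writable_dirs). Reading whole
# lines keeps directory names with spaces intact; blank lines are skipped.
fix_writable_dirs() {
    list=$1
    while IFS= read -r dir || [ -n "$dir" ]; do
        [ -n "$dir" ] && chmod go-w "$dir"
    done < "$list"
    return 0
}

# Count of directories still writable by group or other; 0 means compliant.
count_writable_dirs() {
    audit_writable_dirs "$1" "$2" | grep -c '^'
}

# Usage on a real host (BIND_HOME and RUNDIR are site-specific placeholders):
#   audit_writable_dirs "$BIND_HOME" "$RUNDIR" > write-dirs.txt
#   # review write-dirs.txt, delete directories that are not needed, then:
#   fix_writable_dirs write-dirs.txt
#   count_writable_dirs "$BIND_HOME" "$RUNDIR"   # expect 0
```

count_writable_dirs doubles as the post-remediation check: run it after the fix and before restarting named, and treat any non-zero result as a finding to re-review rather than something to silently chmod away.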

Default Value:

The default RPM install leaves all non-runtime directories without group or other write access.

See Also

https://workbench.cisecurity.org/files/1735