9 - Isolate BIND via chroot or Solaris Zones

Information

The chroot(2) system call, and the chroot(8) command that wraps it, lets you create a running environment that is severely limited from the rest of the operating system: the command is run with the root of the file system replaced by a given sub-directory, so it can no longer reach anything outside that sub-directory. It should be noted that chroot-ing is not a complete security measure. It was not originally designed for security, and a process that keeps root privileges inside the jail can generally break out of it, so it must be combined with running named as an unprivileged user.

Rationale:

To further limit the potential damage from a successful exploit, the server should run in an isolated compartment such as a chroot-ed jail or a Solaris 10 zone. The daemon is then restricted in what it can see or do. In a chroot-ed jail, for example, the service does not have access to the full file system, only to a minimal one containing just the necessary data, libraries and devices.

Solution

Create the chroot directories. Details on the usage and permissions of these directories are important and are provided in the section Restricting BIND Access. Some systems may also require run-time libraries within the chroot file hierarchy. Typically BIND 9 does not, because named performs the chroot(2) call (requested with its -t option) after the dynamic linker has already loaded its shared libraries; only files opened after that point, such as the configuration, zone files and /etc/localtime, need to exist inside the jail. Check your system's dynamic linking man pages (such as ld and ldd) for additional information.
mkdir -p -m 750 /var/named/chroot
cd /var/named/chroot
mkdir -p -m 750 etc dev var/named/data var/run var/log var/tmp
Create the necessary devices such as /dev/null, /dev/zero and /dev/random using the proper major and minor device numbers for your platform. A long listing (ls -al) of /dev/null, /dev/zero and /dev/random shows the required major and minor numbers for each; substitute them for the question marks below. You should also create a syslog socket for logging by adding an option such as '-a /var/named/chroot/dev/log' to your syslogd command line.
ls -al /dev/null /dev/zero /dev/random
mknod dev/null c ? ?
mknod dev/random c ? ?
mknod dev/zero c ? ?
chown root:named dev/null dev/zero dev/random
chmod ug=rw,o= dev/null dev/zero dev/random
cp /etc/named.conf etc/
cp /etc/localtime etc/
Edit the copied etc/named.conf so that the paths it references (the directory /var/named, /var/named/data and /var/run/) exist under the chroot directory. These paths are interpreted after named has changed its root, so /var/named/data in named.conf refers to /var/named/chroot/var/named/data on the real file system. Also copy the zone files referenced in named.conf into the corresponding location under the chroot, and start named with -t /var/named/chroot so that it actually enters the jail.
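The whole procedure above as one script, added here as an example; it is not part of the benchmark text or of BIND itself. It creates the directory tree, derives the device numbers from the host's own /dev entries instead of leaving them as question marks, and offers a check of the result. Assumptions not stated on the page: the chroot is at /var/named/chroot (override with CHROOT), the daemon's group is named, and ls -l prints device numbers as "major, minor" in fields 5 and 6, as it does on Linux, Solaris and the BSDs.

```shell
#!/bin/sh
# Added example (not from the benchmark): build and check a BIND chroot tree.
# Assumed: CHROOT=/var/named/chroot, group "named", and `ls -l` output of the
# form "crw-rw-rw- 1 root root 1, 3 <date> /dev/null" for device nodes.
set -eu

CHROOT="${CHROOT:-/var/named/chroot}"
NAMED_GROUP="${NAMED_GROUP:-named}"

# parse_devnums LINE: print "major minor" from one `ls -l` line for a character
# device; prints nothing if the line does not describe a character device.
parse_devnums() {
    printf '%s\n' "$1" | awk '$1 ~ /^c/ { sub(",", "", $5); print $5, $6; exit }'
}

# devnums PATH: major/minor of an existing device node on this host.
devnums() {
    parse_devnums "$(ls -l "$1")"
}

# make_dev PATH: recreate /dev/<name> under $CHROOT with the host's numbers and
# the ownership and mode the benchmark asks for (root:named, ug=rw, o=).
make_dev() {
    name=$(basename "$1")
    set -- $(devnums "$1")
    [ $# -eq 2 ] || { echo "$name: not a character device on this host" >&2; return 1; }
    mknod "$CHROOT/dev/$name" c "$1" "$2"
    chown root:"$NAMED_GROUP" "$CHROOT/dev/$name"
    chmod ug=rw,o= "$CHROOT/dev/$name"
}

# build_chroot: the full procedure from the Solution section. Needs root.
build_chroot() {
    [ "$(id -u)" -eq 0 ] || { echo "build_chroot must run as root" >&2; return 1; }
    mkdir -p -m 750 "$CHROOT"
    for d in etc dev var/named/data var/run var/log var/tmp; do
        mkdir -p -m 750 "$CHROOT/$d"
    done
    for dev in /dev/null /dev/zero /dev/random; do
        [ -e "$CHROOT/dev/${dev#/dev/}" ] || make_dev "$dev"
    done
    cp /etc/named.conf "$CHROOT/etc/"
    cp /etc/localtime "$CHROOT/etc/"
    # Zone files named in named.conf must be copied under $CHROOT too: paths in
    # named.conf are resolved after the chroot, so "/var/named/data" there is
    # $CHROOT/var/named/data on the real file system.
}

# check_chroot: verify the tree and that each jail device carries the same
# major/minor as the host's. Prints one line per problem, returns 1 if any.
check_chroot() {
    rc=0
    for d in etc dev var/named/data var/run var/log var/tmp; do
        [ -d "$CHROOT/$d" ] || { echo "missing directory $CHROOT/$d"; rc=1; }
    done
    for dev in null zero random; do
        if [ ! -c "$CHROOT/dev/$dev" ]; then
            echo "missing device $CHROOT/dev/$dev"; rc=1
        elif [ "$(devnums "$CHROOT/dev/$dev")" != "$(devnums "/dev/$dev")" ]; then
            echo "device numbers differ for $dev"; rc=1
        fi
    done
    [ -f "$CHROOT/etc/named.conf" ] || { echo "missing $CHROOT/etc/named.conf"; rc=1; }
    # The syslog socket is created by syslogd (-a $CHROOT/dev/log), not here.
    [ -S "$CHROOT/dev/log" ] || echo "note: no syslog socket at $CHROOT/dev/log"
    return $rc
}

case "${1:-}" in
    build) build_chroot ;;
    check) check_chroot ;;
esac
```

Run it as root with `build`, then `check`; afterwards start the daemon with `named -u named -t /var/named/chroot` so that it drops privileges and enters the jail, and add `-a /var/named/chroot/dev/log` to the syslogd command line so logging keeps working from inside it.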

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-2

Plugin: Unix

Control ID: c06c4cb781fdae0c46c8c73b13a9e1e6afc8c8d70b0af4fde225f133696be4b4