The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

An XCCDF Rule

Details
Profiles
Prose

Description

<VulnDiscussion>Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-207565r612253_rule
Severity: Medium
References: CCI-000186
Updated: about 1 year ago

Change the permissions of the TSIG key files:

# chmod 600 <TSIG_key_file>

The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

Description

Remediation - Manual Procedure