Skip to content

I - Mission Critical Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000516-DNS-000099

    <GroupDescription></GroupDescription>
    Group
  • The permissions assigned to the core BIND 9.x server files must be set to utilize the least privilege possible.

    &lt;VulnDiscussion&gt;Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have d...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000091

    <GroupDescription></GroupDescription>
    Group
  • On a BIND 9.x server for zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.

    &lt;VulnDiscussion&gt;Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. ...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000092

    <GroupDescription></GroupDescription>
    Group
  • On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.

    &lt;VulnDiscussion&gt;Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two d...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000093

    <GroupDescription></GroupDescription>
    Group
  • On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.

    &lt;VulnDiscussion&gt;Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two d...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000101

    <GroupDescription></GroupDescription>
    Group
  • A BIND 9.x server implementation must implement internal/external role separation.

    &lt;VulnDiscussion&gt;DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal ...
    Rule High Severity
  • SRG-APP-000516-DNS-000108

    <GroupDescription></GroupDescription>
    Group
  • On the BIND 9.x server the IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.

    &lt;VulnDiscussion&gt;A hidden master authoritative server is an authoritative DNS server whose IP address does not appear in the name server set f...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000500

    <GroupDescription></GroupDescription>
    Group
  • A BIND 9.x implementation operating in a split DNS configuration must be approved by the organizations Authorizing Official.

    &lt;VulnDiscussion&gt;BIND 9.x has implemented an option to use "view" statements to allow for split DNS architecture to be configured on a single ...
    Rule High Severity
  • SRG-APP-000516-DNS-000111

    <GroupDescription></GroupDescription>
    Group
  • On the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be owned by root.

    &lt;VulnDiscussion&gt;The private ZSK key must be protected from unauthorized access. This strategy is not feasible in situations in which the DNS...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000111

    <GroupDescription></GroupDescription>
    Group
  • On the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be group owned by root.

    &lt;VulnDiscussion&gt;The private ZSK key must be protected from unauthorized access. This strategy is not feasible in situations in which the DNS...
    Rule Medium Severity
  • SRG-APP-000215-DNS-000003

    <GroupDescription></GroupDescription>
    Group
  • A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies.

    &lt;VulnDiscussion&gt;A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules