Skip to content

I - Mission Critical Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000142-DNS-000014

    <GroupDescription></GroupDescription>
    Group
  • The BIND 9.x server implementation must be configured to use only approved ports and protocols.

    &lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....
    Rule Medium Severity
  • SRG-APP-000247-DNS-000036

    <GroupDescription></GroupDescription>
    Group
  • A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

    &lt;VulnDiscussion&gt;A DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot ...
    Rule Medium Severity
  • SRG-APP-000246-DNS-000035

    <GroupDescription></GroupDescription>
    Group
  • A BIND 9.x server implementation must prohibit recursion on authoritative name servers.

    &lt;VulnDiscussion&gt;A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the ...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000088

    <GroupDescription></GroupDescription>
    Group
  • The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated.

    &lt;VulnDiscussion&gt;It is important to maintain the integrity of a zone file. The serial number of the SOA record is used to indicate to secondar...
    Rule Low Severity
  • SRG-APP-000516-DNS-000088

    <GroupDescription></GroupDescription>
    Group
  • The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers.

    &lt;VulnDiscussion&gt;It is important to maintain the integrity of a zone file. The serial number of the SOA record is used to indicate to secondar...
    Rule Low Severity
  • SRG-APP-000516-DNS-000110

    <GroupDescription></GroupDescription>
    Group
  • On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.

    &lt;VulnDiscussion&gt;Hosts that run the name server software should not provide any other services and therefore should be configured to respond t...
    Rule Low Severity
  • SRG-APP-000447-DNS-000068

    <GroupDescription></GroupDescription>
    Group
  • A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input.

    &lt;VulnDiscussion&gt;A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards ag...
    Rule Medium Severity
  • SRG-APP-000001-DNS-000001

    <GroupDescription></GroupDescription>
    Group
  • A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.

    &lt;VulnDiscussion&gt;Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. Name serve...
    Rule Medium Severity
  • SRG-APP-000246-DNS-000035

    <GroupDescription></GroupDescription>
    Group
  • A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.

    &lt;VulnDiscussion&gt;Any host that can query a resolving name server has the potential to poison the servers name cache or take advantage of other...
    Rule Medium Severity
  • SRG-APP-000158-DNS-000015

    <GroupDescription></GroupDescription>
    Group
  • The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.

    &lt;VulnDiscussion&gt;Server-to-server (zone transfer) transactions are provided by TSIG, which enforces mutual server authentication using a key t...
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules