Skip to content

III - Administrative Public

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000516-DNS-000112

    <GroupDescription></GroupDescription>
    Group
  • On the BIND 9.x server the private keys corresponding to both the ZSK and the KSK must not be kept on the BIND 9.x DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.

    &lt;VulnDiscussion&gt;The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys shoul...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000086

    <GroupDescription></GroupDescription>
    Group
  • The two files generated by the BIND 9.x server dnssec-keygen program must be owned by the root account, or deleted, after they have been copied to the key file in the name server.

    &lt;VulnDiscussion&gt;To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000086

    <GroupDescription></GroupDescription>
    Group
  • The two files generated by the BIND 9.x server dnssec-keygen program must be group owned by the server administrator account, or deleted, after they have been copied to the key file in the name server.

    &lt;VulnDiscussion&gt;To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000086

    <GroupDescription></GroupDescription>
    Group
  • Permissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.

    &lt;VulnDiscussion&gt;To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...
    Rule Medium Severity
  • SRG-APP-000176-DNS-000096

    <GroupDescription></GroupDescription>
    Group
  • The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.

    &lt;VulnDiscussion&gt;The private key in the KSK key pair must be protected from unauthorized access. The private key should be stored off-line (wi...
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules