4.5 Protect TSIG Key Files During Deployment

Information

Do not expose TSIG key files during deployment, either by transmitting them over an unauthenticated or unencrypted network channel, or by leaving them with permissive file permissions or on shared locations of any intermediate system used to stage the keys.

Rationale:

The secret key protects the authenticity and integrity of TSIG-signed communications; disclosure of a key would allow an attacker to perform every operation that key authenticates, such as rndc administrative commands, zone transfers or dynamic updates.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following:

Correct the deployment procedure so that keys are transmitted only over an authenticated, encrypted channel and are protected by restrictive ownership and permissions on any intermediate storage.

Regenerate new keys using the corrected procedure and replace all previously deployed TSIG keys, since any key that may have been exposed by the old procedure must be treated as compromised.
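The two steps above, as an added shell example that is not part of the CIS benchmark or the Nessus plugin: generate a BIND key clause under a restrictive umask so the file is never readable by others even briefly, refuse to ship it unless its mode checks out, and push it directly from the generating host to the name server over SSH so no clear-text copy lands on the network or on an intermediate system. The host name, destination path and "named" group are assumptions; the secret is drawn from /dev/urandom rather than BIND's tsig-keygen only so the script has no dependency beyond a POSIX shell and base64.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or the Nessus plugin: generate a
# BIND TSIG key file under a restrictive umask, verify its mode before it leaves
# the host, and push it straight to the name server over SSH.
set -eu

# Write a named.conf "key" clause for NAME to OUT. The secret is 32 random bytes
# (the hmac-sha256 key size) from /dev/urandom; BIND's tsig-keygen produces the
# same clause, this just avoids depending on it. umask runs in a subshell so it
# does not leak into the caller; the file is created mode 0600 from the first byte.
generate_tsig_key_file() {
    name="$1"; out="$2"
    (
        umask 077
        secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
        printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' \
            "$name" "$secret" > "$out"
    )
}

# Return 0 only if F is a regular file with no group or other permission bits,
# i.e. the secret is readable by its owner alone. Uses ls rather than stat so it
# behaves the same on GNU and BSD userland (stat's flags differ between them).
check_key_file_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -l "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Copy F to HOST:DEST over SSH and fix ownership and mode in the same session,
# so the key is not world-readable on the target either. The check first refuses
# to deploy a key that was already exposed locally. HOST, DEST and the "named"
# group are assumptions; adjust to the server's BIND user and group.
deploy_key_file() {
    f="$1"; host="$2"; dest="$3"
    check_key_file_perms "$f" || {
        echo "refusing to deploy: $f is group- or world-readable" >&2
        return 1
    }
    scp -p "$f" "$host:$dest" \
        && ssh "$host" "chown root:named '$dest' && chmod 0640 '$dest'"
}

# Usage (hypothetical host and path):
#   generate_tsig_key_file transfer-key ./transfer-key.conf
#   deploy_key_file ./transfer-key.conf ns1.example.net /etc/bind/transfer-key.conf
```

The generated file goes into named.conf via an `include` statement; after the new key is in place on both ends and the zone or `controls` statement references it, remove the old key clause everywhere it was used, then delete the old key file from every host that ever held it.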

See Also

https://workbench.cisecurity.org/files/2997

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: 85b41f112495b8ca554a007b7b8d7eec28a47f6a13106480e4aa5256decf9fa9