2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - files

Information

All of the BIND files and all of directories except the run-time directories into which BIND will create files should have group permissions set to not be writable. Any run-time files created by BIND will be owned by BIND, and therefore need not be group writable.

Rationale:

Restricting permissions on the directories and files provides defense in depth and will reduce the probability of unauthorized modifications to important files. If there was a BIND vulnerability that allowed code execution as the named user, then the code would not be able create or modify configuration files.

Solution

Perform the following:

Capture the output from the audit commands above into a file named write-dirs.txt

Review the purpose for the identified directories and either delete them if the directory is not needed, or change the permissions of the directory to not be writable by group or other.

The following command can be used to change the permissions of the directories that are appropriate.

xargs -a write-dirs.txt chmod g-w

Default Value:

The default rpm install has the following non-runtime directories with group write access.

/var/named/

See Also

https://workbench.cisecurity.org/files/2997