
CISecurity ISC Bind9 DNS

Egbert edited this page Apr 20, 2022 · 2 revisions

A passive (read-only) check of proper file permissions and file ownership for all known directories and files used by named and rndc.

```
$ cd easy-admin/100-cisecurity
$ ./500-cis-dns-bind-dirs.sh
```

Example output of 500-cis-dns-bind-dirs.sh:

```
Checking file permissions/ownership/security-context for ISC Bind9

Only one 'named' found: /usr/local/sbin/named
Using 'named' binary in: /usr/local/sbin/named
No files found for bind.service.
No named.conf found in 'systemctl cat bind.service'
Binary 'named' built-in config default: /etc/bind/named.conf


INFO: May prompt for sudo to perform protected read-only activities
Begin scanning for 'include' clauses...

Reading in /etc/bind/named.conf...
Content of /etc/bind/named.conf Syntax OK.
Extract 'directory' value as /var/cache/bind

final configure/autogen/autoreconf settings:
  prefix:        /usr
  sysconfdir:    /etc
  localstatedir: 
Extracting 'statistics-file' as /var/log/named_stats.txt
Extracting 'managed-keys-directory' as /var/lib/bind/dynamic
Extracting 'pid-file' as /var/run/bind/named.pid
Extracting 'session-file' as /var/run/bind/session.key
Extracting 'key-directory' as /var/lib/bind/keys/egbert.net
Based on /etc/bind/named.conf settings...

TMPDIR:			/tmp
Bind username:		bind
Bind groupname:		bind
Bind shell:		/usr/sbin/nologin
/usr/sbin/nologin
random filespec:	/dev/random
KRB5 keytab filespec:	/etc/krb5.key

SELinux name_zone_t group:
Bind $HOME:		/var/cache/bind
/run/rpcbind
Zone files list:	/etc/bind/zones/db.bind /var/lib/bind/slave/zone.egbert.net
Zone clauses_A:	bind egbert.net
Zone file statements_A:	 /etc/bind/zones/db.bind  /var/lib/bind/slave/zone.egbert.net

SELinux name_cache_t group:
DNSSEC Dynamic Dir:	/var/lib/bind/dynamic
Zone Slave Dir:		/var/lib/bind/slave
key_dir_list		/var/lib/bind/keys/egbert.net
ManagedKeys Dir:	/var/lib/bind/dynamic
ManagedKeys filespec:	/var/lib/bind/dynamic/managed-keys.bind
Bind data dir:		/var/lib/bind/data
dump filespec:		/var/cache/bind/cache_dump.db
secroots filespec:	/var/cache/bind
/run/rpcbind/named.secroots
statistics filespec:	/var/log/named_stats.txt
memstatistics filespec:	/var/cache/bind
/run/rpcbind/named.memstats
Journal dir:		/var/cache/bind

SELinux name_conf_t group:
Config files list:	/etc/bind/named.conf /etc/bind/key-named.conf /etc/bind/acl-named.conf /etc/bind/logging-named.conf /etc/bind/options-named.conf /etc/bind/controls-named.conf /etc/bind/masters-named.conf /etc/bind/server-named.conf /etc/bind/zones-named.conf /etc/bind/views-named.conf
BINDKEY:		/etc/bind.keys

SELinux name_log_t group:
Log directory:		/var/log/named

SELinux name_var_run_t group:
CIS_RUNDIR:		/run/named
PID file:		/var/run/bind/named.pid
Session Key:		/var/run/bind/session.key
Lock filespec:		/run/named/named.lock


Four choices of file permission settings are:
   "M"aximum security
   "F"edora/CentOS/Redhat default
   "D"ebian/Devuan default
   "C"ISecurity recommendation
Maximum, Fedora, Debian or CISecurity settings? (M/f/d/c): M
Maximum security settings...
1777 root:root (TMPDIR) /tmp:  ok.
...skipping unused /usr/sbin/nologin
/usr/sbin/nologin (NAMED_SHELL_FILESPEC).
666 root:root (random_filespec) /dev/random:  ok.
...skipping unused /etc/krb5.key (keytab_filespec).
...skipping unused /var/cache/bind
/run/rpcbind (NAMED_HOME_DIRSPEC).
640 bind:bind (zone_file) /etc/bind/zones/db.bind:  ok.
640 bind:bind (zone_file) /var/lib/bind/slave/zone.egbert.net:  ok.
750 bind:bind (DYNAMIC_DIRSPEC) /var/lib/bind/dynamic:  ok.
750 bind:bind (slave_dir) /var/lib/bind/slave:  ok.
750 bind:bind (key_dir) /var/lib/bind/keys/egbert.net:  ok.
...skipping unused /var/lib/bind/dynamic/managed-keys.bind (MANAGEDKEYS_FILESPEC).
750 bind:bind (MANAGEDKEYS_DIR) /var/lib/bind/dynamic:  ok.
...skipping unused /var/lib/bind/data (DATA_DIRSPEC).
640 bind:bind (dump_filespec) /var/cache/bind/cache_dump.db:  ok.
...skipping unused /var/cache/bind
/run/rpcbind/named.secroots (secroots_filespec).
...skipping unused /var/log/named_stats.txt (statistics_filespec).
...skipping unused /var/cache/bind
/run/rpcbind/named.memstats (memstatistics_filespec).
750 bind:bind (JOURNAL_DIR) /var/cache/bind:  ok.
...skipping unused /var/cache/bind
/run/rpcbind/named.recursing (recursing_filespec).
640 bind:bind (config_file) /etc/bind/named.conf:  ok.
640 bind:bind (config_file) /etc/bind/key-named.conf:  ok.
640 bind:bind (config_file) /etc/bind/acl-named.conf:  ok.
640 bind:bind (config_file) /etc/bind/logging-named.conf:  ok.
640 bind:bind (config_file) /etc/bind/options-named.conf:  ok.
640 bind:bind (config_file) /etc/bind/controls-named.conf:  ok.
640 bind:bind (config_file) /etc/bind/masters-named.conf:  ok.
640 bind:bind (config_file) /etc/bind/server-named.conf:  ok.
640 bind:bind (config_file) /etc/bind/zones-named.conf:  ok.
640 bind:bind (config_file) /etc/bind/views-named.conf:  ok.
...skipping unused /etc/bind.keys (BINDKEY).
...skipping unused /run/named (CIS_RUNDIR).
640 bind:bind (pid_filespec) /var/run/bind/named.pid:  ok.
600 bind:bind (SESSION_KEY_FILESPEC) /var/run/bind/session.key:  ok.
...skipping unused /run/named/named.lock (lock_filespec).
750 bind:bind (log_dir) /var/log/named:  ok.
Total files:       35
File missing:          12
Skipped files:        0
Permission errors:         0
```
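To show what one of the verdict lines above amounts to, here is an added example (not the easy-admin 500-cis-dns-bind-dirs.sh script itself) of a read-only mode/owner/group check that prints the same ok / skipping unused / summary lines; the function names check_spec and scan_specs, the MISMATCH line and the dependency on GNU or busybox stat are assumptions of this example, and the expected modes (640 for config files, 750 for the dynamic directory) are taken from the Maximum-security output above.

```shell
#!/bin/sh
# Added example, not the easy-admin 500-cis-dns-bind-dirs.sh script itself:
# a minimal passive permission/ownership check that prints the same kind of
# verdict lines as the script output above. Assumes GNU/busybox coreutils
# stat (Linux). It only reads metadata and never runs chmod or chown.

# check_spec MODE OWNER GROUP LABEL PATH
# Exit status: 0 = matches, 1 = mode or ownership mismatch, 2 = path missing.
check_spec() {
    want_mode=$1; want_owner=$2; want_group=$3; label=$4; path=$5
    if [ ! -e "$path" ]; then
        printf '...skipping unused %s (%s).\n' "$path" "$label"
        return 2
    fi
    have=$(stat -c '%a %U %G' "$path") || return 1
    if [ "$have" = "$want_mode $want_owner $want_group" ]; then
        printf '%s %s:%s (%s) %s:  ok.\n' \
            "$want_mode" "$want_owner" "$want_group" "$label" "$path"
        return 0
    fi
    printf '%s %s:%s (%s) %s:  MISMATCH, found %s\n' \
        "$want_mode" "$want_owner" "$want_group" "$label" "$path" "$have"
    return 1
}

# scan_specs OWNER GROUP   (spec lines on stdin: MODE LABEL PATH)
# Applies one owner:group to every line, prints the summary and returns the
# number of permission errors, so 0 means every present path passed.
scan_specs() {
    owner=$1; group=$2; total=0; missing=0; errors=0
    while read -r mode label path; do
        [ -n "$mode" ] || continue
        total=$((total + 1))
        check_spec "$mode" "$owner" "$group" "$label" "$path" && rc=0 || rc=$?
        case $rc in
            1) errors=$((errors + 1)) ;;
            2) missing=$((missing + 1)) ;;
        esac
    done
    printf 'Total files: %d\nFile missing: %d\nPermission errors: %d\n' \
        "$total" "$missing" "$errors"
    return "$errors"
}
```

A missing path is counted as "File missing" rather than as an error, matching the script's treatment of unused files in the output above.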