STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to BIND 9.x Security Technical Implementation Guide

V-272378

CAT II (Medium)

The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.

Rule ID

SV-272378r1123864_rule

STIG

BIND 9.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000186

Discussion

Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

Check Content

With the assistance of the DNS administrator, identify all of the TSIG keys used by the BIND 9.x implementation.

Identify the account that the "named" process is running as:

# ps -ef | grep named
named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot

With the assistance of the DNS administrator, determine the location of the TSIG keys used by the BIND 9.x implementation.

# ls -al <TSIG_Key_Location>
-rw-r-----. 1 root named 76 May 10 20:35 tsig-example.key

If any of the TSIG keys are not group owned by the above account, this is a finding.

Fix Text

Change the group ownership of the TSIG keys to the named process group.

# chgrp <named_proccess_group> <TSIG_key_file>