Set Group named or root for BIND Directories and Files

Details

All the BIND directories and files should have a group of either named or root.

Rationale:

In general, the BIND directories and files default to a group of named; however, some system files may have a group of root. Examples of such system files include chroot'ed system device files. Either group root or named is accepted, as the intent is to prevent unexpected group IDs from getting inappropriate access to BIND files. Run time directories to which BIND will need write access should have a group of named, so that write access may be granted via the group permissions.

Solution

Run the command below to change all BIND directories and files to the group named.

chgrp -R named $BIND_HOME $RUNDIR
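
An audit to run before and after the chgrp above, as an added example that is not part of the benchmark text: it lists every entry under the given directories whose group is not in the allowed set. The function name `audit_bind_group` and the `ALLOWED_GROUPS` variable are assumptions made for this example; `$BIND_HOME` and `$RUNDIR` are the page's own variables.

```shell
#!/bin/sh
# Added example (not from the benchmark): report BIND files and directories
# whose group is neither named nor root.
#
# ALLOWED_GROUPS is a hypothetical override for this example; it is a
# space-separated list of group names or numeric GIDs.
#
# Exit status: 0 = compliant, 1 = offending entries printed, 2 = usage/error.

audit_bind_group() {
    if [ "$#" -eq 0 ]; then
        echo "usage: audit_bind_group DIR [DIR...]" >&2
        return 2
    fi

    # Refuse to report "compliant" for a path that was never checked,
    # e.g. when $BIND_HOME or $RUNDIR is unset or mistyped.
    for d in "$@"; do
        if [ ! -e "$d" ]; then
            echo "audit_bind_group: '$d' does not exist" >&2
            return 2
        fi
    done

    # Append one "! -group G" test per allowed group to the directory list,
    # giving: find DIR... ! -group named ! -group root -print
    for g in ${ALLOWED_GROUPS:-named root}; do
        set -- "$@" '!' -group "$g"
    done

    # find does not follow symlinks here, so a symlink is judged by its own
    # group rather than by the group of its target.
    offenders=$(find "$@" -print) || return 2

    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Run the audit only when the page's variables are set in the environment.
if [ -n "${BIND_HOME:-}" ] && [ -n "${RUNDIR:-}" ]; then
    audit_bind_group "$BIND_HOME" "$RUNDIR"
fi
```

No output and an exit status of 0 means every entry has a group of named or root; any path printed is one the chgrp command needs to correct.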

Default Value:

The default rpm install has all directories and files in the BIND home and the run time directory with a group of named.

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.

Updated on July 16, 2022