Interview the application representative and determine the keys resident on application servers (including X.509 certificates). For the purposes of this checklist, no more than 20 keys need to be examined. Based on the number of keys in the inventory, determine if all of the keys will be examined, or just a sample. If a sample will be selected, choose keys of a variety of types (certificate of a certificate authority, certificate of a user, private key of a user, etc.). No user or process should be able to write to any file containing keys. If keys need to be replaced or added, permissions can be changed temporarily for those events.
1) If any privileged or non-privileged user or application process has write permissions to a file containing cryptographic keys, it is a finding.
Determine whether, when keys are read, the read occurs under the security context of a user account or of the application process (which performs the read on behalf of the user). Ensure that read permissions are granted only to the account(s) that must know the key for the application to function. If any user groups are granted read permissions, check that those groups contain only the users that require knowledge of the key.
2) If any user account that does not require such permissions has read (or greater) permissions to a private or secret key, it is a finding.
3) If any group with read permissions contains a user that does not require such permissions, it is a finding.