UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure private keys are accessible only to administrative users.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16789 APP3180 SV-17789r1_rule ECCD-1 Medium
Description
If private keys are accessible to non-administrative users, these users could potentially read and use the private keys to unencrypt stored or transmitted sensitive data used by the application.
STIG Date
Application Security and Development STIG 2014-04-03

Details

Check Text ( C-17775r1_chk )
Interview the application representative and determine the keys resident on application servers (including X.509 certificates). For the purposes of this checklist, no more than 20 keys need to be examined. Based on the number of keys in the inventory, determine if all of the keys will be examined, or just a sample. If a sample will be selected, choose keys of a variety of types (certificate of a certificate authority, certificate of a user, private key of a user, etc.). No user or process should be able to write to any file containing keys. If keys need to be replaced or added, permissions can be changed temporarily for those events.

1) If any privileged or non-privileged user or application process has write permissions to a file containing cryptographic keys, it is a finding.

Determine if when keys are read, that transaction occurs under the security context of a user account, or of the application process (which would perform the transaction on behalf of the user). Ensure that read permissions are granted only to the account(s) that must know the key to make the application function. If any user groups are granted read permissions, check that the members of these groups contain only the users that require knowledge of the key.

2) If any user accounts have read (or greater) permissions to a private or secret key, which do not require such permissions, it is a finding.

3) If any group with read permissions contains a user that does not require such permissions, it is a finding.
Fix Text (F-17005r1_fix)
Remove excessive permissions on private keys.