STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

DISA Rule

SV-222551r508029_rule

Vulnerability Number

V-222551

Group Title

SRG-APP-000176

Rule Version

APSC-DV-001820

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the application or relevant access control mechanism to enforce authorized access to the application private key(s).

Check Contents

Review the application documentation and interview the application administrator to identify where the application's private key is stored.

If the application does not perform code signing or other cryptographic tasks requiring a private key, this requirement is not applicable.

Ask the administrator to demonstrate where the application private key(s) are stored. Examine access restrictions and ensure access controls are in place to restrict access to the private key(s).

If the key(s) are stored on the file system, ensure the file permissions restrict read and write access to authorized users and processes only.

If the key(s) are maintained or available via an application interface, ensure the application provides access controls that limit access via the application interface to only authorized users and processes.

Review the access controls, then attempt to read the private key using a user account, group, or application role that is not authorized to access it.

Verify access to the keys is denied.

If unauthorized access is granted to the private key(s), this is a finding.
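The file-system branch of this check, as an added shell audit that is not part of the STIG text or of STIGQter: given a key path and the account expected to own it, the function flags any group/other permission bits, a different owner, and (going one step beyond the check text) a world-writable parent directory, since that would let an unauthorized process replace the key. It assumes GNU coreutils `stat` (Linux); the path and owner are arguments supplied by the reviewer.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit a private key file's access controls.
# Assumes GNU coreutils stat. Returns 0 when access is restricted to the expected
# owner, 1 for a finding, 2 when the path does not exist.
check_private_key_perms() {
    key_path="$1"
    expected_owner="$2"
    status=0
    if [ ! -f "$key_path" ]; then
        echo "NOT FOUND: $key_path"
        return 2
    fi
    mode=$(stat -c '%a' "$key_path")
    owner=$(stat -c '%U' "$key_path")
    dir_mode=$(stat -c '%a' "$(dirname "$key_path")")
    # Owner: only the account the application runs as should own the key file.
    if [ "$owner" != "$expected_owner" ]; then
        echo "FINDING: $key_path is owned by $owner, expected $expected_owner"
        status=1
    fi
    # Mode: any group or other bit (the last two octal digits) is a finding.
    case "$mode" in
        *00) ;;
        *) echo "FINDING: $key_path mode $mode grants group/other access"; status=1 ;;
    esac
    # Parent directory: an other-writable directory (last octal digit has the
    # write bit, i.e. 2, 3, 6 or 7) allows the key file to be swapped out.
    case "$dir_mode" in
        *[2367]) echo "FINDING: directory of $key_path is world-writable ($dir_mode)"; status=1 ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "OK: $key_path mode $mode owner $owner"
    fi
    return "$status"
}

# Stand-alone usage: check_keyperms.sh /path/to/app.key [expected_owner]
if [ -n "$1" ]; then
    check_private_key_perms "$1" "${2:-$(id -un)}"
fi
```

Run it as the reviewer (not as the key owner) for each key location the administrator identifies; a non-zero exit on any key is the finding described above.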

Severity Override Guidance

Identical to the Check Contents above.

Check Content Reference

M

Target Key

4093

Comments