SV-222551r508029_rule
V-222551
SRG-APP-000176
APSC-DV-001820
CAT I
10
Configure the application or relevant access control mechanism to enforce authorized access to the application private key(s).
Review the application documentation and interview the application administrator to identify where the application's private key is stored.
If the application does not perform code signing or other cryptographic tasks requiring a private key, this requirement is not applicable.
Ask the administrator to demonstrate where the application private key(s) are stored. Examine access restrictions and ensure access controls are in place to restrict access to the private key(s).
If the key(s) are stored on the file system, ensure the file owner and permissions restrict read access to only the authorized user account(s) and processes; group- or world-readable private key files do not meet this requirement.
If the key(s) are maintained or available via an application interface, ensure the application provides access controls that limit access via the application interface to only authorized users and processes.
Review access controls and attempt to use a relevant user account, group or application role that is not allowed access to the private key.
Verify access to the keys is denied.
If unauthorized access is granted to the private key(s), this is a finding.
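The file-system portion of the check above can be scripted so the reviewer gets a repeatable pass/finding result. The following is an added example for this page, not part of the STIG text or any DISA tooling. It assumes a Linux host with GNU coreutils `stat` and `runuser` (the `%a`/`%U` format strings and the `runuser -u` flag are GNU-specific), and that the reviewer knows the service account that is supposed to own the key. `check_key_perms` flags a key that is group- or world-accessible or owned by the wrong account; `try_unauthorized_read` performs the "attempt access as a user that is not allowed" step and passes only when the read is denied.

```shell
#!/bin/sh
# Added example (not from the STIG): file-permission checks for an application private key.
# Assumes GNU coreutils stat and runuser (Linux). Exit status 0 = pass, 1 = finding.

# check_key_perms KEY_PATH EXPECTED_OWNER
# Pass only if KEY_PATH is a regular file, owned by EXPECTED_OWNER, with no group/other bits.
check_key_perms() {
  key="$1"
  owner="$2"
  if [ ! -f "$key" ]; then
    echo "FINDING: $key does not exist or is not a regular file"
    return 1
  fi
  mode=$(stat -c '%a' "$key") || return 1          # e.g. 600, 640, 4600
  actual_owner=$(stat -c '%U' "$key") || return 1  # owning user name
  rc=0
  # Normalise to four digits so setuid/setgid/sticky (first digit) can be dropped,
  # then look at the last two digits: group and other permission bits.
  perms=$(printf '%04d' "$mode")
  group_other=$(printf '%s' "$perms" | tail -c 2)
  if [ "$group_other" != "00" ]; then
    echo "FINDING: $key mode $mode grants group/other access"
    rc=1
  fi
  if [ "$actual_owner" != "$owner" ]; then
    echo "FINDING: $key is owned by $actual_owner, expected $owner"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "PASS: $key mode $mode owned by $actual_owner"
  fi
  return "$rc"
}

# try_unauthorized_read KEY_PATH USER
# Emulates the reviewer step: attempt to read the key as an account that must NOT have access.
# Requires privilege to switch user; returns 0 only if the read was denied.
try_unauthorized_read() {
  key="$1"
  user="$2"
  if runuser -u "$user" -- cat "$key" >/dev/null 2>&1; then
    echo "FINDING: $user was able to read $key"
    return 1
  fi
  echo "PASS: $user was denied read access to $key"
  return 0
}

# Usage (paths and account names are placeholders for this example):
#   check_key_perms /etc/myapp/private.key myapp
#   try_unauthorized_read /etc/myapp/private.key nobody
```

`check_key_perms` inspects the mode and owner rather than attempting a read, so it also catches keys that happen to be unreadable today only because the reviewer's account lacks privilege; `try_unauthorized_read` is the complementary live test and should be run as root against a low-privilege account such as `nobody`. Keys exposed only through an application interface, or stored in an HSM or key store, still need the interface-level review described in the check text.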
V-222551
False
APSC-DV-001820
M
4093