4.1.3 Ensure private key permissions are restricted

Information

The server's private key should be protected from unauthorized access by limiting access based on the principle of least privilege.

Rationale:

A server's private key file should be restricted to 400 permissions. This ensures only the owner of the private key file can access it. This is the minimum necessary permissions for the server to operate. If the private key file is not protected, an unauthorized user with access to the server may be able to find the private key file and use it to decrypt traffic sent to your server.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Run the following command to remove excessive permissions on key files in the '/etc/nginx/ directory.

Note: The directory /etc/nginx/ should be replaced with the location of your key file.

find /etc/nginx/ -name '*.key' -exec chmod u-wx,go-rwx {} +

Default Value:

The default permissions on the server's private key are 644 or -rw-r--r--.

Additional Information:

Important Note: This recommendation should be applied to both the keys of your server certificate and the key of your client certificate if you are looking to mutually authenticate a proxy server.

See Also

https://workbench.cisecurity.org/files/4212