The strongkey credential is the only one that has direct access to cryptographic keys. This access is enabled through the web service application that provides FIDO services to requesting applications.
While the strongkey credential does not require any other privileged access on the system (that may compromise the system), it must be protected as diligently as the privileged root account of the system.
The following controls can help protect the strongkey account:
| Measure Taken | Justification |
|---|---|
| Set up an unlock account on the Linux system (if it hasn't already been created for controlling the root account). | This account becomes the fail-safe measure to recover access to the strongkey account in the event it is needed for extraordinary administrative actions. |
| Add the unlock account to /etc/sudoers with the ability to unlock the root account. | Replace the <FQDN> with the fully qualified domain name of the SKFS server: unlock <FQDN>=/usr/sbin/usermod --unlock strongkey |
| Add the normal Linux account of the Systems Administrator to /etc/sudoers to perform SKFS-specific SA tasks (as defined by company policy). | This ensures that SAs can perform their day-to-day jobs with the SKFS software: backup, restore, log management, performance management, patching, etc. These accounts must be the only legitimate means of managing the SKFS software. For tighter control, depending on company policy, sites may add multi-factor authentication tokens to the system to ensure only legitimate SAs with two-factor tokens can log in to SA accounts on SKFS. |
| Add these watches to audit modifications to various configuration files. | The first watch listed below will monitor for writes, appends, and reads of the /etc/sudoers file and log them. Logged records can be searched with the filter key sudoers. The second will watch for executions of the sudo command and log them with a filter key of sudo-exec. auditd should be turned on to monitor access to the sudo command, for review by the appropriate authorities (third-party reporting tools may also be used for this purpose, if desired). The generic auditctl command is: auditctl -w <file> -pwar -k <filter key> |
| Finally, lock the strongkey account on the system: /usr/sbin/usermod --lock strongkey | This has the effect of disabling the strongkey account so no one can gain access to the account. |
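
As an added example (not part of the original page), these shell functions check that the controls in the table are in place, reading copies of the shadow file, the `auditctl -l` output and the sudoers file. The sudo path /usr/bin/sudo, the `x` permission for the execution watch, the host name skfs.example.com and all sample file contents are assumptions constructed for illustration.

```shell
# Added example. Inputs are text files so the checks run without root.
# is_locked SHADOW USER: `usermod --lock` prefixes the password field with '!'.
is_locked() {
    awk -F: -v u="$2" '$1 == u && $2 ~ /^!/ { ok = 1 } END { exit (ok ? 0 : 1) }' "$1"
}

# has_watch RULES PATH PERMS KEY: rules in `auditctl -l` form; PERMS letters
# may appear in any order (auditctl prints "war" as "rwa").
has_watch() {
    awk -v p="$2" -v perms="$3" -v k="$4" '
        $1 == "-w" && $2 == p {
            gp = ""; gk = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") gp = $(i + 1)
                if ($i == "-k") gk = $(i + 1)
            }
            m = (gk == k)
            for (j = 1; j <= length(perms); j++)
                if (index(gp, substr(perms, j, 1)) == 0) m = 0
            if (m) hit = 1
        }
        END { exit (hit ? 0 : 1) }' "$1"
}

# unlock_grant_ok SUDOERS FQDN: the unlock account must hold exactly one rule,
# the single command from the table (this strictness is the example's assumption).
unlock_grant_ok() {
    awk -v want="unlock $2=/usr/sbin/usermod --unlock strongkey" '
        /^[ \t]*#/ { next }
        $1 == "unlock" { n++; $1 = $1; if ($0 == want) ok = 1 }
        END { exit ((n == 1 && ok) ? 0 : 1) }' "$1"
}

# check_controls SHADOW RULES SUDOERS FQDN: returns the number of failed controls.
check_controls() {
    fails=0
    is_locked "$1" strongkey || { echo "FAIL: strongkey not locked"; fails=$((fails + 1)); }
    has_watch "$2" /etc/sudoers war sudoers || { echo "FAIL: sudoers watch"; fails=$((fails + 1)); }
    has_watch "$2" /usr/bin/sudo x sudo-exec || { echo "FAIL: sudo-exec watch"; fails=$((fails + 1)); }
    unlock_grant_ok "$3" "$4" || { echo "FAIL: unlock rule"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample inputs, not taken from a real host.
d=$(mktemp -d)
printf '%s\n' 'strongkey:!$6$constructed:19000:0:99999:7:::' > "$d/shadow"
printf '%s\n' '-w /etc/sudoers -p rwa -k sudoers' '-w /usr/bin/sudo -p x -k sudo-exec' > "$d/rules"
printf '%s\n' 'unlock skfs.example.com=/usr/sbin/usermod --unlock strongkey' > "$d/sudoers"
check_controls "$d/shadow" "$d/rules" "$d/sudoers" skfs.example.com && echo "all controls present"
rm -rf "$d"
```

On a live host the same functions can be pointed at /etc/shadow, a saved copy of the `auditctl -l` output and /etc/sudoers, all of which require root to read.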