FIPS Operational Environment: Difference between revisions
Jump to navigation
Jump to search
Line 5: | Line 5: | ||
==Configuring Discretionary Access Control== | ==Configuring Discretionary Access Control== | ||
On Linux and | On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created. The file mode bits can be changed with the <code>chmod</code> utility.. | ||
When installing the NSS library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the NSS library files to 0644, making them readable and writable by the owner, and readable by everyone. | |||
<div class=note>'''Note''': on HP-UX, the shared libraries must be executable, so the file mode bits shall be set to 0755.</div> | |||
The NSS module creates its database files with the 0600 permission bits, making them readable and writable by the owner only. | |||
* specify the set of roles that can execute stored cryptographic software: all users. For example, <code>"chmod a+rx libsoftokn3.so"</code>. '''Note''': the read permission is required for the software integrity test. | * specify the set of roles that can execute stored cryptographic software: all users. For example, <code>"chmod a+rx libsoftokn3.so"</code>. '''Note''': the read permission is required for the software integrity test. |
Revision as of 20:59, 8 June 2006
Maintaining Software Integrity
Describe the checksum (.chk) files.
Configuring Discretionary Access Control
On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created. The file mode bits can be changed with the chmod
utility..
When installing the NSS library files, the operator shall use the chmod
utility to set the file mode bits of the NSS library files to 0644, making them readable and writable by the owner, and readable by everyone.
Note: on HP-UX, the shared libraries must be executable, so the file mode bits shall be set to 0755.
The NSS module creates its database files with the 0600 permission bits, making them readable and writable by the owner only.
- specify the set of roles that can execute stored cryptographic software: all users. For example,
"chmod a+rx libsoftokn3.so"
. Note: the read permission is required for the software integrity test. - specify the set of roles that can modify (i.e., write, replace, and delete) cryptographic programs: the owner only. For example,
"chmod u+w libsoftokn3.so; chmod go-w libsoftokn3.so"
. - specify the set of roles that can modify (i.e., write, replace, and delete) cryptographic data (e.g., cryptographic keys and audit data), CSPs, and plaintext data: NSS databases can only be modified by the owner. Audit data can only be modified by the root user.
- specify the set of roles that can read cryptographic data (e.g., cryptographic keys and audit data), CSPs, and plaintext data: NSS databases can only be read by the owner. Audit data can only be read by the root user.
- specify the set of roles that can enter cryptographic keys and CSPs: N/A. NSS does not support manual entry of cryptographic keys and CSPs.