FIPS Operational Environment: Difference between revisions
| Line 5: | Line 5: | ||
==Configuring Discretionary Access Control== | ==Configuring Discretionary Access Control== | ||
On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created. | On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created. After the files are created, the file mode bits can be changed with the <code>chmod</code> utility. | ||
Below we describe how to specify the set of roles that can access each component of the NSS module. | |||
===Stored Cryptographic Software and Cryptographic Programs=== | |||
When installing the NSS library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the NSS library files to '''0755''', making them readable, writable, and executable by the owner; and readable and executable by everyone. For example, | |||
$ chmod 0755 libsoftokn3.so libfreebl3.so | |||
In other words, all users can execute the stored cryptographic software, but only the files' owner can modify (i.e., write, replace, and delete) cryptographic programs. The file mode bits can be verified with the <code>ls</code> utility. For example, | |||
$ ls -l libsoftokn3.so libfreebl3.so | |||
-rwxr-xr-x 1 wtchang wtchang 455411 Jun 8 17:07 libfreebl3.so | |||
-rwxr-xr-x 1 wtchang wtchang 1052734 Jun 8 17:07 libsoftokn3.so | |||
===Cryptographic Keys, CSPs, and Plaintext Data=== | |||
The NSS module creates its database files with the '''0600''' permission bits, making them readable and writable by the owner only. | |||
===Audit Data=== | |||
The operating system enforces that audit data can only be read or modified by the root user. | |||
===Entry of Cryptographic Keys and CSPs=== | |||
'''N/A'''. NSS does not support manual entry of cryptographic keys and CSPs. | |||
Revision as of 00:24, 9 June 2006
Maintaining Software Integrity
Describe the checksum (.chk) files.
Configuring Discretionary Access Control
On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created. After the files are created, the file mode bits can be changed with the chmod utility.
Below we describe how to specify the set of roles that can access each component of the NSS module.
Stored Cryptographic Software and Cryptographic Programs
When installing the NSS library files, the operator shall use the chmod utility to set the file mode bits of the NSS library files to 0755, making them readable, writable, and executable by the owner; and readable and executable by everyone. For example,
$ chmod 0755 libsoftokn3.so libfreebl3.so
In other words, all users can execute the stored cryptographic software, but only the files' owner can modify (i.e., write, replace, and delete) cryptographic programs. The file mode bits can be verified with the ls utility. For example,
$ ls -l libsoftokn3.so libfreebl3.so -rwxr-xr-x 1 wtchang wtchang 455411 Jun 8 17:07 libfreebl3.so -rwxr-xr-x 1 wtchang wtchang 1052734 Jun 8 17:07 libsoftokn3.so
Cryptographic Keys, CSPs, and Plaintext Data
The NSS module creates its database files with the 0600 permission bits, making them readable and writable by the owner only.
Audit Data
The operating system enforces that audit data can only be read or modified by the root user.
Entry of Cryptographic Keys and CSPs
N/A. NSS does not support manual entry of cryptographic keys and CSPs.