FIPS Operational Environment

From MozillaWiki
Revision as of 00:35, 9 June 2006 by Wtchang (talk | contribs)
Jump to navigation Jump to search

Maintaining Software Integrity

Describe the checksum (.chk) files.

Configuring Discretionary Access Control

On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created. After the files are created, the file mode bits can be changed with the chmod utility.

Below we describe how to specify the set of roles that can access each component of the NSS module.

Access to Stored Cryptographic Software and Cryptographic Programs

When installing the NSS library files, the operator shall use the chmod utility to set the file mode bits of the NSS library files to 0755, making them readable, writable, and executable by the owner; and readable and executable by everyone. For example, 

 $ chmod 0755 libsoftokn3.so libfreebl3.so

In other words, all users can execute the stored cryptographic software, but only the files' owner can modify (i.e., write, replace, and delete) cryptographic programs. The file mode bits can be verified with the ls utility. For example, 

 $ ls -l libsoftokn3.so libfreebl3.so
 -rwxr-xr-x  1 wtchang wtchang  455411 Jun  8 17:07 libfreebl3.so
 -rwxr-xr-x  1 wtchang wtchang 1052734 Jun  8 17:07 libsoftokn3.so

Access to Cryptographic Keys, CSPs, and Plaintext Data

Cryptographic keys, CSPs, and plaintext data are stored in the NSS databases. The NSS module creates its database files with the 0600 permission bits, making them readable and writable by the owner only. For example, 

 $ ls -l *.db
 -rw-------  1 wtchang wtchang 65536 May 15 22:16 cert8.db
 -rw-------  1 wtchang wtchang 32768 May 15 22:16 key3.db
 -rw-------  1 wtchang wtchang 32768 May 15 22:15 secmod.db

Access to Audit Data

The NSS module uses the audit mechanism provided by the operating system to audit events, so the NSS audit data are stored in the system audit log. The system audit log can only be read or modified by the root user.

Entry of Cryptographic Keys and CSPs

N/A. NSS does not support manual entry of cryptographic keys and CSPs.

Retrieved from "https://wiki.mozilla.org/index.php?title=FIPS_Operational_Environment&oldid=27474"