FIPS Operational Environment

From MozillaWiki
Jump to navigation Jump to search

Maintaining Software Integrity

Describe the checksum (.chk) files.

Configuring Discretionary Access Control

On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files.

Below we describe how to set the file mode bits to specify the set of roles that can access each component of the NSS module.

Access to Stored Cryptographic Software and Cryptographic Programs

When installing the NSS library files, the operator shall use the chmod utility to set the file mode bits of the NSS library files to 0755 so that all users can execute the NSS library files, but only the files' owner can modify (i.e., write, replace, and delete) the files. For example, 

 $ chmod 0755 libsoftokn3.so libfreebl3.so

The file mode bits can be verified with the ls utility. For example, 

 $ ls -l libsoftokn3.so libfreebl3.so
 -rwxr-xr-x  1 wtchang wtchang  455411 Jun  8 17:07 libfreebl3.so
 -rwxr-xr-x  1 wtchang wtchang 1052734 Jun  8 17:07 libsoftokn3.so

Access to Cryptographic Keys, CSPs, and Plaintext Data

Cryptographic keys, CSPs, and plaintext data are stored in the NSS databases. The NSS module creates its database files with the 0600 permission bits, making them readable and writable by the owner only. For example, 

 $ ls -l *.db
 -rw-------  1 wtchang wtchang 65536 May 15 22:16 cert8.db
 -rw-------  1 wtchang wtchang 32768 May 15 22:16 key3.db
 -rw-------  1 wtchang wtchang 32768 May 15 22:15 secmod.db

Access to Audit Data

The NSS module uses the audit mechanism provided by the operating system to audit events, so the NSS audit data are stored in the system audit log. The system audit log can only be read or modified by the root user.

On Red Hat Enterprise Linux 4, the system audit log is in the /var/log/audit directory. This directory and the log files in it have the following permission bits (the following commands were run as the root user; only the root user can run the second command): 

 # ls -ld /var/log/audit
 drwxr-x---  2 root root 4096 Jun  1 19:50 /var/log/audit
 # ls -l /var/log/audit
 total 13460
 -rw-r-----  1 root root 3248038 Jun  8 17:50 audit.log
 -r--r-----  1 root root 5242886 Jun  1 19:50 audit.log.1
 -r--r-----  1 root root 5242936 May 20 18:01 audit.log.2

Entry of Cryptographic Keys and CSPs

N/A. NSS does not support manual entry of cryptographic keys and CSPs.

Retrieved from "https://wiki.mozilla.org/index.php?title=FIPS_Operational_Environment&oldid=27475"