==Configuring Discretionary Access Control==
On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files.
Below we describe how to set the file mode bits to specify the set of roles that can access each component of the NSS module.
===Access to Stored Cryptographic Software and Cryptographic Programs===
When installing the NSS library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the NSS library files to '''0755''' so that all users can read and execute the NSS library files, but only the files' owner can modify (i.e., write, replace, and delete) the files. Note that replacing or deleting a file is governed by the write bit of the directory that contains it, not by the file's own mode bits, so the directory holding the NSS library files must likewise not be writable by group or other. For example,
 $ chmod 0755 libsoftokn3.so libfreebl3.so
The file mode bits can be verified with the <code>ls</code> utility. For example,
 $ ls -l libsoftokn3.so libfreebl3.so
 -rwxr-xr-x 1 wtchang wtchang 455411 Jun 8 17:07 libfreebl3.so
The NSS module uses the audit mechanism provided by the operating system to audit events, so the NSS audit data are stored in the system audit log. The system audit log can only be read or modified by the root user.
On Red Hat Enterprise Linux 4, the system audit log is in the <code>/var/log/audit</code> directory. The directory and the log files in it have the following permission bits (the commands below were run as the root user; because the directory is not readable by other users, only the root user can run the second command):
 # ls -ld /var/log/audit
 drwxr-x--- 2 root root 4096 Jun 1 19:50 /var/log/audit
 # ls -l /var/log/audit
 total 13460
 -rw-r----- 1 root root 3248038 Jun 8 17:50 audit.log
 -r--r----- 1 root root 5242886 Jun 1 19:50 audit.log.1
 -r--r----- 1 root root 5242936 May 20 18:01 audit.log.2
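The following POSIX shell functions are an added example, not part of the security policy or of NSS itself. They apply the '''0755''' setting from the library installation step above and then verify, rather than eyeball with <code>ls</code>, that the library files, the directory that holds them, and the audit log directory have the permission bits the two passages above call for. They assume GNU coreutils (<code>stat -c</code>; on macOS use <code>stat -f '%Lp'</code> and <code>'%Su'</code> instead); the install paths in the trailing usage comment are assumptions.

```shell
#!/bin/sh
# Added example: apply and check the file mode bits described in the policy.
# Not part of the NSS security policy or of NSS itself.
# Assumes GNU coreutils (stat -c); on macOS use stat -f '%Lp' / '%Su' instead.

# mode_of PATH   -> prints the octal mode bits of PATH, e.g. 755
mode_of() { stat -c '%a' "$1"; }

# owner_of PATH  -> prints the user name that owns PATH
owner_of() { stat -c '%U' "$1"; }

# check_mode PATH MODE [OWNER]
#   0 if PATH has exactly mode MODE (octal, e.g. 755) and, when OWNER is
#   given, is owned by OWNER; otherwise reports the mismatch and returns 1.
check_mode() {
    path=$1; want=$2; want_owner=${3-}
    got=$(mode_of "$path") || return 2
    if [ "$got" != "$want" ]; then
        echo "$path: mode $got, want $want" >&2
        return 1
    fi
    if [ -n "$want_owner" ] && [ "$(owner_of "$path")" != "$want_owner" ]; then
        echo "$path: owner $(owner_of "$path"), want $want_owner" >&2
        return 1
    fi
    return 0
}

# check_not_writable_by_others PATH
#   0 if neither the group nor the "other" write bit is set on PATH.  This is
#   the property the 0755 requirement exists for: only the owner may modify.
check_not_writable_by_others() {
    sym=$(stat -c '%A' "$1") || return 2      # e.g. -rwxr-xr-x
    case "$sym" in
        ?????w*|????????w?) echo "$1: writable by group or other ($sym)" >&2; return 1 ;;
    esac
    return 0
}

# install_nss_libs DIR LIB...
#   The policy's installation step: chmod 0755 on each library file.  The
#   directory gets 0755 too, because replacing or deleting a file is governed
#   by the write bit of its directory, not by the file's own mode bits.
install_nss_libs() {
    dir=$1; shift
    chmod 0755 "$dir" || return 1
    for lib in "$@"; do chmod 0755 "$dir/$lib" || return 1; done
}

# verify_nss_libs DIR LIB...  -> 0 if DIR and every LIB in it are mode 0755
verify_nss_libs() {
    dir=$1; shift
    rc=0
    check_mode "$dir" 755 || rc=1
    for lib in "$@"; do check_mode "$dir/$lib" 755 || rc=1; done
    return $rc
}

# verify_audit_log DIR [OWNER]
#   The audit-log layout shown for RHEL 4: directory 0750, current log 0640,
#   rotated logs 0440, all owned by OWNER (root on a real system; the second
#   argument exists so the check can be exercised on a constructed directory).
verify_audit_log() {
    dir=$1; log_owner=${2:-root}
    rc=0
    check_mode "$dir" 750 "$log_owner" || rc=1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f") || { rc=1; continue; }
        case "$m" in 640|440) ;; *) echo "$f: mode $m, want 640 or 440" >&2; rc=1 ;; esac
        [ "$(owner_of "$f")" = "$log_owner" ] || { echo "$f: not owned by $log_owner" >&2; rc=1; }
    done
    return $rc
}

# Usage on a real system (install path assumed):
#   install_nss_libs /usr/lib libsoftokn3.so libfreebl3.so
#   verify_nss_libs  /usr/lib libsoftokn3.so libfreebl3.so && verify_audit_log /var/log/audit
```

<code>check_mode</code> deliberately demands an exact mode rather than a minimum, since a setuid or group-writable bit on a shared library is exactly the kind of drift a FIPS operator wants flagged; <code>check_not_writable_by_others</code> is the looser test for the one property the policy's justification actually rests on.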
===Entry of Cryptographic Keys and CSPs===
'''N/A'''. NSS does not support manual entry of cryptographic keys and CSPs.