Canmove, confirm
937
edits
Changes
→Configuring Discretionary Access Control
==Configuring Discretionary Access Control==
On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created. After the files are created, the file mode bits can be changed with the <code>chmod</code> utility.
Below we describe how to set the file mode bits to specify the set of roles that can access each component of the NSS module.
===Access to Stored Cryptographic Software and Cryptographic Programs===
When installing the NSS library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the NSS library files to '''0755'''so that all users can execute the NSS library files, but only the files' owner can modify (i.e., making them readablewrite, writablereplace, and executable by delete) the owner; and readable and executable by everyonefiles. For example,
$ chmod 0755 libsoftokn3.so libfreebl3.so
$ ls -l libsoftokn3.so libfreebl3.so
-rwxr-xr-x 1 wtchang wtchang 455411 Jun 8 17:07 libfreebl3.so
The NSS module uses the audit mechanism provided by the operating system to audit events, so the NSS audit data are stored in the system audit log. The system audit log can only be read or modified by the root user.
On Red Hat Enterprise Linux 4, the system audit log is in the <code>/var/log/audit</code> directory. This directory and the log files in it have the following permission bits (the following commands were run as the root user; only the root user can run the second command):
# ls -ld /var/log/audit
drwxr-x--- 2 root root 4096 Jun 1 19:50 /var/log/audit
# ls -l /var/log/audit
total 13460
-rw-r----- 1 root root 3248038 Jun 8 17:50 audit.log
-r--r----- 1 root root 5242886 Jun 1 19:50 audit.log.1
-r--r----- 1 root root 5242936 May 20 18:01 audit.log.2
===Entry of Cryptographic Keys and CSPs===
'''N/A'''. NSS does not support manual entry of cryptographic keys and CSPs.
