| Line 114: | Line 114: | ||
===Access to Audit Data=== | ===Access to Audit Data=== | ||
The NSS cryptographic module may use the Unix <code>syslog()</code> function and the audit mechanism provided by the operating system to audit events. Access to the audit data is described in the next two subsections. | The NSS cryptographic module may use the Unix <code>syslog()</code> function and the audit mechanism provided by the operating system to audit events. (Auditing is not yet implemented on Windows.) Auditing is turned off by default. To turn on the auditing capability, you need to set the environment variable NSS_ENABLE_AUDIT to 1. You also need to configure the operating system's audit mechanism. | ||
Access to the audit data is described in the next two subsections. | |||
====Access to syslog Log Files==== | ====Access to syslog Log Files==== | ||
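Review bot: the added sentence about NSS_ENABLE_AUDIT does not say in which process's environment the variable has to be set, and the variable name is plain text while <code>syslog()</code> in the same paragraph uses code markup. Suggest wrapping the name in <code> tags, stating where it must be set, and pointing "You also need to configure the operating system's audit mechanism" at the "Access to System Audit Log" subsection, where that configuration is described.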
| Line 138: | Line 140: | ||
====Access to System Audit Log==== | ====Access to System Audit Log==== | ||
To meet the audit requirements of FIPS 140-2 at Security Level 2, on Red Hat Enterprise Linux 4 and Trusted Solaris, the NSS cryptographic module | To meet the audit requirements of FIPS 140-2 at Security Level 2, on Red Hat Enterprise Linux 4 and Trusted Solaris, the NSS cryptographic module also uses the audit mechanism provided by the operating system to audit events. The audit data are stored in the system audit log. Only the root user can read or modify the system audit log. | ||
On Red Hat Enterprise Linux 4, the system audit log is in the <code>/var/log/audit</code> directory. This directory and the log files in it have the following permission bits (the following commands were run as the root user; only the root user can run the second command): | On Red Hat Enterprise Linux 4, the system audit log is in the <code>/var/log/audit</code> directory. This directory and the log files in it have the following permission bits (the following commands were run as the root user; only the root user can run the second command): | ||
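Review bot: the rewritten first paragraph says the module "also uses the audit mechanism provided by the operating system" without condition, while the "Access to Audit Data" paragraph now says auditing is turned off by default and needs NSS_ENABLE_AUDIT set to 1. Suggest qualifying this sentence with "when auditing is enabled". The added "Only the root user can read or modify the system audit log" should also be reconciled with the Trusted Solaris note further down, which has a role with the proc_audit_app1 and proc_audit_tcb privileges reading the audit trail with praudit.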
| Line 153: | Line 155: | ||
'''Configure the Solaris Auditing:''' | '''Configure the Solaris Auditing:''' | ||
To configure the | To configure the system audit mechanism on Solaris the following administration tasks need to be completed. Create the audit class 'fp', then create the audit event 'AUE_FIPS_AUDIT ' and add the class 'fp' to the audit_control file. | ||
Edit /etc/security/audit_class | Edit /etc/security/audit_class | ||
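Review bot: the event name in the new sentence is quoted as 'AUE_FIPS_AUDIT ' with a trailing space inside the quotes, which a reader copying it into the audit configuration could carry along. Suggest removing the space, and naming the file that the audit event is added to in the same way the sentence names audit_control for the class, with both file names in <code> markup.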
| Line 170: | Line 172: | ||
On Trusted Solaris 8, auditing is enabled by default; for non-trusted Solaris run: /etc/security/bsmconv (either as root or a user that has been given the Audit Control RBAC profile in Solaris 8) | On Trusted Solaris 8, auditing is enabled by default; for non-trusted Solaris run: /etc/security/bsmconv (either as root or a user that has been given the Audit Control RBAC profile in Solaris 8) | ||
reboot your system. | and reboot your system. | ||
After the system has rebooted, ensure auditd is running: ps -ecf | grep auditd | After the system has rebooted, ensure auditd is running: ps -ecf | grep auditd | ||
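Review bot: with "and reboot your system." now attached to the bsmconv sentence, the parenthetical about who may run bsmconv sits between the command and the reboot, and the command itself is still inline prose. Suggest putting /etc/security/bsmconv on its own line in <code> markup and making the reboot a separate step. The check that follows, ps -ecf | grep auditd, can also match the grep process itself, so a pattern such as grep '[a]uditd' would make the verification reliable.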
| Line 182: | Line 184: | ||
Note: On Trusted Solaris 8 you need to assume a role with the tail and praudit commands with the proc_audit_app1 and proc_audit_tcb privileges. | Note: On Trusted Solaris 8 you need to assume a role with the tail and praudit commands with the proc_audit_app1 and proc_audit_tcb privileges. | ||
You can also view the existing audit files using auditreduce | You can also view the existing audit files using auditreduce. | ||
#cd /var/audit | #cd /var/audit | ||
#auditreduce -m 34444 *not_terminated* | praudit -l | #auditreduce -m 34444 *not_terminated* | praudit -l | ||
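Review bot: the auditreduce example selects with -m 34444, but nothing in the lines shown says that 34444 is the event number assigned to AUE_FIPS_AUDIT. Suggest stating that mapping next to the command so the reader can see that the filter matches the event configured earlier. The *not_terminated* glob also depends on the preceding cd /var/audit, so the two commands should be presented as one step.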