Follow these guidelines regarding operating system security:
There should be a single user identity that runs the KVStore software.
The KVStore user should be in its own group, independent of other users.
JE log files, audit log files, and password stores should have mode 0600 on Linux/UNIX platforms with equivalent settings for Windows systems. The simplest way to achieve this on Linux/UNIX is to set an umask of 0077.
Security configuration files must be write-protected.
The KVROOT directory and the security directory must be protected from modification by other users. On UNIX/Linux this should include having the sticky bit (01000) set in order to prevent renaming and deletion of files/directories.
Access to the systems that are running KVStore should be limited in order to avoid the risk of tampering.
Access protections do not guard against users who have sufficiently elevated access rights (for example, the UNIX root user).
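The ownership, file-mode and sticky-bit guidelines above can be checked with a short POSIX shell audit. This is an added example, not part of the KVStore software or its documentation; the function name, the finding labels, the script name and the paths passed in are assumptions. It treats every regular file under the given directories as sensitive, which is what a umask of 0077 produces.

```shell
#!/bin/sh
# Added example, not part of the original documentation.
# Assumptions: the caller supplies the KVStore account (name or numeric uid)
# and the paths of the KVROOT and security directories. Every regular file
# below them is treated as sensitive, matching a umask of 0077.

# Usage: audit_kvstore_dirs OWNER DIR...
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_kvstore_dirs() {
    owner=$1
    shift
    findings=$(
        for dir in "$@"; do
            [ -d "$dir" ] || { echo "NOT_A_DIRECTORY $dir"; continue; }
            # The directory itself must carry the sticky bit (01000).
            find "$dir" -prune ! -perm -1000 -exec echo NO_STICKY_BIT {} \;
            # The directory itself must not be writable by group or others.
            find "$dir" -prune \( -perm -020 -o -perm -002 \) \
                -exec echo DIR_WRITABLE_BY_OTHERS {} \;
            # Everything in the tree belongs to the single KVStore identity.
            # A failing find is reported so the audit never passes by accident.
            find "$dir" ! -user "$owner" -exec echo WRONG_OWNER {} \; ||
                echo "AUDIT_ERROR $dir"
            # Any group/other permission bit makes a file looser than 0600.
            find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) \
                -exec echo FILE_LOOSER_THAN_0600 {} \; || echo "AUDIT_ERROR $dir"
        done | sort -u   # nested directories would otherwise report twice
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Command-line use (hypothetical script name):
#   sh audit_kvstore.sh OWNER KVROOT SECURITY_DIR
if [ "$#" -ge 2 ]; then
    audit_kvstore_dirs "$@"
fi
```

The audit reads mode bits only, so it says nothing about accounts with elevated rights such as root.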