Guidelines for Operating System Security
Follow these guidelines regarding operating system security:
-
There should be a single user identity that runs the KVStore software.
-
The KVStore user should be in its own group, independent of other users.
-
JE log files, audit log files, and password stores should have mode 0600 on Linux/UNIX platforms with equivalent settings for Windows systems. The simplest way to achieve this on Linux/UNIX is to set an umask of 0077.
-
Security configuration files must be write-protected.
-
The KVROOT directory and the security directory must be protected from modification by other users. On UNIX/Linux this should include having the sticky bit (01000) set in order to prevent renaming and deletion of files/directories.
-
Access to the systems that are running KVStore should be limited in order to avoid the risk of tampering.
Note:
Access protections do not guard against users who have sufficiently elevated access rights (for example, the UNIX root user).