Follow these guidelines regarding operating system security:

• There should be a single user identity that runs the KVStore software.

• The data store user should be in its own group, independent of other users.

• JE log files, audit log files, and password stores should have mode 0600 on Linux/UNIX platforms with equivalent settings for Windows systems. The simplest way to achieve this on Linux/UNIX is to set an umask of 0077.

• Security configuration files must be write-protected.

• The $KVROOT directory and the security directory must be protected from modification by other users. On UNIX/Linux this should include having the sticky bit (01000) set in order to prevent renaming and deletion of files/directories.

• Access to the systems that are running the data store should be limited in order to avoid the risk of tampering.

  Note:

  Access protections do not guard against users who have sufficiently elevated access rights (for example, the UNIX root user).