Glossary

A set of sensitivity labels that are approved for a class of users or resources. A set of valid labels. See also system accreditation range and user accreditation range.

A role that gives required authorizations, privileged commands, privileged actions, and the Trusted Path security attribute to allow the role to perform administrative tasks. Roles perform a subset of Solaris superuser's capabilities, such as backup or auditing.

A mechanism by which access to a device is controlled. See device allocation.

In CDE, the search path is used by the system to find applications and certain configuration information. The application search path is controlled by a trusted role.

A right granted to a user or role to perform an action that would otherwise not be allowed by security policy. Authorizations are granted in rights profiles. Certain commands require the user to have certain authorizations to succeed. For example, to print a PostScript file requires the Print Postscript authorization.

See Common Desktop Environment.

Common IP Security Option. CIPSO is the label standard that Trusted Extensions implements.

The upper limit of the set of labels at which a user can work. The lower limit is the minimum label that is assigned by the security administrator. A clearance can be one of two types, a session clearance or a user clearance.

A system connected to a network.

A network of systems that are configured with Trusted Extensions. The network is cut off from any non-Trusted Extensions host. The cutoff can be physical, where no wire extends past the Trusted Extensions network. The cutoff can be in the software, where the Trusted Extensions hosts recognize only Trusted Extensions hosts. Data entry from outside the network is restricted to peripherals attached to Trusted Extensions hosts. Contrast with open network.

The historical windowing environment for administering Trusted Extensions software. Trusted Extensions modifies the environment to create Trusted CDE. The Sun Java^TM Desktop System is also modified to create a Trusted JDS.

An optional setup file on a multilabel system. This file contains a list of startup files, such as .cshrc or .mozilla, that the user environment or user applications require in order for the system or application to behave well. The files that are listed in .copy_files are then copied to the user's home directory at higher labels, when those directories are created. See also .link_files file.

See discretionary access control.

Devices include printers, computers, tape drives, floppy drives, CD-ROM drives, DVD drives, audio devices, and internal pseudo terminal devices. Devices are subject to the read equal write equal MAC policy. Access to removable devices, such as DVD drives, are controlled bydevice allocation.

A mechanism for protecting the information on an allocatable device from access by anybody except the user who allocates the device. Until a device is deallocated, no one but the user who allocated a device can access any information that is associated with the device. For a user to allocate a device, that user must have been granted the Device Allocation authorization by the security administrator.

The type of access that is granted or that is denied by the owner of a file or directory at the discretion of the owner. Solaris Trusted Extensions provides two kinds of discretionary access controls (DAC), UNIX permission bits and ACLs.

A part of the Internet naming hierarchy. It represents a group of systems on a local network that share administrative files.

The identification of a group of systems on a local network. A domain name consists of a sequence of component names separated by periods (for example: example1.town.state.country.org). As you read a domain name from left to right, the component names identify more general, and usually remote, areas of administrative authority.

One or more Trusted Extensions hosts that are running in a configuration that has been certified as meeting specific criteria by a certification authority. In the United States, those criteria are the TCSEC. The evaluating and certifying body is the NSA. Solaris Trusted Extensions software will be certified to the Common Criteria v2.1 [August 1999], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles.

The Common Criteria v2 (CCv2) and protection profiles make the earlier TCSEC U.S. standard obsolete through level B1+. A mutual recognition agreement for CCv2 has been signed by the United States, the United Kingdom, Canada, Denmark, the Netherlands, Germany, and France.

The Trusted Extensions configuration target provides functionality that is similar to the TCSEC C2 and B1 levels, with some additional functionality.

A collection of files and directories that, when set into a logical hierarchy, make up an organized, structured set of information. File systems can be mounted from your local system or a remote system.

Government Furnished Information. In this manual, it refers to a U.S. government-provided label_encodings file. In order to use a GFI with Trusted Extensions software, you must add the Sun-specific LOCAL DEFINITIONS section to the end of the GFI. For details, see Chapter 5, Customizing LOCAL DEFINITIONS, in Solaris Trusted Extensions Label Administration.

The name by which a system is known to other systems on a network. This name must be unique among all the systems within a given domain. Usually, a domain identifies a single organization. A host name can be any combination of letters, numbers, and minus sign (−), but it cannot begin or end with a minus sign.

The minimum label assigned to a user or role, and the label of the user's initial workspace. The initial label is the lowest label at which the user or role can work.

A team of at least two people who together oversee the installation and configuration of Solaris Trusted Extensions software. One team member is responsible for security decisions, and the other for system administration decisions.

Internet protocol address. A unique number that identifies a networked system so it can communicate by means of Internet protocols. In IPv4, the address consists of four numbers separated by periods. Most often, each part of the IP address is a number between 0 and 225. However, the first number must be less than 224 and the last number cannot be 0.

IP addresses are logically divided into two parts: the network, and the system on the network. The network number is similar to a telephone area code. In relation to the network, the system number is similar to a phone number.

A security identifier that is assigned to an object. The label is based on the level at which the information in that object should be protected. Depending on how the security administrator has configured the user, a user can see the sensitivity label, or no labels at all. Labels are defined in the label_encodings file.

A Trusted Extensions installation choice of single-label or multilabel sensitivity labels. In most circumstances, label configuration is identical on all systems at your site.

The file where the complete sensitivity label is defined, as are accreditation ranges, label view, default label visibility, default user clearance, and other aspects of labels.

A set of sensitivity labels that are assigned to commands, zones, and allocatable devices. The range is specified by designating a maximum label and a minimum label. For commands, the minimum and maximum labels limit the labels at which the command can be executed. Remote hosts that do not recognize labels are assigned a single sensitivity label, as are any other hosts that the security administrator wants to restrict to a single label. A label range limits the labels at which devices can be allocated and restrict the labels at which information can be stored or processed when using the device.

See security label set.

A labeled host sends network packets that are labeled with CIPSO labels. All Trusted Extensions hosts are labeled hosts.

An optional setup file on a multilabel system. This file contains a list of startup files, such as .cshrc or .mozilla, that the user environment or user applications require in order for the system or application to behave well. The files that are listed in .link_files are then linked to the user's home directory at higher labels, when those directories are created. See also .copy_files file.

See mandatory access control.

Access control that is based on comparing the sensitivity label of a file, directory, or device to the sensitivity label of the process that is trying to access it. The MAC rule, read equal–read down, applies when a process at one label attempts to read a file at a lower label. The MAC rule, write equal-read down, applies when a process at one label attempts to write to a directory at another label.

The lower bound of a user's sensitivity labels and the lower bound of the system's sensitivity labels. The minimum label set by the security administrator when specifying a user's security attributes is the sensitivity label of the user's first workspace at first login. The sensitivity label that is specified in the minimum label field by the security administrator in the label_encodings file sets the lower bound for the system.

A distributed network database that contains key system information about all the systems on a network, so that the systems can communicate with each other. With a naming service, the system information can be maintained, managed, and accessed on a network-wide basis. Sun supports the LDAP naming service. Without such a service, each system has to maintain its own copy of the system information in the local /etc files.

A group of systems that are connected through hardware and software, sometimes referred to as a local area network (LAN). One or more servers are usually needed when systems are networked.

Computers that are not connected to a network or do not rely on other hosts.

A network of Solaris Trusted Extensions hosts that is connected physically to other networks and that uses Trusted Extensions software to communicate with non-Trusted Extensions hosts. Contrast with closed network.

When software that has been proved to be able satisfy the criteria for an evaluated configuration, is configured with settings that do not satisfy security criteria, the software is described as being outside the evaluated configuration.

A type of discretionary access control in which the owner specifies a set of bits to signify who can read, write, or execute a file or directory. Three different sets of permissions are assigned to each file or directory: one set for the owner, one set for the owner's group, and one set for all others.

The person who is entrusted to create new rights profiles for the organization, and to fix machine difficulties that are beyond the power of the security administrator and system administrator combined. This role should be assumed rarely. After initial security configuration, more secure sites can choose not to create this role, and not to assign any role the Primary Administrator profile.

Powers that are granted to a process that is executing a command. The full set of privileges describes the full capabilities of the system, from basic capabilities to administrative capabilities. Privileges that bypass security policy, such as setting the clock on a system, can be granted by a site's security administrator.

An action that executes a command on behalf of the user who invokes the command. A process receives a number of security attributes from the user, including the user ID (UID), the group ID (GID), the supplementary group list, and the user's audit ID (AUID). Security attributes received by a process include any privileges that are available to the command being executed and the sensitivity label of the current workspace.

A special shell that recognizes privileges. A profile shell typically limits users to fewer commands, but can allow these commands to run with privilege. The profile shell is the default shell of a trusted role.

A different system than the local system. A remote host can be an unlabeled host or a labeled host.

A bundling mechanism for commands and CDE actions and for the security attributes that are assigned to these executables. Rights profiles allow Solaris administrators to control who can execute which commands and to control the attributes these commands have when they are executed. When a user logs in, all rights assigned to that user are in effect, and the user has access to all the commands, CDE actions, and authorizations assigned in all of that user's rights profiles.

A role is like a user, except that a role cannot log in. Typically, a role is used to assign administrative capabilities. Roles are limited to a particular set of commands and CDE actions. See administrative role.

In an organization where sensitive information must be protected, the person or persons who define and enforce the site's security policy. These persons are cleared to access all information that is being processed at the site. In software, the Security Administrator administrative role is assigned to one or more individuals who have the proper clearance. These administrators configure the security attributes of all users and hosts so that the software enforces the site's security policy. In contrast, see system administrator.

An attribute that is used to enforce Trusted Extensions security policy. Various sets of security attributes are assigned to processes, users, zones, hosts, allocatable devices, and other objects.

Specifies a discrete set of security labels for a tnrhtp database entry. Hosts that are assigned to a template with a security label set can send and receive packets that match any one of the labels in the label set.

On a Trusted Extensions host, the set of DAC, MAC, and labeling rules that define how information can be accessed. At a customer site, the set of rules that define the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.

A security label that is assigned to an object or a process. The label is used to limit access according to the security level of the data that is contained.

A Java-based administrative GUI that contains toolboxes of administrative programs. In Trusted CDE, this GUI can be launched from the Application Manager. Most system, network, and user administration is done by using the Console toolboxes.

Generic name for a computer. After installation, a system on a network is often referred to as a host.

The set of all valid labels that are created according to the rules that the security administrator defines in the label_encodings file, plus the two administrative labels that are used on every system that is configured with Trusted Extensions. The administrative labels are ADMIN_LOW and ADMIN_HIGH.

In Trusted Extensions, the trusted role assigned to the user or users who are responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. In contrast, see security administrator.

The trusted network remote host database. This database assigns a set of label characteristics to a remote host. The database is accessible either as a file in /etc/security/tsol/tnrhdb or from the LDAP server.

The trusted network remote host template. This database defines the set of label characteristics that a remote host can be assigned. The database is accessible either as a file in /etc/security/tsol/tnrhtp, or from the LDAP server.

A collection of programs in the Solaris Management Console. On a Trusted Extensions host, administrators use Policy=TSOL toolboxes. Each toolbox has programs that are usable in the scope of the toolbox. For example, the Trusted Network Zones tool, which handles the system's tnzonecfg database, exists only in the Files toolbox, because its scope is always local. The User Accounts program exists in all toolboxes. To create a local user, the administrator uses the Files toolbox, and to create a network user, the administrator uses the LDAP toolbox.

tnrhtp, the trusted network remote host template and tnrhdb, the trusted network remote host database together define the remote hosts that a Trusted Extensions system can communicate with.

See administrative role.

A region that cannot be spoofed. In Trusted CDE, the trusted stripe is at the bottom of the screen, and in Trusted JDS the stripe can be at the top. The stripe provides visual feedback about the state of the window system: a trusted path indicator and window sensitivity label. When sensitivity labels are configured to not be viewable for a user, the trusted stripe is reduced to an icon that displays only the trusted path indicator.

The /usr/sbin/txzonemgr script provides a simple GUI for managing labeled zones. The script provides contextual menus with appropriate choices. txzonemgr is run by root in the global zone.

A system that sends unlabeled network packets, such as a system that is running the Solaris OS.

The set of all possible labels at which a regular user can work on the system. The site's security administrator specifies the range in the label_encodings file file. The rules for well-formed labels that define the system accreditation range are additionally restricted by the values in the ACCREDITATION RANGE section of the file: the upper bound, the lower bound, the combination constraints and other restrictions.

The clearance assigned by the security administrator that sets the upper bound of the set of labels at which a user can work at any time. The user can decide to accept the default, or can further restrict that clearance during any particular login session.