Site security policy is the security policy that an organization sets up to protect its proprietary information. With Trusted Extensions software, labels and mandatory access control (MAC) can be part of this policy. Labels implement a set of rules that is a part of system security policy. System security policy is the set of rules that is enforced by system software to protect information that is being processed on the system. The term security policy can refer to policy or to implementation of the policy.
All systems that are configured with Trusted Extensions have labels. Labels are specified in a label_encodings file. For a description of the file, see the label_encodings(4) man page. For descriptions of the encodings files that are delivered with Solaris Trusted Extensions packages, see Sources for Encodings Files.
Trusted Extensions installs a default version of the label_encodings file. The default version supplies several commercial labels. This version can sometimes be used in non-production environments for learning purposes. A site can also customize one of the label encodings files that are delivered with the Solaris Trusted Extensions packages. For an example of a site-specific file, see Appendix A, Sample Label Encodings File.
Every computer in the Trusted Extensions network needs its own copy of the site's label_encodings file. For interoperability, the label_encodings file on every computer in the network should be compatible. At the very least, each computer should recognize the labels on every other computer in the network.
Certain types of labels must be defined. The security administrator specifies the numeric values and the bits that make up the internal representation of labels. Users and roles see the textual representation of labels. The labeling software translates between the internal form and the textual form of labels. The label_encodings file provides the rules for translating the internal representation of labels to their textual strings. The textual strings can be visible on the desktop. The internal representation is recorded in the audit trail and is interpreted by the praudit command.
The security administrator is the person who defines and plans the implementation of an organization's security policy. The security administrator establishes information-protection procedures, makes sure computer users and administrators are properly trained, and monitors compliance.
The Security Administrator role is created in the software. The role is assigned to one or more administrators who fully understand Trusted Extensions administration. These administrators are cleared to view and to protect the highest level of information that is processed by Trusted Extensions. One of the responsibilities of the security administrator is to create the site's label_encodings file to replace the version that Trusted Extensions installs. The administrator can also decide whether labels are visible on the desktop. Even when labels are not visible, objects and processes on the system are labeled, and MAC is enforced.
Trusted Extensions provides the Security Administrator role with the tools and capabilities to put the organization's security policy into effect. To assume the role, you first log in as an ordinary user, then assume the role. At your site, the security administrator who defines the site's security policy might or might not be the same person who implements the policy.