Chapter 4 Elements of the Trusted Solaris Environment

After you have successfully completed the login process, you can work within the Trusted Solaris environment, subject to the restrictions of your clearance, authorizations, and your choice of a single-level or multilevel session. This chapter explains the key elements in the Trusted Solaris environment. The chapter discusses these topics:

• "Basic Trusted Solaris Environment"

• "Label Displays in the Trusted Solaris Environment"

• "Trusted Stripe"

• "Front Panel"

• "Trusted Path Menu"

• "Other Trusted Solaris Environment Features"

Basic Trusted Solaris Environment

There are four major differences between the Trusted Solaris environment (see figure below) and the standard Solaris environment:

Figure 4-1 Basic Trusted Solaris Environment

• Label displays - All windows, workspaces, files, and applications have a label (which may be visible or hidden) associated with them. The graphical interface provides stripes and other indicators for viewing an entity's labels.

• Trusted stripe - A special graphical security mechanism called the trusted stripe is always displayed at the bottom of the screen.

• Limited access to applications from Front Panel - The Front Panel provides access to only those applications permitted in your user account.

• Trusted Path menu - The switch area in the Front Panel lets you access the Trusted Path popup menu for performing security-related tasks.

Label Displays in the Trusted Solaris Environment

As discussed in "Mandatory Access Control", all applications and files in the Trusted Solaris environment have labels (which may be hidden or visible) associated with them. The Trusted Solaris environment displays these labels in:

• window label stripes - above the window title bar

• window icon label stripes - under the minimized window

• the trusted stripe - in the Window Label indicator

• Query window label indicator - Trusted Path menu operation that displays the label of the window or icon specified by the pointer location

The following figure shows how labels display in an environment configured to display labels. It also shows the pointer and indicator when you select Query Window. (Labels appear inside square brackets ([]) .)

Figure 4-2 Window Labels in the Trusted Solaris Environment

A site can also be configured to hide labels, as shown in the following figure.

Figure 4-3 Trusted Stripe with Labels Suppressed

Trusted Stripe

The trusted stripe appears in a reserved area at the bottom of the screen in all Trusted Solaris sessions. Its purpose is (1) to give you a visual confirmation that you are in a legitimate Trusted Solaris session, (2) to let you know when you are interacting with the trusted computing base, and (3) to indicate the labels of your current workspace and window. The trusted stripe cannot be moved or obscured by other windows or dialog boxes. There are potentially two elements of the trusted stripe (depending on your site configuration):

• The trusted path symbol is required.

• The Window Label is optional.

Trusted Path Symbol

Whenever you access any portion of the trusted computing base, the trusted path symbol appears at the left of the trusted stripe area. (If your configuration suppresses labels, then the trusted path symbol appears with the trusted stripe to the left of the Front Panel as shown in the previous figure.) The trusted path symbol is not displayed when the pointer is focused in a window or area of the screen that does not affect security. The trusted path symbol cannot be forged; if you see it, you can be sure that you are safely interacting with the trusted computing base.

---

Caution -

If the trusted stripe is missing from your window environment (other than when you lock your screen) or if the trusted path symbol is missing when you are attempting a security-related action, notify your Trusted Solaris administrator at once; there is a serious problem with your system. If the trusted stripe is visible when you lock your screen, this may be a problem as well.

---

Window Label Indicator

The Window Label indicator displays the label of the active window (that is the window that has the pointer focus). If you are working at one label at a time, this may be stating the obvious. However, in a multilevel session, it is possible to have windows with different labels in the same workspace. For an example, see "Tour: Occupying Workspaces with Applications at Different Labels".

Front Panel

The Trusted Solaris front panel is very similar to the one used in standard CDE. It is more limited in that it provides access to only those applications, files, and utilities permitted that you are allowed to use. The major operational difference is that clicking the right mouse button anywhere in the workspace switch area causes a special pop-up menu called the Trusted Path (TP) menu to be displayed. Another difference is that before you can access a device through the Removable Media Manager, that device must be allocated using the Device Allocation Manager. The Device Allocation Manager is accessed from the Tools subpanel, which is above the Style Manager icon in the Front Panel.

If you minimize the front panel, you can restore it by clicking anywhere in the Trusted Stripe, double-clicking the minimized front panel icon, or selecting Minimize/Restore Front Panel from the Workspace menu.

In the Trusted Solaris environment, Install Icon dropsites are limited to applications and files permitted in your user account and subject to any limitations on the particular application. For example, an application may not be operational below a set label.

Workspace Switch Area

In the Trusted Solaris environment, the workspace buttons not only define separate workspaces but let you work at different labels if you are conducting a multilevel session (in a single-level session, you can only operate at one label). When you begin a multilevel session, each workspace is set to the lowest label assigned to you. If your administrator has color-coded workspace buttons by classification, the workspace buttons will appear in the appropriate color.

To change to a workspace at a different label, you click the right mouse button over the workspace button and select Change Workspace Label. This causes a label builder to be displayed in which you enter the new label. You can then click the workspace button to work at the new label. Note that the Occupy Workspace and Occupy All Workspaces selections in the window menus let you display windows with different labels in the same workspace.

Clock

The clock works exactly the same as in the standard CDE environment. In the Trusted Solaris environment, however, only an administrator can change the date and time for your workstation.

Calendar

The calendar shows the appointments for you at the label of your current workspace only. To view appointments at a different label, you need to change to a workspace at that label if you are in a multilevel session or log out and back in if you are in a single-level session.

File Manager

In the Trusted Solaris environment, the File Manager has certain limitations on the files (and folders) that it can display. The File Manager displays files at the label of the current workspace. To operate on (or view) files at more than one label at a time, you run the File Manager from workspaces at different labels and then use the Occupy Workspace command to display the different File Managers in the same workspace.

The File Manager lets you change a file or folder's basic permissions, access control list (ACL), and information. You can also move, copy, or link files between File Managers at different labels. For more information on the File Manager and its capabilities, see Chapter 5, Managing Files and Directories.

You can view (but not write to) files and directories that are not at your current workspace label by specifying a pathname with adornments, as in /.MLD.myHomeDir/.SLD.0. However, you can only write to files and directories dominated by your current workspace label.

Text Editor

The Text Editor can edit files at the label of the current workspace only. If you need to move data from a Text Editor to a file at a different label, you change a workspace label, open the Text Editor at the second label, and copy the text in one Text Editor and paste it in the other.

Personal Applications Subpanel

The default applications in the personal applications operate basically the same as in the standard CDE environment. The terminal icon launches the default shell assigned to you by your administrator. When you use a web browser, the label of the browser must be the same as the label of the web server.

Mailer

In the Trusted Solaris environment, all mail messages are assigned a label. The Mailer sorts incoming mail by label and role and displays separate mail notifier icons in its subpanel (see figure below). This feature lets you focus on mail at labels of interest to you and defer reading mail at other labels. The Mailer operates at one label at a time only. Clicking the Mailer icon in the Front Panel opens the Mailer at the label of the current workspace; clicking a Mailer icon with a label in the subpanel opens the Mailer at that label.

Figure 4-4 Mail Notifier Icons in the Mail Subpanel

When you send mail, the mail will go out at the label of the mail tool in which you compose the message. Only hosts and users that are cleared for that label will receive this mail.

If you need to use the vacation message option in the Mailer, you must explicitly enable vacation message replies for each label at which you typically receive mail. Check with your security administrator for your site's security policy for vacation messages.

The CDE Mailer is supplied by default. If you prefer a different mail application, contact your administrator to ensure that your preferred mail application is installed properly. Although you can install a different mail application by dropping its icon on the Install Icon dropsite in the subpanel, you will lose the notification-by-label feature.

Printer

The Print Manager in the Personal Printers subpanel displays icons for all printers accredited up to your clearance. However, you can use only those printers accredited to print documents at the label of the current workspace.

A typical print job in the Trusted Solaris environment includes:

• banner page at the beginning of the print job - identifying the print job, handling instructions and labels appropriate to the site

• labeled pages - with labels in the heading and footer

• trailer page at the end of the print job - signalling the end of the job

A typical banner page appears in the following figure. The words "JOB START" indicate the banner page.

Figure 4-5 Typical Print Banner Page

For the exact security information regarding printing at your site, please see your administrator.

Desktop Style Manager

The Desktop Style Manager operates in the same manner as in standard Solaris with two exceptions:

• The Screen Blanker and Screen Lock options are limited. Your administrator specifies the maximum amount of time that your system can be idle prior to being secured. You can reduce the idle time but cannot increase it above the maximum. You can still choose a pattern for when the screen is locked. See your administrator if you are not familiar with the policy at your site.

• The Startup control sets your startup session settings according to the label or clearance that you specify at login. Thus, you can have a different session defined for each label in your account label range.

Application Manager

The Application Manager provides access to only those applications and utilities that have been assigned to you by your administrator. If you can assume a role, you will have access to a different set of applications and capabilities. Remember that the ability of a function to operate on a file depends on the label of the current workspace.

Similarly, although you can add applications to the Personal Application submenu by dropping icons onto the Install Icon dropsite, you can only run them if your administrator has assigned these applications to you.

Trash Can

In the Trusted Solaris environment, the trash can stores files to be deleted by label. Although you can drop files at any label in the trash can, it displays files at the current label only. You cannot view files that are in the trash can at other labels. It is good practice to use the Shred selection from the File menu in the trash can window to delete sensitive information as soon as you put it in the trash can.

Trusted Path Menu

The Trusted Path (TP) menu can be accessed by holding down the right mouse button in the switch area of the Front Panel. The Trusted Path menu adds the following menu items in addition to the normal switch menu items:

• Change Workspace Label--changes the label of a workspace so that you can work at a different label (only displayed when the pointer is over a workspace button).

• Assume role Role--lets you assume a role assigned to your user account.

• Change Password--lets you change passwords in accordance with your site's security policy.

• Allocate Device--displays the Allocation Manager so that you can allocate a device for use.

• Query Window Label--lets you determine the label of the next window you click in.

• Shutdown--lets you reboot the system if you are permitted by your site's security policy.

Add Workspace

Add Workspace lets you add another button to the switch area for accessing another workspace. This operates similarly to the standard version of CDE, except that the new workspace button takes on the security characteristics of the workspace under the pointer or, if the pointer is not over a workspace button, the characteristics of your minimum label.

Delete

Delete lets you remove a workspace from the switch area just as in standard Solaris CDE. It is good practice to quit all applications in a workspace prior to closing it; otherwise these applications may continue to run invisibly or in a different workspace.

Rename

Rename lets you rename a workspace from the switch area just as in standard Solaris CDE. The text in the workspace button becomes editable and lets you enter a new name.

Change Workspace Label

Change Workspace Label lets you change the label of a workspace to any label between the minimum label assigned to you and your current session clearance (for multilabel sessions only). When you choose Change Workspace Label, a label builder dialog box is displayed. After you enter a new label, the label (and if implemented the color) of the workspace button changes. When you click on the workspace button, you enter a session at the new label.

Role Assumption Selections

Assume <site-specific> Role lets you change roles. Remember that a role is a special user account that gives you access to certain applications and the authorization(s) you need to run these applications. The administrator at your site assigns roles. If your account has not been assigned any roles, the assume role selections do not appear in the Trusted Path menu.

When you make a role assumption selection, a dialog box is displayed requesting the password for the role (see figure below). After successfully entering the password, a workspace button with the role name is displayed and you are shifted to this workspace. The role workspace provides you with the special set of applications, privileges, authorizations, and the UID assigned to this role. Remember that for auditing purposes your user account UID is attached to all transactions you make while in this role.

Figure 4-6 Role Password Dialog Box

Change Password

Change Password lets you change your password. Frequently changing passwords shortens the window of opportunity for intruders using illegally obtained passwords; thus, your site's policy may require you to change your password regularly. Your administrator has a number of options for changing your password:

• minimum number of days between changes - prevents you or anyone else from changing your password for a set number of days.

• maximum number of days between changes - requires you to change your password after a set number of days.

• maximum number of inactive days - locks your account after the set number of days of inactivity if the password has not been changed

• expiration date - requires you to change your password by a specific date

If your administrator has implemented one of the options requiring you to change your password, you should receive a message warning you to change your password prior to the cutoff date. You will be required to change your password by one of two methods, depending on your site's security policy

• Direct entry

• Choosing from a list of system-generated passwords

To Change Passwords by Direct Entry

1. Select Change Password from the Trusted Path menu.

   You access the Trusted Path menu by holding down the right mouse button while the pointer is over the switch area in the Front Panel.

2. Choose a new password.

   It must meet the following criteria:

   • The password must be 8 characters in length. (More than 8 characters can be entered but only the first 8 characters are significant.)

   • The password must contain at least two alphabetic characters and at least one numeric or special character.

   • The new password must differ from your previous password; you cannot use a reverse or circular shift of the previous password. (For this comparison, upper case letters and lower case letters are considered to be equal.)

   • The new password must have at least three characters different from the old. (For this comparison, upper case letters and lower case letters are considered to be equal.)

   • It should be difficult to guess. Do not use a common word or a proper name, as individuals attempting to break into an account occasionally use lists to try to guess users' passwords.

3. Type your old password in the Change Password dialog box and click OK.

   Figure 4-7 Change Password Dialog Box

   
   

   This confirms that you are the legitimate user associated with this user name. For the sake of security, the password is not displayed as you type it.

   ---

   Caution -

   When you enter your password, make sure that the cursor is over the Change Password dialog box and that the trusted path symbol is displayed. If the cursor is not over the dialog box, you can inadvertently type your password into a different window where it could be seen by another user. If the symbol is not displayed, then someone may be attempting to steal your password and you should notify your security administrator at once.

   ---

4. Type the new password in the Change Password Confirmation dialog box and click OK.

   Figure 4-8 Change Password Confirmation Dialog Box

   
   

5. Type the new password in the Change Password Reconfirmation dialog box and click OK.

   Figure 4-9 Change Password Reconfirmation Dialog Box

   
   

   This step confirms your choice.

6. Click the OK button in the dialog box (not shown) that notifies you that the change has been made.

To Change Passwords by Choosing from a List

Your administrator has the option to require users to select new passwords from lists of system-generated passwords. Trusted Solaris 8 generates passwords that are pronounceable but difficult for intruders to guess.

1. Select Change Password from the Trusted Path menu.

   A dialog box requesting your current password is displayed (see Figure 4-7). After you enter your password and click OK, a dialog box similar to the one shown below is displayed (if your system is configured for system-generated entry). The Password Generator dialog box provides you with a choice of five unique system-generated passwords. The pronunciation mnemonic shown in parentheses to the right of each password divides the password into syllables to make it easier to remember.

   Figure 4-10 Password Generator Dialog Box

   
   

2. Read the five password choices.

   1. If you want to use one of these choices, enter it in the confirmation field and press Enter or click OK.

      This step establishes your choice.

   2. If you want to select from a different set of choices, leave the confirmation field blank and press Enter or click OK.

      This step causes five new selections to be displayed. If one of these selections is suitable, enter that choice and press Return or click OK; otherwise repeat this step to get five new selections.

3. After you are prompted for the password again, re-enter your choice in the confirmation field and press Enter or click OK.

   This step confirms the spelling of your choice and gives you practice at entering it. It closes the dialog box.

To Choose a Password from a List at the Command Line

A command line version of the password generator is provided as an alternative to the Password Generator Dialog Box. Note that this version is available to users in administrative roles only.

1. Type passwd

   A set of five generated password choices as follows.

   Select password from list: rocskovi [ rocs-kov-i ] phuzpeca [ phuz-pec-a ] bephzoba [ beph-zo-ba ] eblircit [ e-blirc-it ] yeaskedo [ yeas-ke-do ] Type password to confirm, or Return for more choices:

2. Read the five password choices.

   1. If you want to use one of these choices, enter it and press Enter.

      This step establishes your choice.

   2. If you want to select from a different set of choices, press Enter without making an entry.

      This step causes five new selections to be displayed. If one of these selections is suitable, enter that choice and press Return; otherwise repeat this step to get five new selections.

3. After you are prompted for the password again, re-enter your choice in the confirmation field and press Enter.

   This step confirms the spelling of your choice and gives you practice at entering it.

Allocate Device

Allocate Device is available to authorized users only. It lets you mount and allocate a device so that you can securely move data on or off the system to another medium. If you try to use a device without allocating it, you will get the error message "Permission Denied."

To Allocate a Device

1. A) Select Allocate Device from the Trusted Path menu.

   This step causes the Device Allocation Manager to be displayed.

   OR

1. B) Select Device Allocation Manager from the Tools subpanel in the Front Panel.

   This is an alternative step for displaying the Device Allocation Manager (see below).

   Figure 4-11 Device Allocation Manager

   
   

2. Look in the available device list for the device you wish to use.

   The devices that you are permitted to allocate at your current label appear in this list. Table 4-1 shows some typical device names.

   Table 4-1 Device Name Abbreviations

   Abbreviated Device Name	Long Version of Device Name
   audio	microphone and speakers
   floppy_0	floppy drive
   mag_tape_0	tape drive (streaming)
   cdrom_0	CDROM drive

   If the device you want to use does not appear in the list, you should check with your administrator to make sure you are properly authorized. It may also be that the device is in an error state or in use by somebody else.

3. Move the device from the Available Devices list to the Allocated Devices list.

   You can accomplish this by:

   • Double-clicking the device name in the Available Devices list

   • Selecting the device and clicking the Allocate (right-pointing) button

   This step starts the clean script. The clean script ensures that there is no data left over on the medium from other transactions.

   Note that the label of the current workspace will be applied to the device. Any data transferred to or from the device's medium must be dominated by this label.

4. Follow the instructions in the clean script dialog boxes to (1) load and make sure the medium has the correct label and (2) mount the device.

   At this point, the medium has been cleaned and the device has been mounted and is ready to be used. The device name now appears in the Allocated Devices list.

   ---

   Note -

   Until you close the command tool window, the Device Allocation Manager and its label builder windows are disabled. At this point, you will not be able to use the Device Allocation Manager in this workspace or any other.

   ---

5. Use the device to transfer data.

   At any point, if you switch to a workspace with a different User ID (by assuming a role) or label, you need to make a separate allocation of the device at the label for that workspace. When you use the Occupy Workspace command from the window menu to move the Device Allocation Manager to the new workspace, the Available and Allocated Devices lists change to reflect the correct context.

6. Deallocate the device when you are finished.

   For the sake of security, you should always deallocate a device when you are finished using it. You can accomplish this by:

   • Double-clicking the device name in the Allocated Devices list

   • Selecting the device and clicking the Deallocate (left-pointing) button

   Deallocating a device runs a clean script that advises unmounts the device and advises you when the media can be removed.

   If you reboot your system while devices are allocated, they become deallocated.

Query Window Label

Query Window Label changes the pointer to a question mark. As you move the pointer around the screen, the label for the region under the pointer is displayed in a small rectangular box at the center of the screen (see below). When you click the mouse button, you return to normal mode. This operation is mainly useful if your system is not configured to display labels in the window frames.

Figure 4-12 Query Window Label Operation

Shut Down (for authorized users only)

Shut Down lets you shut down your machine (if you are authorized). This is not the normal way of ending a Trusted Solaris session; the normal logout method is clicking the Exit icon in the switch area of the Front Panel. When you select Shut Down, you are first queried for confirmation and then permitted to shut down the workstation. If you need to turn off your machine, you should use the Shut Down command and then turn off your power.

---

Note -

If you do shut down your machine, rebooting it may require further authorization and extra passwords depending on your site's security policy.

---

Help

Help provides online help information including various topics on elements in the Trusted Solaris environment including a glossary. Individual tools provide specific help directly through Help buttons and menus.

Other Trusted Solaris Environment Features

This section describes features in the Trusted Solaris environment not covered in the other sections of this chapter.

Lock

Clicking the Lock icon locks your screen so that no one else can use your workstation. To unlock your workstation, you need to supply your password. See "To Lock and Unlock Your Screen" for a description of this procedure.

Exit

Clicking the Exit icon displays the Exit Session dialog box for exiting the session. See "To Log Out of the Trusted Solaris Environment" for a description of this procedure.

Occupy Workspace Commands

The Occupy Workspace... and Occupy All Workspaces commands have additional security implications in the Trusted Solaris environment. They enable you to occupy a workspace with a window at a different label, which may be convenient for viewing data. The ability to move data from a window at one label to a window at another label must be granted by the security administrator.

Note that the Occupy Workspace commands do not let you occupy administrative role workspaces with windows from a normal user workspace.