Trusted Solaris User's Guide

Glossary

ACL

See access control list.

access control list

Also referred to as ACL, a software mechanism for discretionary access control that uses a list of permission specifications (referred to as ACL entries) to be applied to specific users and groups. The advantage of an ACL is that it allows finer-grained control than provided by the standard UNIX permissions.

access permission

The right of a user to read, write, execute, or view the name of a file or directory. See also discretionary access control and mandatory access control.

account label range

The set of labels assigned by the security administrator to a user or role account for working in the Trusted Solaris environment. It is defined at the upper end by the user clearance, at the lower end by the user's minimum label, and is limited to well-formed labels.

accreditation range

A set of labels that are approved for a class of users or resources. See also system accreditation range, user accreditation range, label encodings file, and network accreditation range.

action

An application that can be accessed from the CDE (Common Desktop Environment) graphical user interface. An action is represented by an icon and consists of one or more commands and optional user prompts. In the Trusted Solaris environment, an action is only available to a user if the security administrator has included it in an execution profile assigned to the user's account. Similarly certain functions of the action may be available only if the security administrator has assigned the appropriate authorizations and privileges in that execution profile.

administrative labels

Two special labels intended for administrative files only: ADMIN_LOW and ADMIN_HIGH. ADMIN_LOW is the lowest label in the system with no compartments; it is strictly dominated by all labels in the system. Information at ADMIN_LOW can be read by all but can only be written by a user in a role working at the ADMIN_LOW label. ADMIN_HIGH is the highest label in the system with all compartments; it strictly dominates all labels in the system. Information at ADMIN_HIGH can only be read by users in roles operating at ADMIN_HIGH. These labels can be used as labels or clearances. See also dominating label.

adorned name

The complete name (including the strings .MLD. or .SLD.) for a single-level directory or multilevel directory. A single-level directory contains files at a single label and uses the name .SLD.n where .SLD. is the adornment string and n is an identifying number. A multilevel directory contains single-level directories; it uses the adornment .MLD. as a prefix to the name you specify. An example of a single-level directory within a multilevel directory would be /.MLD.myHomeDir/.SLD.0.

allocatable device

A device with controlled access, capable of importing or exporting data from the system. Devices are allocatable to a single user at a time. The security administrator determines which users may access which allocatable devices. Allocatable devices include tape drives, floppy drives, audio devices, and CD-ROM devices. (See device allocation.)

allowed privilege

A privilege in the set of privileges specified by the security administrator to be potentially available for an application. If a privilege is not in an application's allowable set, it will never be available to users executing that application. Allowed privileges are assigned to the application's executable file using the File Manager.

audit ID

The UID representing the actual user, as opposed to a role, used to identify the user for auditing purposes. The audit ID always represents the user for auditing even when the user assumes roles or acquires effective UIDs/GIDs. Also referred to as AUID. See also user ID.

auditing

The process of capturing user activity and other events on the system, storing this information in a set of files called an audit trail, and producing system activity reports to fulfill site security policy.

audit trail

See auditing.

authorization

Permission granted to a user to perform an action that would be otherwise prohibited by security policy. The security administrator assigns authorizations to execution profiles which in turn are assigned to user or role accounts. Some commands and actions will not function fully unless the user has the necessary authorizations. See also privilege.

CDE action

See action.

classification

A component of a clearance or a label that indicates a hierarchical level of security, for example, TOP SECRET or UNCLASSIFIED.

clearance

A label defining the upper boundary of a label range. There are two components to a clearance: a classification and zero or more compartments. A clearance need not be a well-formed label; it defines a theoretical boundary, not necessarily an actual label. See also user clearance, session clearance, and label encodings file.

CMW label

A label indicating the security level of a file or window in those Trusted Solaris environments configured to display information labels and sensitivity labels. It is composed of an information label (information labels are no longer supported in the Trusted Solaris environment) and a label shown in brackets. CMW labels appear in a stripe at the top of open windows and in a stripe under minimized windows. See also label encodings file.

Common Desktop Environment

Also referred to as CDE, the graphical environment on which standard Solaris and Trusted Solaris are based. It includes the login manager, the session manager, the window manager, and various desktop tools.

compartment

A nonhierarchical component of a label used with the classification component to form a clearance or a label. A compartment represents a group of users with a potential need to access this information, such as an engineering department or a multidisciplinary project team.

compartmented mode workstation

Also referred to as CMW, a computing system that fulfills the government requirements for a trusted workstation stated in Security Requirements for System High and Compartmented Mode Workstations, DIA document number DDS-2600-5502-87. Specifically, it defines a trusted, X-window system-based operating environment for UNIX workstations.

covert channel

Communication channel that is not normally intended for data communication and that allows a process to transfer information indirectly in a manner that violates the intent of the security policy.

DAC

See discretionary access control.

deallocated device

Device no longer assigned (allocated) to a user. See also device allocation.

device

See allocatable device.

device allocation

A mechanism for protecting the information on an allocatable device from access by anybody except the user who allocates the device. When the device is deallocated, device clean scripts are run to clean information from the device before the device may be accessed again by another user.

discretionary access control

Also referred to as DAC, an access control mechanism that allows the owner of a file or directory to grant or deny access to other users. The owner assigns read, write, and execute permissions to the owner, the user group to which the owner belongs, and a category called other, which refers to all other unspecified users. The owner can also specify an access control list, which lets the owner assign permissions specifically to additional users and groups. Contrast with mandatory access control.

disjoint label

See dominating label.

dominating label

In a comparison of two labels, the label whose classification component is higher than or equal to the second label's classification and whose compartment components include all of the second label's compartment components. If the components are the same, the labels are said to dominate each other and are equal. If one label dominates the other and the labels are not equal, it is said to strictly dominate the other. Two labels are disjoint if they are not equal and neither label is dominant.

downgraded label

A label of an object that has been changed to a value that does not dominate the previous value of the label.

effective privilege

A privilege available for use by a process and currently enabled.

effective UIDs/GIDs

A user ID that overrides a user's real user ID when necessary to run a particular program or an option of a program. The security administrator assigns an effective UID to a command or action in an execution profile when that command or action must be run by a specific user, most often when the command must be run as root. Effective group IDs are used in the same fashion. Note that using setuid as in conventional UNIX systems does not work due to the need for privileges.

evaluatable configuration

A computer system that meets a set standard of government security requirements. See also extended configuration.

execution profile

A mechanism that allows a site's security administrator to bundle authorizations, commands, CDE actions, and any inheritable privileges, label ranges, and effective UIDs/GIDs necessary for the commands and actions. An execution profile generally contains related tasks. It can be assigned to users and roles.

extended configuration

A computer system that is no longer an evaluatable configuration due to modifications that have broken security policy.

fallback mechanism

A shortcut method for specifying IP addresses in the tnrhtp(4) file. The fallback mechanism recognizes 0 as a wildcard in the rightmost byte(s) of the IP addresses.
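As an added example (not code from the Trusted Solaris product), the following shows how the 0-as-wildcard convention described above resolves an address to a host template. The entries, template names, and the rule that the most specific matching pattern (fewest trailing wildcard bytes) wins are assumptions constructed for this example.

```python
import ipaddress

# Constructed example entries: address pattern -> host template name.
# A 0 in the rightmost byte(s) is a wildcard, as in the fallback mechanism.
SAMPLE_ENTRIES = {
    "192.168.10.7": "internal_secret",   # exact host
    "192.168.10.0": "internal_lan",      # any host in 192.168.10.x
    "192.168.0.0": "internal_site",      # any host in 192.168.x.x
    "10.0.0.0": "partner_net",           # any host in 10.x.x.x
    "0.0.0.0": "default_unlabeled",      # catch-all
}


def wildcard_count(pattern: str) -> int:
    """Number of trailing zero bytes in a pattern (0 means an exact address)."""
    ipaddress.IPv4Address(pattern)  # reject malformed patterns early
    count = 0
    for octet in reversed(pattern.split(".")):
        if octet != "0":
            break
        count += 1
    return count


def pattern_matches(pattern: str, addr: str) -> bool:
    """True when the non-wildcard leading bytes of pattern equal those of addr."""
    fixed = 4 - wildcard_count(pattern)
    return pattern.split(".")[:fixed] == addr.split(".")[:fixed]


def lookup_template(addr: str, entries=SAMPLE_ENTRIES):
    """Return the template for addr, preferring the most specific matching
    pattern (assumed ordering: fewest wildcard bytes wins); None if no match."""
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    best = None
    for pattern, template in entries.items():
        if pattern_matches(pattern, addr):
            specificity = wildcard_count(pattern)
            if best is None or specificity < best[0]:
                best = (specificity, template)
    return None if best is None else best[1]


if __name__ == "__main__":
    for host in ("192.168.10.7", "192.168.10.42", "192.168.3.1", "10.5.6.7", "172.16.0.1"):
        print(host, "->", lookup_template(host))
```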

forced privilege

A privilege in a set of privileges specified by the security administrator to be enabled unconditionally when the application is executed by any user with access to an execution profile containing that application. If the privilege is not in the application's allowed privilege set for the execution profile, it will not be available in the forced privilege set. Forced privileges are assigned to the application's executable file using the File Manager.

gateway

A Trusted Solaris host having more than one network interface and used to connect two or more networks.

group ID

Also referred to as GID, an integer used to identify a group of users that have common access permissions. Group ID is a security attribute in the Trusted Solaris environment. See also discretionary access control.

host

A computer attached to a network.

host template

A record in the tnrhtp(4) file used to define the security attributes of a class of hosts that are permitted access to the network.

host type

A classification of a host used in network communications and stored in the tnrhtp(4) database. The host type determines which network protocol is used to communicate with other hosts on the network. Network protocol refers to the rules for packaging communication information.

information system security officer

Also referred to as ISSO, an alternate term for security administrator, no longer used in the Trusted Solaris system.

inheritable privilege

A privilege that is granted to a process when the application is run by a user permitted to use the execution profile containing the application. An inheritable privilege can be passed on to child processes created by the application. The security administrator assigns inheritable privileges to commands or actions in an execution profile using the Profile Manager. See also allowed privilege and forced privilege.

install

The name of a special user with root capabilities responsible for configuring the Trusted Solaris system.

label

Also referred to as a sensitivity label or SL, a string indicating the security level of an entity (file, directory, process, device, or network interface) used to determine whether access should be permitted in a particular transaction. There are two components to a label: a classification indicating the hierarchical level of security, and zero or more compartments for defining who has a need to access the entity given a sufficiently high classification. See also label encodings file.

label encodings file

A file managed by the security administrator that contains the definitions for all valid clearances and labels as well as defining the system accreditation range, user accreditation range, and labeling of hardcopy reports for the site.

label range

Any set of labels bounded on the upper end by a clearance or maximum label, on the lower end by a minimum label, and consisting of well-formed labels. Label ranges are used to enforce mandatory access control. See also label encodings file, account label range, accreditation range, network accreditation range, session range, system accreditation range, and user accreditation range.

label view

A security feature that displays the administrative labels or substitutes unclassified placeholders for the administrative labels. For example, if it is against security policy to expose the labels ADMIN_HIGH and ADMIN_LOW, the labels REGISTERED and PUBLIC may be substituted.

labeled workspace

The Trusted Solaris version of CDE workspaces, which confines the activity in a workspace to a label. There are two exceptions. (1) Authorized users can move a window at a different label into the workspace using the Occupy Workspace or Occupy All Workspaces command. (2) Certain applications, such as the Mail Tool, permit operation at multiple labels from a labeled workspace.

least privilege

See principle of least privilege.

MAC

See mandatory access control.

mandatory access control

Also referred to as MAC, a system-enforced access control mechanism that uses clearances and labels to enforce security policy. MAC associates the programs a user runs with the security level (clearance or label) at which the user chooses to work in the session and permits access to information, programs, and devices at the same or lower level only. MAC also prevents users from writing to files at lower levels. MAC cannot be overridden without special authorizations or privileges. Contrast with discretionary access control.

minimum label

A label assigned to a user as the lower bound of the set of labels at which that user may work. The minimum label is the user's initial label by default when the user first begins a Trusted Solaris session. The user can optionally reset the value for the initial label if desired by changing the home session.

Also, the lowest label permitted to any non-administrative user. It is assigned by the security administrator and it defines the bottom of the user accreditation range.

MLD

See multilevel directory.

multilevel directory

Also referred to as MLD, a special type of directory that transparently stores information by label in separate subdirectories called single-level directories. When users access multilevel directories through the command line or use the File Manager, they see information at their current label only. Note: if permitted by the security policy, a user may access information at other labels by explicitly specifying the adorned names of directories in the path. See also single-level directory.

network accreditation range

The set of labels within which Trusted Solaris hosts are permitted to communicate on a network.

normal user

A user who holds no special authorizations that allow exceptions from the standard security policies of the system; not an assumer of an administrative role.

object

A passive entity that contains or receives data, such as a data file, directory, printer, or other device, and is acted upon by subjects. In some cases, a process may be an object, such as when you send a signal to a process.

permissions

A set of codes that indicate which users are allowed to read, write, or execute the file or directory (folder). Users are classified as owner, group (the owner's group), and other (everyone else). Read permission (indicated by r) lets the user read the contents of a file or, if a directory, list the files in the folder. Write permission (w) lets the user make changes to a file or, if a folder, add or delete files. Execute permission (x) lets the user run the file if it is executable or, if a directory, read or search its files. Also referred to as UNIX permissions or permission bits.

principle of least privilege

The security principle that restricts users to only those functions necessary to perform their jobs. It is applied in Trusted Solaris systems by making privileges available to programs on an as-needed basis and enabling the privileges on an as-needed basis for specific purposes only.

privilege

A permission granted to a program by the security administrator to override some aspect of security policy. To be usable by the program, the privilege must be (1) in the allowed privilege set assigned to the program's executable file and (2) either in the forced privilege set assigned to the executable file or in the process's inheritable privilege set. The term effective privilege refers to privileges that are currently enabled. See also authorization and privilege set.

privilege bracketing

The coding technique of enabling a privilege only while it is needed for a specific function. This is in keeping with the principle of least privilege.

privilege set

A group of allowed privileges, forced privileges, inheritable privileges, effective privileges, or saved privileges. Privilege set is a useful term for describing how privileges are assigned and made available to programs. Allowed and forced privileges are assigned by the security administrator to executable files through the File Manager. Inheritable privileges are assigned by the security administrator to commands and actions in execution profiles through the Profile Manager. Effective and saved privileges are mainly of use to developers and are determined by the system.

privileged process

A process that has privileges available to it.

process

A running program. In the Trusted Solaris environment, processes have security attributes, such as user ID, group ID, the user's audit ID, privileges, the process clearance, and the label of the current workspace.

process clearance

A clearance equal to the session clearance that sets a boundary on the highest label at which the process can write information.

profile

See execution profile.

profile shell

A version of the Bourne shell that lets a user run a command with the privileges, label ranges, and effective UIDs/GIDs assigned to the command in the execution profile.

public object

A file that contains read-only information, is not modifiable by normal users, and has no implications for security, such as the system clock. There is little need to perform auditing on public objects.

reading down

The ability of a subject to view an object whose label it dominates. Security policy generally allows reading down. For example, a text editor program running at Secret can read Confidential data. See also mandatory access control and reading up.

reading up

The ability of a subject to view an object at a label that dominates the subject's label. Due to mandatory access control, reading up is generally prohibited unless the subject has the appropriate privilege. For example, a text editor program running at Confidential cannot normally read Secret data. See also reading down.

role

A special user account that gives the user assuming the role access to certain applications with the authorizations, privileges, and effective UIDs/GIDs necessary for performing the specific tasks.

root

In the Trusted Solaris environment, the role assigned to the user or users responsible for installing commercial software. The Trusted Solaris version of root does not have the all-powerful capabilities of root in standard UNIX systems.

saved privilege

(This is mainly of use to developers.) A privilege set inherited by a process when its parent process performs an execve(2). The saved privileges become invalid if the process changes its effective user ID but are re-enabled on a return to the prior user ID.

security administrator

In the Trusted Solaris environment, the role assigned to the user or users responsible for defining and enforcing the site security policy. The security administrator can work at any label in the system accreditation range and potentially has access to all information at the site. The security administrator configures the security attributes for all users and equipment. See also label encodings file.

security attribute

A property of an entity (file, directory, process, device, or network interface) in the Trusted Solaris environment related to security. Security attributes include identification values such as user ID and group ID, different types of clearances, and all types of labels and label ranges. Note that only certain security attributes apply to a particular type of entity.

security policy

In the Trusted Solaris environment, the set of DAC, MAC, and label rules that define how information may be accessed and by whom. At a customer site, the set of rules that defines the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.

sensitivity label

See label.

session

The time between logging into and out from a Trusted Solaris host. The trusted stripe appears in all Trusted Solaris sessions to confirm that users are not being spoofed by a counterfeit environment.

session clearance

A clearance set at login that defines the upper boundary of labels for a Trusted Solaris session. If the user is permitted to set the session clearance, the user can specify any value within the user's account label range. If the user's account is configured for forced single-level sessions, the session clearance is set to the default value specified by the security administrator. See also clearance.

session range

The set of labels available to a user during a Trusted Solaris session. It is bounded at the upper boundary by the user's session clearance and at the lower end by the minimum label.

single-label configuration

A user account that has been configured for operation at a single label only.

single-level directory

Also referred to as SLD, a subdirectory within a multilevel directory containing files and optionally subdirectories at a single label only. Single-level directory names are created by the Trusted Solaris operating system, which uses the .SLD. prefix followed by a number indicating the sequence in which they were created. When a user changes to a multilevel directory, the user actually goes to the single-level directory matching the user's current label. See also adorned name.

SLD

See single-level directory.

spoof

To counterfeit a software program in order to gain access to, or information from, a system illegally.

strict dominance

See dominating label.

subject

An active entity in the Trusted Solaris environment, usually a process running on behalf of a user or role, that causes information to flow among objects or changes the system state.

system accreditation range

The set of all valid labels for a site including the administrative labels available to the site's security administrators and system administrators. The system accreditation range is defined in the label encodings file.

system administrator

In the Trusted Solaris environment, the role assigned to the user or users responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. See also security administrator.

system operator

In the Trusted Solaris environment, the role assigned to the user or users responsible for backing up systems.

trusted application

An application that has been granted one or more privileges.

trusted computing base

Also referred to as TCB, the part of the Trusted Solaris environment that affects security; it includes software, hardware, firmware, documentation, and administrative procedures. Utility programs and application programs that can access security-related files are all part of the trusted computing base.

trusted facilities management

All activities associated with system administration in a conventional UNIX environment, plus all of the administrative activities necessary to maintain the security of a distributed system and the data it contains.

trusted path

Refers to the mechanism for accessing actions and commands permitted to interact with the trusted computing base. See also trusted path menu, trusted path symbol, and trusted stripe.

trusted path menu

A menu of Trusted Solaris operations that is displayed by holding down the right mouse button over the switch area of the front panel at the bottom of the screen. The menu selections fall into three categories: workspace-oriented selections, role assumption selections, and security-related tasks.

trusted path symbol

The symbol (the letters TP) that appears at the left of the trusted stripe area. It is displayed whenever the user accesses any portion of the trusted computing base.

trusted stripe

A rectangular graphic in a reserved area at the bottom of the screen that appears in all Trusted Solaris sessions. Its purpose is to confirm valid Trusted Solaris sessions. Depending on a site's configuration, the trusted stripe has one or two components: (1) a mandatory trusted path symbol to indicate interaction with the trusted computing base and (2) an optional label to indicate the label of the current window or workspace.

upgraded label

A label of an object that has been changed to a value that dominates the previous value of the label.

upgraded name

The name of a file or directory whose label has been upgraded and thus dominates the label of the directory that contains it. The security administrator can configure a system so that upgraded names are displayed or hidden from users by default.

user accreditation range

The largest set of labels that the security administrator can potentially assign to a user at a specific site. The user accreditation range excludes the administrative labels and any label combinations available to administrators only. It is defined in the label encodings file.

user clearance

A clearance assigned by the security administrator that defines the upper boundary of a user's account label range; it determines the highest label at which the user is permitted to work in a Trusted Solaris environment. See also clearance and session clearance.

user ID

Also referred to as UID, an integer used to identify a user for the purposes of discretionary access control, mandatory access control, and auditing. User ID is a security attribute in the Trusted Solaris environment. See also access permissions.

well-formed label

A label that is permitted by all applicable rules in the label encodings file to be included in a range.

workspace

See labeled workspace.

writing down

The ability of a subject to write to an object whose label is strictly dominated by the subject's label. Due to mandatory access control, writing down is not permitted without the appropriate privilege. For example, a text editor program running at Secret cannot write Confidential data without the right privilege. Note that writing between subjects and objects at equal labels is permitted and is the norm. See also mandatory access control and writing up.

writing up

The ability of a subject to write to an object whose label dominates (or is equal to) the subject's label. For example, a text editor program running at Confidential can write Secret data (if its session clearance is at Secret or higher). See also mandatory access control and writing down.
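As an added example (not code from the Trusted Solaris product), the following models the dominating label, administrative labels, reading down/up, and writing down/up entries of this glossary as one set of checks. The classification ordering, the compartment names, and the numeric values used for ADMIN_LOW and ADMIN_HIGH are assumptions constructed for this example; a real site takes them from its label encodings file, and privilege overrides are not modelled.

```python
from dataclasses import dataclass

# Constructed classification ordering (higher value = more sensitive).
CLASSIFICATIONS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
# Constructed universe of compartments for this example.
ALL_COMPARTMENTS = frozenset({"ENG", "PROJ"})


@dataclass(frozen=True)
class Label:
    """A label: one hierarchical classification plus zero or more compartments."""
    classification: int
    compartments: frozenset

    @classmethod
    def make(cls, classification: str, *compartments: str) -> "Label":
        unknown = set(compartments) - ALL_COMPARTMENTS
        if unknown:
            raise ValueError(f"unknown compartments: {sorted(unknown)}")
        return cls(CLASSIFICATIONS[classification], frozenset(compartments))


# Administrative labels (assumed encoding): ADMIN_LOW sits below every
# classification with no compartments, so every other label strictly dominates
# it; ADMIN_HIGH sits above every classification with all compartments.
ADMIN_LOW = Label(min(CLASSIFICATIONS.values()) - 1, frozenset())
ADMIN_HIGH = Label(max(CLASSIFICATIONS.values()) + 1, ALL_COMPARTMENTS)


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's classification is >= b's and a's compartments
    include all of b's. Equal labels dominate each other."""
    return (a.classification >= b.classification
            and b.compartments <= a.compartments)


def strictly_dominates(a: Label, b: Label) -> bool:
    """Dominance between labels that are not equal."""
    return dominates(a, b) and a != b


def disjoint(a: Label, b: Label) -> bool:
    """Neither label dominates the other (which also means they are not equal)."""
    return not dominates(a, b) and not dominates(b, a)


def may_read(subject: Label, obj: Label) -> bool:
    """Reading down, or at an equal label, is allowed; reading up is refused."""
    return dominates(subject, obj)


def may_write(subject: Label, obj: Label, session_clearance: Label) -> bool:
    """Writing up, or at an equal label, is allowed only while the object's
    label stays within the session clearance; writing down is refused."""
    return dominates(obj, subject) and dominates(session_clearance, obj)


if __name__ == "__main__":
    confidential = Label.make("CONFIDENTIAL")
    secret_eng = Label.make("SECRET", "ENG")
    editor_at_secret = Label.make("SECRET")
    print("Secret editor reads Confidential:", may_read(editor_at_secret, confidential))
    print("Secret editor writes Confidential:", may_write(editor_at_secret, confidential, secret_eng))
    print("Secret and Confidential+PROJ disjoint:",
          disjoint(editor_at_secret, Label.make("CONFIDENTIAL", "PROJ")))
```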