This chapter gives the information needed to understand which labels are printed at the top and bottom of printer output and which labels and text are printed on banner and trailer pages. This chapter also describes how the Security Administrator role can make changes to the default.
This chapter includes these topics:
This chapter also describes these procedures:
By default, each print job's label is printed at the top and bottom of every body page.
Figure 3-1 shows a label (in this case, PUBLIC) printed at the top and bottom of a print job's body page.
The Security Administrator role can change the defaults so that another label or no label is printed instead of the default labe. (See "Labels, Text, and Handling Caveats on Banner and Trailer Pages".)
By default, both a banner and a trailer page are automatically created for each print job. The banner/trailer pages contain label-related text and guidelines for protecting printer output.
The fields and the text that are printed on the banner page are shown in Figure 3-2. The callouts show the names of the labels and the strings that appear by default.
All the text and the labels and text on banner/trailer pages are configurable.
The differences on the trailer page are shown in Figure 3-3. A thick black line is used as a frame on the trailer page, instead of the thicker gray frame on the banner page, and the page type identifier changes from JOB START to JOB END.
The parts of banner/trailer pages that the Security Administrator role can configure are described in the following sections:
In addition, the Security Administrator role can make the following changes in a print configuration file called tsol_separator.ps in /usr/lib/lp/postscript:
Localize (translate) the text on the banner and trailer pages
Specify alternates to default labels printed at the top and bottom of body pages
Change or omit any of the text or labels
For how to do customizations, see the comments in the tsol_separator.ps file in the /usr/lib/lp/postscript directory. See also "Managing Printing" in Trusted Solaris Administrator's Procedures.
The protect as classification is printed:
On the top and bottom of banner and trailer pages and
In the middle of the protect as statement (along with compartments from the job's label)
In the following figure, the protect as classification NEED_TO_KNOW is printed at the top of the banner page.
The protect as statement reads:
This output must be protected as: |
NEED_TO_KNOW HR |
unless manually reviewed and downgraded |
Example 3-1 shows the minimum protect as classification defined in the ACCREDITATION RANGE section of the label_encodings.simple file.
minimum protect as classification= NEED_TO_KNOW; |
In most cases the Security Administrator role specifies the minimum protect as classification equal to the site's lowest defined classification. Specify a minimum protect as classification higher than the lowest classification only if you need to protect all printer output at the specified minimum classification or above (whether or not the label has a lower classification).
Figure 3-5 shows an example in which the label on the user's print tool is INTERNAL_USE_ONLY, and the minimum protect as classification is NEED_TO_KNOW. The NEED_TO_KNOW classification is printed in this case because the minimum protect as classification dominates the classification.
For another example, a site with INTERNAL_USE_ONLY as the minimum protect as classification has the three classifications with the values shown in the first two columns of the following table. The third column shows the protect as classification printed on the banner/trailer pages for the print job when the classification on the left is in the job's label.
Table 3-1 Example: Minimum Protect As Classification`s Effects on the Protect As Classification
Classification |
Value |
Protect As Classification Printed on Banner/Trailer Pages for Print Job |
---|---|---|
PUBLIC |
1 |
INTERNAL_USE_ONLY |
INTERNAL_USE_ONLY |
2 |
INTERNAL_USE_ONLY |
NEED_TO_KNOW |
3 |
NEED_TO_KNOW |
As shown in the table above, any print job whose label includes either the PUBLIC or the INTERNAL_USE_ONLY classification would have INTERNAL_USE_ONLY printed in the Protect as statement and at the top and bottom of banner/trailer pages, and any print jobs whose label includes the NEED_TO_KNOW classification would have NEED_TO_KNOW printed in the same locations.
Based on your site's security policy, decide whether to set a minimum protect as classification higher than the classification with the lowest value.
Compartments from the print job's label are printed in the protect as field along with the print job's protect as classification. In the following example, the compartment HR from the label is printed as an access-related word along with the protect as classification because all compartments are treated as access-related.
The printer banners field is the first line (or lines) that can appear in the handling caveats in the lower third of the banner and trailer pages.
At commercial sites, the Security Administrator role can associate any text in the PRINTER BANNERS section with any compartment bit, as long as the compartment bit is also assigned to a word in the SENSITIVITY LABELS section of the label_encodings file. In the following example, the printer banner is the line that reads COMPANY PROPRIETARY/CONFIDENTIAL: NTK HUMAN RESOURCES.
By convention in government installations, the printer banner line displays any caveats that are associated with the subcompartments of the job's sensitivity label. The following example shows a typical PRINTER BANNER at a government installation. Any string could be specified instead of the string shown here: (FULL SA NAME).
Following are the encodings for the printer banner line (FULL SA NAME) in Figure 3-7.
First, the word (FULL SA NAME) is associated in the PRINTER BANNERS section of the label_encodings with compartment bit 2.
PRINTER BANNERS: WORDS: . . . name= (FULL SA NAME); compartments= 2; |
Example 3-3 shows the SENSITIVITY LABELS definitions for the same compartments and markings used in the PRINTER BANNER definitions in Figure 3-7. In the example, compartment bit 2 is associated with the subcompartment word SA.
The printer banner string displays as (FULL SA NAME) because:
The label contains the subcompartment word SA.
Compartment bit 2 is associated with the subcompartment word SA.
Compartment bit 2 is associated with the string (FULL SA NAME) in the PRINTER BANNERS encodings.
SENSITIVITY LABELS: WORDS: . . . name= SB; minclass= TS; compartments= 3-5; name= SA; minclass= TS; compartments= 2; |
Following is a planning table for PRINTER BANNERS.
Table 3-2 PRINTER BANNERS Planner
When this/these subcompartment/compartment bit(s) are in the print job's label |
Print this Prefix |
Print this Word |
Print this Suffix |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The CHANNELS section in the label_encodings file defines the line (or lines) that can appear below the PRINTER BANNER line(s) on the lower third of the banner and trailer pages. The CHANNELS section can be specified to print a string whenever the label of a print job contains a certain compartment.
In the example in Figure 3-8, the channels are the lines that read DISTRIBUTE ONLY TO HUMAN RESOURCES EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED). At commercial sites, it is possible to specify any text you want to appear in the CHANNELS section with any compartment bit you choose.
In government installations, the channels line(s) of the banner page conventionally are specified to display any caveats that are associated with the compartments of the job's label. Figure 3-9 shows a typical CHANNELS warning on a print job's banner page at a government installation: HANDLE VIA (CH B)/(CH A) CHANNELS JOINTLY.
The following discussion explains and illustrates how the CHANNELS string HANDLE VIA (CH B)/(CH A) CHANNELS JOINTLY is specified for a job whose label includes the compartment words A and B. For the purpose of the example, only (CH A) and (CH B) apply. However, since the compartment bit for a third channel (CH C) is included in their definitions, (CH C) is also mentioned in this discussion.
The example illustrates the following:
Two compartment bits are associated individually with one set of words and together with another set of words
A third compartment bit is included with the encodings for the first two bits
One suffix is defined for whenever any combination of one or more channel words is in the label
Another suffix is defined for when a single channel word is in the label
A third suffix is defined for when more than one channel word is in the print job's label
As shown in the following example, two suffixes CHANNELS JOINTLY and CHANNELS ONLY and a prefix HANDLE VIA are defined.
CHANNELS: WORDS: name= CHANNELS JOINTLY; suffix; name= CHANNELS ONLY; suffix; name= HANDLE VIA; prefix; |
Following the prefixes and suffixes definitions in Example 3-4, the channel names (CH A), (CH B), and (CH C) are specified in two different ways to achieve the following results:
Whenever any one of the three compartment bits associated with channels is in the label, the HANDLE VIA: prefix is printed.
When only one of the three compartment bits associated with channels is in the label, the CHANNELS ONLY suffix is printed after the channel name (CH A), (CH B), or (CH C).
When more than one compartment bit associated with channels is in the label, the prefix is followed by the channel names separated by a slash (/), which are then followed by the CHANNELS JOINTLY suffix.
The first three lines that define CHANNELS words in Example 3-4 are repeated in Example 3-5 to focus on how (CH A), (CH B), and (CH C) are encoded to appear with the CHANNELS ONLY suffix:
(CH A) is encoded with bit 0 on and bits 1 and 6 explicitly set to off using the tilde (~): 0 ~1 ~6
(CH B) is encoded with bit 1 on and bits 0 and 6 explicitly set to off using the tilde (~): ~0 1 ~6
(CH C) is encoded with bit 6 on and bits 0 and 1 explicitly set to off using the tilde (~): ~0 ~1 6)
CHANNELS: WORDS: name= CHANNELS JOINTLY; suffix; name= CHANNELS ONLY; suffix; name= HANDLE VIA; prefix; name= (CH A); prefix= HANDLE VIA; suffix= CHANNELS ONLY; compartments= 0 ~1 ~6; name= (CH B); prefix= HANDLE VIA; suffix= CHANNELS ONLY; compartments= ~0 1 ~6; name= (CH C); prefix= HANDLE VIA; suffix= CHANNELS ONLY; compartments= ~0 ~1 6; |
The first three lines of channel name definitions in the CHANNELS section shown in Example 3-5 have the following results:
The HANDLE VIA prefix and the CHANNELS ONLY suffix are printed when one of the words associated with bits 0, 1, and 6 elsewhere in the label_encodings is in the job's label
The HANDLE VIA prefix and CHANNELS ONLY suffix are printed:
With (CH A) when compartment bit 0 is turned on in the label and compartment bits 1 and 6 are off
With (CH B) when compartment bit 1 is turned on in the label and compartment bits 0 and 6 are off
With (CH C) when compartment bit 6 is turned on in the label and compartment bits 0 and 1 are off
The last three lines that define CHANNELS WORDS in Example 3-5 are repeated in Example 3-6 to show how (CH A), (CH B), and (CH C) are encoded to appear with the CHANNELS JOINTLY suffix when more than one of the words associated with bits 0, 1, and 6 is in the job's label. A slash is inserted between the channels names when more than one of the bits defined in the channels section is in the job's label.
name= (CH A); prefix= HANDLE VIA; suffix= CHANNELS ONLY; compartments= 0 ~1 ~6; name= (CH B); prefix= HANDLE VIA; suffix= CHANNELS ONLY; compartments= ~0 1 ~6; name= (CH C); prefix= HANDLE VIA; suffix= CHANNELS ONLY; compartments= ~0 ~1 6; |
The CHANNELS specification illustrates the importance of order when compartments are being encoded. The first three lines shown in Example 3-6 have already taken care of the cases when only one of the channels compartment bits is turned on, so the last three lines can take care of cases when more than one bit is turned. Therefore, none of the last three lines need to have any compartment bits explicitly set to 0. Because any cases where any of the channels words appears in the job's label by itself have already been taken care of, the result of these last three lines is that the suffix CHANNELS JOINTLY is always printed when any of two or more of the three compartment words associated with the channels is in the label:
(CH C) is printed with CHANNELS JOINTLY when bit 6 is turned on and either of bit 0 or 1 or both are also turned on
(CH B) is printed with CHANNELS JOINTLY when bit 1 is turned on either of bit 0 or 6 or both are also turned on and
(CH A) is printed with CHANNELS JOINTLY when compartment 0 is turned on and either of bit 6 or 1 or both are also turned on
Example 3-7 shows the labels with compartment bit 6. The figure shows that compartment bit 6 is associated words associatedwith the label word CC.
SENSITIVITY LABELS: WORDS: . . . name= CC; minclass= TS; compartments= 6; |
Example 3-8 shows that compartment bit 1 is associated with the sensitivity labels word B.
SENSITIVITY LABELS: WORDS: . . . name= B; minclass= C; compartments= 1; |
Example 3-9 shows that compartment bit 0 is associated with sensitivity labels word A.
SENSITIVITY LABELS: WORDS: . . . name= A; minclass= C; compartments= 0; |
To sum up, the channels line prints as HANDLE VIA (CH B)/(CH A) CHANNELS JOINTLY because:
HANDLE VIA is defined to always appear with any of the defined CHANNELS words
The sensitivity label has two access-related words, A and B, that are associated with two compartment bits 0 and 1.
Because two of the bits defined for CHANNELS words appear in the job's label, the CHANNELS WORDS (CH A) and (CH B) are followed by CHANNELS JOINTLY.
Any words to come before the channel name are specified as prefixes and any words to come after the channel name are specified as suffixes.
The following table may be used to plan CHANNELS.
Table 3-3 CHANNELS Planner (for Prefixes, Channel Words, and Suffixes)
For Compartment Bit(s) |
Print This Prefix |
Print This Channel |
Print This Suffix |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
See "Specifying Printer Banners", if necessary, before you start. Plan what printer banners you want to associate with any of the words defined in the SENSITIVITY LABELS section of the label_encodings file, using Table 3-2.
Open the label_encodings file for editing as described in "To Modify the label_encodings (4) File" of Chapter 2, Creating or Modifying the Encodings File.
Find the PRINTER BANNERS section of the file.
PRINTER BANNERS: WORDS: |
Enter any prefixes or suffixes to associate with the WORDS in the printer banner line(s) of banner/trailer pages.
PRINTER BANNERS: WORDS: name= ORCON; prefix; |
Enter the names of words to associate with any already-defined compartments in sensitivity labels, and specify any defined prefixes or suffixes as desired.
name= (FULL SB NAME); compartments= 3 name= (FULL SA NAME); compartments= 2 |
See "Specifying CHANNELS", if necessary, before you start. Plan what channels line you want to associate with any of the words defined in the SENSITIVITY LABELS section of the label_encodings file, using Table 3-3.
Open the label_encodings file for editing as described in "To Modify the label_encodings (4) File" of Chapter 2, Creating or Modifying the Encodings File.
Find the CHANNELS section of the file.
CHANNELS: WORDS: |
Enter any prefixes or suffixes to associate with the WORDS in the CHANNELS line(s) of banner/trailer pages.
CHANNELS: WORDS: name= CHANNELS JOINTLY; suffix; name= CHANNELS ONLY; suffix; name= HANDLE VIA; prefix; |
Enter the names of words to associate with any already-defined compartments in sensitivity labels, and specify any defined prefixes or suffixes as desired.
name= (CH C); prefix= HANDLE VIA; suffix= CHANNELS JOINTLY; compartments= 6; name= (CH B); prefix= HANDLE VIA; suffix= CHANNELS JOINTLY; compartments= 1; name= (CH A); prefix= HANDLE VIA; suffix= CHANNELS JOINTLY; compartments= 0; |