Chapter 5 Example: Planning an Organization's Labels

This chapter models how to get started if you have not previously used labels. The following major sections show how one organization analyzed its labeling requirements and set up a fairly simple set of labels:

• "Identifying the Site's Label Requirements "

• " Analyzing the Requirements for Each Label"

• "Defining the Set of Labels"

• "Specifying the Labels During Post-Install Configuration"

This chapter models how to do the following:

• Identify a set of labels that meet your company's information-protection goals

• Define the components of labels and their relationships:

  • Classifications (words that specify which labels are more sensitive)

  • Compartments (words that associate a label or clearance with a project or group)

Identifying the Site's Label Requirements

Solar Systems, Inc. is a fictional name for the company whose label requirements are modeled in this example. To protect the corporation's intellectual property, the company's legal department mandates that employees use three labels on all sensitive email and printed materials. The three labels, from most-sensitive to least-sensitive are:

Solar Proprietary/Confidential: Registered

Solar Proprietary/Confidential: Need To Know

Solar Proprietary/Confidential: Internal Use Only

The legal department also approves the use of an optional fourth label for information that can be distributed to anyone without restrictions:

Public

Problems Encountered in Trying to Meet Information Protection Goals

At Solar Systems, Inc., the manager in charge of Information Protection makes use of all possible channels to get the word out about labeling requirements. Some employees either do not understand, forget about, or ignore the requirements. Even when labels are properly applied, the information is not always properly handled, stored, and distributed. For example, reports trickle back that even Registered information (which only a limited list of people should see and nobody but the originator should copy) is sometimes found unattended next to copy machines and printers, in break rooms, and lobbies.

• The legal department wants a better way to ensure that information is properly labeled without relying totally on employee compliance

• The system administrators wants a better way to control:

  • Who can see or modify sensitive information,

  • Which information is printed on which printers,

  • How printer output is handled, and

  • How information at various levels of is distributed internally and externally via email

How Trusted Solaris Features Address Information Labeling and Access Control Requirements

The Trusted Solaris operating system does not leave labeling up to computer users. All printer output from hosts running Trusted Solaris software is automatically labeled according to the site's requirements. The Solar Systems' executives decided to use the Trusted Solaris operating system when they realized that the product could both meet the requirements of the legal department and support the goals of the system administrators.

Even though security was not yet fully understood at the company, executives knew they could put the following features to use right away:

• Each print job is automatically assigned a label, which is the label that corresponds either to the level at which the user is working or to the user's level of responsibility.

  Figure 5-1 shows an employee working at a level of INTERNAL_USE_ONLY, which means that the work he is doing should only be accessible by Solar Systems employees and others who have signed nondisclosure agreements. When he sends email to the printer, the print job is automatically assigned the label INTERNAL_USE_ONLY.

Figure 5-1 Automatic Labeling of Print Jobs

• The printer automatically prints a company-specified label at the top and bottom of each page of printed output.

  In Figure 5-2, the letter that was sent to the printer in Figure 5-1 is printed with the user's working label, INTERNAL_USE_ONLY, at the top and bottom of every page.

Figure 5-2 Label Automatically Printed on Body Pages

• Banner and trailer pages are automatically created for each print job and are printed with company-specific handling guidelines.

  Figure 5-3 shows the wording for a print job whose sensitivity level has a classification of NEED_TO_KNOW and a department of HUMAN_RESOURCES.

Figure 5-3 Handling Guidelines on Banner and Trailer Pages

NEED_TO_KNOW HR

DISTRIBUTE ONLY TO HUMAN RESOURCES (NON-DISCLOSURE AGREEMENT REQUIRED)

Below the sensitivity label in the previous example, a handling caveat provides instructions about how the printed material should be distributed. The instructions are understood to mean that the information should be distributed only to human resources personnel with a need to know about it and that the reader must have signed a nondisclosure agreement.

• Printers can be configured to print only jobs with labels within a restricted label range.

  For example, the legal department's printer can be set up (as illustrated in Figure 5-4) to print only jobs sent at the following three labels:

  • NEED_TO_KNOW LEGAL (to be viewed only by those with a need to know within the legal department)

  • INTERNAL_USE_ONLY (to be viewed only by permanent employees of the Solar Systems company and other who have signed nondisclosure agreements), and

  • PUBLIC (to be viewed by anybody)

    A printer set up as specified above would exclude jobs sent at any other label. For example, the legal department printer set up as described above would reject jobs at:

  • NEED_TO_KNOW MARKETING, and

  • REGISTERED

Figure 5-4 How a Printer With a Restricted Label Range Handles Jobs at Various Labels

Printers in other locations that are accessible to all employees can be configured to print jobs only at the two labels that allow the output to be viewed by all employees:

• INTERNAL_USE_ONLY

• PUBLIC

A label is automatically assigned to each email message based on the sensitivity level at which the sender is working.

Figure 5-5 shows email being labeled at the sensitivity label of the user's mail application and sent to the mail application at that label.

Figure 5-5 Automatic Labeling of Email

Similar to how the printer label range controls which jobs can be printed on a particular printer, a user's personal sensitivity label range limits which email the person can receive and send (see Figure 5-6).

Figure 5-6 A User Receiving Email within His Account Label Range

• Gateways to the Internet can be set up to screen email so that email at inappropriate labels (any label except PUBLIC) cannot be sent outside of the company.

Climbing the Security Learning Curve

The management identifies an experienced administrator who:

• Is assessed to be trustworthy,

• Knows how to administer Solaris systems, and

• Understands the organization's information-processing goals well enough to be responsible for overseeing or implementing the site's security

That person is assigned the job of Security Administrator.

Long before installing Trusted Solaris software, the Security Administrator starts to learn about security and to prepare a plan for the site's security policy--starting with a plan for the site's labels as described in the immediately-following sections.

By reading the Trusted Solaris User's Guide and the Trusted Solaris Administration Overview, the Security Administrator becomes familiar with the distinctions between types of labels and how labels are compared when access control decisions are being made. Reading the Trusted Solaris Administrator's Procedures manual prepares the Security Administrator to assume the Security Administrator role for administering system security and assigning administrative responsibilities. The section called "Implement Trusted Solaris in Accordance with Site Security" in Trusted Solaris Installation and Configuration provides guidance on creating a site's security policy.

The Security Administrator also reads "More About Labels" in this manual to review concepts directly related to setting up security and encoding labels.

Analyzing the Requirements for Each Label

The Security Administrator agrees that the set of labels mandated by the legal department is a good start but realizes that the labels need to be analyzed further before they can be encoded.

PROPRIETARY/CONFIDENTIAL: INTERNAL_USE_ONLY

The PROPRIETARY/CONFIDENTIAL: INTERNAL_USE_ONLY label is for information that is proprietary to the company but which, because of its low level of sensitivity, may be distributed to all employees, all of whom have signed nondisclosure agreements before starting employment. Information with this label may also be distributed to others such as the employees of vendors and contractors, as long as each person who receives the information has also signed a nondisclosure agreement. Because the Internet may be snooped, information with this label may not be sent over the Internet, but it may be sent via email within the company.

PROPRIETARY/CONFIDENTIAL: NEED_TO_KNOW

The PROPRIETARY/CONFIDENTIAL: NEED_TO_KNOW label is intended for information that is proprietary to the company, has a higher level of sensitivity than INTERNAL_USE_ONLY, and has a more limited audience. Distribution is limited to employees who have a need to know the information and to others who have signed nondisclosure agreements who also have a need to know.

For example, if only the group of people working in a particular project should see certain information, then NEED_TO_KNOW should be used on that information. People who receive information with this label can copy it and pass it on to other people who also have a need to know and have signed a nondisclosure agreement. Whenever information should be restricted to a particular group, the name of the group should be specified on the printed or otherwise-copied version of the information.

Having the name of a group in this label makes it clear that the information should not be given to anyone outside of the group. Information with this label may not be sent over the Internet but it may be sent via email within the company.

PROPRIETARY/CONFIDENTIAL: REGISTERED

The PROPRIETARY/CONFIDENTIAL: REGISTERED classification is intended for information that is proprietary to the company, has a very high level of sensitivity, and could significantly harm the company if released to the wrong parties or if it was released at the wrong time. Registered information must be numbered and tracked by the owner. Each copy must be assigned to a specific person and returned to the owner for destruction after being read. Copies may be made only by the owner of the information. Use of brownish-red paper is recommended because this color cannot be copied.

This label is to be used when only one specific group of people should be allowed to see the proprietary information. This information cannot be shown to anyone who is not authorized by the owner, and it cannot be shown to employees of other companies who have not signed a nondisclosure agreement--even if the owner authorizes them to see it. Information with this label may not be sent via email.

Names of Group Associated with the Need to Know

The Security Administrator decided that the NEED_TO_KNOW label should contain the names of groups or departments. The Security Administrator asked for suggestions about what words to use to define groups or areas of interest within the organization, and came up with the following list.

Understanding the Set of Labels

The next step is to decide:

• How to encode the labels into the classifications and compartments that make up sensitivity labels and clearances,

• What kinds of handling instructions should appear on printed output.

  The Security Administrator used a large board and pieces of paper marked with the words that should be in the labels, as shown in Figure 5-7, to visualize the relationships and rearrange the pieces until they all fit together.

  The administrator came up with the following:

• The four labels are hierarchical with the label containing REGISTERED the highest and the PUBLIC label the lowest.

• Only one label needs to be associated with group names

  The list of those cleared to receive registered information is limited on a case by case basis, so REGISTERED does not need any group names. INTERNAL_USE_ONLY applies to all employees and those that have signed nondisclosure agreements, and PUBLIC labels are for everybody, so neither of these labels needs further qualification. The NEED_TO_KNOW label does need to be associated with non-hierarchical words, such as NEED_TO_KNOW MARKETING or NEED_TO_KNOW ENGINEERING. The words that identify the group or department can also be included in a user's clearance, as part of establishing that user's need to know.

• Each of the labels except PUBLIC require that the person accessing the information must have signed a nondisclosure agreement.

  A phrase such as NON-DISCLOSURE AGREEMENT REQUIRED would be a good reminder that this requirement exists.

• The handling instructions on banner and trailer pages should have clear wording on how to handle the information based on the classification and on any group name that may appear in the label.

  Along with information on the sensitivity of the printer output, handling instructions should remind the reader that a nondisclosure agreement is required for any output whose label requires it.

Figure 5-7 Example Planning Board for Label Relationships

Defining the Set of Labels

In this section the set of labels is defined in lists that include all of the following required aspects of labels:

• Classifications

• Other words

• Relations between and among the words

• Classification restrictions associated with use of each word

• Intended use of the words in mandatory access control (in sensitivity labels and clearances)

• Intended use of the words in labeling system output.

Planning the Classifications

Because the four labels are hierarchical, they will be encoded as hierarchical classifications.

With the legal department's approval, the Security Administrator shortened the labels by omitting Solar Systems Proprietary/Confidential: from the label names. Classifications do not allow the use of a slash in the label, and long classifications make it difficult for employees to read the labels in the window system. The name of a label is truncated from right to left in the window frames. Because the truncated names of all the label names above PUBLIC would begin with the words SOLAR SYSTEMS PROPRIETARY CONFIDENTIAL, the truncated names would be indistinguishable without manually extending the frame for each window.

The Security Administrator defined the following labels:

• REGISTERED

• NEED_TO_KNOW

• INTERNAL_USE_ONLY

• PUBLIC

Planning the Compartments

The group names will be encoded as non-hierarchical compartments. Compartments will be restricted to appear only in labels that have the NEED_TO_KNOW classification. Compartments are restricted to appear with certain classifications by settings in the ACCREDITATION RANGE section under COMBINATION CONSTRAINTS.

User clearances will control which users can create files and directories with labels that include a group name, and user clearances will also control whether some users will be able to create documents whose labels have more than one group along with the NEED_TO_KNOW classification.

Planning the Use of Words in MAC

The classifications and compartments in sensitivity labels and user clearances are used in mandatory access control. Therefore, the legal department's hierarchical labels and the group names need to be encoded as classifications and compartments so that they can be used in the labels that control which individual employees can access files and do other work.

In the following example, Solar Systems, Inc. defines a sensitivity label with the PUBLIC classification, which is assigned the lowest value in the User Accreditation Range, and another sensitivity label with the INTERNAL_USE_ONLY classification with the next highest value above PUBLIC.

An employee with no authorizations whose clearance is PUBLIC and whose minimum label is PUBLIC is able to use the system as follows:

• Works only in a PUBLIC workspace,

• Creates files only at PUBLIC,

• Reads email only at PUBLIC, and

• Uses printers only if they have PUBLIC in their label range

  In contrast, an employee with no authorizations whose clearance is INTERNAL_USE_ONLY is able to use the system as follows:

• Works in either a PUBLIC or an INTERNAL_USE_ONLY workspace

• Creates files at either PUBLIC or at INTERNAL_USE_ONLY (depending on what workspace the employee is currently in)

• Receives and sends email at either sensitivity label.

• Can print a file labeled PUBLIC on any printer with PUBLIC in its label range, and can send a file labeled INTERNAL_USE_ONLY to any printer with INTERNAL_USE_ONLY in its label range.

Planning the Use of Words in Labeling System Output

When the sensitivity label of a printer job contains a group name compartment, the mandatory printer banner and trailer pages will state:

Distribute Only To Group Name (Non-Disclosure Agreement Required)

Planning How to Label Printer Output Pages as Desired

The print without labels authorization allows a user or role to use the lp -o nolabels option to suppress the printing of top and bottom labels on body pages of a print job. The Security Administrator role can give the Print Without Labels authorization to everyone or to no one.

The Print PostScript File authorization allows a user to submit a PostScript file to the printer, which is normally not allowed because of the risk that a knowledgeable user can change the labels in the PostScript file.

To permit technical writers to produce master copies of documents without labels printed on them, the Security Administrator role gives the Print Without Labels and Print PostScript File authorizations to all the writers.

Planning for Supporting Procedures

Rules for Protecting a File or Directory Labeled with the REGISTERED Sensitivity Label

The Security Administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company unless certain additional precautions are taken. Therefore, those who have REGISTERED in their clearance must be instructed to use UNIX permissions, so that only the creator can look at or modify the file. See the following example.

Example 5-1 Using DAC to Protect Registered Information

trusted% getplabel 
R
trusted% mkdir registered.dir
trusted% chmod 700 registered.dir
trusted% cd registered.dir
trusted% touch registered.file
trusted% ls -l
-rwxrwxrwx registered.file
trusted% chmod 600 registered.file
trusted% ls -l
-rw------- registered.file

As shown in the example, the user who creates a file or directory while working at an sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only and to set the directory's permissions to be readable, writable, and searchable only by the owner. This ensures that another user who can work at REGISTERED cannot read the file.

Rules for Configuring Printers

Table 5-1 shows how printers in various locations accessible to various types of people need to be configured.

See "Managing Printing" in Trusted Solaris Administrator's Procedures manual.

Rules for Handling Printer Output

Those who have access to restricted printers will be instructed to:

• Protect information according to the instructions on the printer banner and trailer pages.

• Shred jobs that do not have both a banner and a trailer page and that do not have matching job numbers on the banner and trailer pages.

Planning Classification Values in a Worksheet

The worksheet in Table 5-2 shows names and hierarchical values defined for the four classifications. Because the value 0 is reserved for the administrative ADMIN_LOW label, the value of the PUBLIC classification is set to 1, and the values of the others are set higher in ascending sensitivity.

The names of groups in our labels are specified later, as WORDS in the SENSITIVITY LABELS, and CLEARANCES sections.

Planning Compartment Values and Classification/Compartment Constraints in a Worksheet

Table 5-3 defines the relationships between words and classifications that were arrived at by moving things around on the planning board in Figure 5-7. Because of how PUBLIC and INTERNAL_USE_ONLY are defined in the third column, these two classifications can never appear in a label with any compartment, while NEED_TO_KNOW can appear in a label with any or all of the compartments.

The Security Administrator uses Table 5-4 to keep track of which bits have been used for compartments and which for markings.

Planning Clearances in a Worksheet

The components of these labels are also assigned to users in clearances. The worksheet's Clearance Planner (shown in Table 5-5) defines the label components to be used in clearances.

Key to Table 5-5:

Planning the PRINTER BANNERS Wording in a Worksheet

The Solar Systems' legal department wants the following to appear on printer banner and trailer pages.

Solar Systems Proprietary/Confidential:

The PRINTER BANNERS can be used to associate a string with any compartment that appears in the sensitivity label of the print job. In this encodings, only the NEED_TO_KNOWclassification has compartments. Table 5-6 shows how the desired wording is specified as a prefix and assigned to each compartment. The abbreviation NTK is assigned to each channel so that the wording in the PRINTER BANNERS section will read:

Solar Systems Proprietary/Confidential: GROUP_NAME

Planning CHANNELS in a Worksheet

The Solar Systems' legal department wants the following handling instructions to appear on printer banner and trailer pages.

DISTRIBUTE ONLY TO GROUP_NAME EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)

This goal is met by assigning in the CHANNELS section the same compartment bits that were assigned to group names earlier in this example. The Solar Systems company plans to use the same group names both in the compartments and in the channels.

The words that come before the channel name are specified as prefixes and the words that come after the channel name are specified as suffixes. The Security Administrator specifies prefixes and suffixes in the following worksheets.

Planning the Minimums in an ACCREDITATION RANGE Worksheet

The following minimums must be set:

• minimum sensitivity label

• minimum clearance,

• minimum protect as classification

Because the Solar Systems company wants employees to be able to use all the defined sensitivity labels and wants to be able to assign the PUBLIC clearance to some employees, the minimum sensitivity label and minimum clearance need to be set to PUBLIC.

The minimum protect as classification is printed on printer banner and trailer pages instead of the actual classification from the job's sensitivity label. The minimum protect as classification can be set higher than the actual minimum classification. However, the Solar Systems company requirements allow the minimum protect as classification to always be equal to the real classification of the print job's sensitivity label. The Security Administrator defines all of values for the minimum sensitivity label, minimum clearance and minimum protect as classification as PUBLIC as shown in the following table.

Planning the Colors in the COLOR NAMES Worksheet

The color assigned to a label displays in the background whenever the name of the label appears at the top of a window. The lettering is displayed in a color that complements the background. (The complementary color is computed by the window system.) In our example, the Security Administrator chooses to keep the colors already assigned to the administrative labels in the default label_encodings(4) file and assigns green to PUBLIC, yellow to INTERNAL_USE_ONLY, blue to labels that contain NEED_TO_KNOW (with different shades of blue assigned to each compartment), and red to REGISTERED, as shown in the following table.

Specifying the Labels During Post-Install Configuration

The install team makes a printed copy and an on-line copy of the installed label_encodings(4) file in case of problems with the new version of the file supplied by the Security Administrator role.

The Security Administrator role uses any text editor to create the label_encodings(4) file, and then uses the Check Encodings action to check the file. If the file passes Check Encodings, the action offers the option of installing the new version. When the Security Administrator role answers Yes, Check Encodings overwrites the current version of the label_encodings file. The Check Encodings action creates a backup version of the existing file (naming it label_encodings.orig), before overwriting it.

The encodings for Solar Systems, Inc. are shown in User Type font in the screen examples.

Encoding the VERSION

The following example shows the VERSION string modified with the name of company, a title, version number, and date.

Example 5-2 Modified VERSION Entry

VERSION= Solar Systems, Inc. Example Version - 2.2 00/04/18

Encoding the CLASSIFICATIONS

The following example shows the Solar Systems' classifications and values from Table 5-2, Table 5-3 and Table 5-4 added to the CLASSIFICATIONS section.

Example 5-3 Modified CLASSIFICATIONS Section

CLASSIFICATIONS:

name= PUBLIC; sname= PUBLIC; value= 1;
name= INTERNAL_USE_ONLY; sname= INTERNAL; aname= INTERNAL; value= 4;
name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5;
name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6;

A classification cannot contain the slash (/) , or comma (,) characters. The classifications are specified from the lowest value to the highest.

Encoding the SENSITIVITY LABELS

The compartments in the Table 5-3 are encoded in the SENSITIVITY LABELS: WORDS: example shown below.

This example does not have any required combinations or combination constraints.

Example 5-4 Modified WORDS in the SENSITIVITY LABELS Section

SENSITIVITY LABELS:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20;
minclass= NEED_TO_KNOW;
name= EXECUTIVE_MGMNT_GROUP; sname= EMG; compartments= 11;
minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12;
minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13;
minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14;
minclass= NEED_TO_KNOW;
name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18;
minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19;
minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Encoding the INFORMATION LABELS

Even though information labels are not used, values must be supplied under the INFORMATION LABELS: WORDS: section for the file to pass the encodings check. The Security Administrator role copies the words from the SENSITIVITY LABELS: WORDS: section, as shown in the following example.

Example 5-5 WORDS in the INFORMATION LABELS Section

INFORMATION LABELS:

WORDS:

name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19;
minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18;
minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass=NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass=NEED_TO_KNOW;
name= MARKETING; sname= MRKTG; compartments= 15 20; minclass=NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13; minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MGMNT_GROUP; sname= EMG; compartments= 11;
minclass= NEED_TO_KNOW;
name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;
name= DO_NOT_FORWARD; sname= NO_FORWD; minclass= INTERNAL; markings= 0;
access related;
name= RELEASE_AFTER_BETA; sname= AFTER_BETA; minclass= NEED_TO_KNOW;
markings= ~0 1 ~2; access related;
name= RELEASE_AFTER_FCS; sname= AFTER_FCS; minclass= NEED_TO_KNOW;
markings= ~0 ~1 2; access related;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS

Encoding the CLEARANCES

Because the clearance words are the same as the sensitivity labels words, the words in the following example are the same as those in Example 5-4.

Example 5-6 Modified WORDS in the CLEARANCES Section

CLEARANCES:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMG; compartments= 11;
minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18; minclass= NEED_TO_
KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19;
minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20;
minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Encoding the CHANNELS

This example is encoded with one channel for each group name compartment, using the same compartment bits assigned to the compartment words in the SENSITIVITY LABELS: WORDS: section. The prefix is defined as DISTRIBUTE ONLY TO. The suffix is defined as (NON-DISCLOSURE AGREEMENT REQUIRED).

DISTRIBUTE ONLY TO GROUP_NAME (NON-DISCLOSURE AGREEMENT REQUIRED)

The channel specifications shown in the following example will create the desired wording in the handling caveats section.

The prefixes and suffixes are defined at the top of the section as shown in the following example, and they have no compartments assigned to them. They are used in defining the channels; each channel has a prefix and suffix assigned to it.

Example 5-7 Modified WORDS in the CHANNELS Section

CHANNELS:

WORDS:

name= DISTRIBUTE_ONLY_TO;       prefix;
name= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
suffix;

name= EXECUTIVE_MANAGEMENT_GROUP;
prefix= DISTRIBUTE_ONLY_TO; compartments= 11;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SALES; prefix= DISTRIBUTE_ONLY_TO; compartments= 12;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= FINANCE; prefix= DISTRIBUTE_ONLY_TO; compartments= 13;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= LEGAL; prefix= DISTRIBUTE_ONLY_TO; compartments= 14;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MARKETING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 15 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= HUMAN_RESOURCES; prefix= DISTRIBUTE_ONLY_TO;
compartments= 16;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= ENGINEERING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 17 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MANUFACTURING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 18;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SYSTEM_ADMINISTRATION; prefix= DISTRIBUTE_ONLY_TO;
compartments= 19;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= PROJECT_TEAM; prefix= DISTRIBUTE_ONLY_TO; compartments= 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);

Encoding the PRINTER BANNERS

The term printer banners has a specialized meaning in the label_encodings(4) file, and it does not refer to the banner page that is printed before a job. Printer banners appear as a string on the printer banner page when the compartment associated with it appears in a job's label.

The printer banner specifications shown in the following example will create the desired wording in the PRINTER BANNERS section.

Any prefixes are defined at the top of the section as shown in the following example, and they have no compartments assigned to them. They are used in defining the PRINTER BANNERS; each printer banner has a prefix assigned to it.

Example 5-8 Modified WORDS in the PRINTER BANNERS Section

PRINTER BANNERS:

WORDS:

name= COMPANY PROPRIETARY/CONFIDENTIAL:;       prefix;

name= ALL_DEPARTMENTS; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 11-20;
name= EXECUTIVE_MANAGEMENT_GROUP; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 11;
name= SALES; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 12;
name= FINANCE; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 13;
name= LEGAL; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 14;
name= MARKETING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 15 20;
name= HUMAN_RESOURCES; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 16;
name= ENGINEERING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 17 20;
name= MANUFACTURING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 18;
name= SYSTEM_ADMINISTRATION; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 19;
name= PROJECT_TEAM; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 20;

Encoding the ACCREDITATION RANGE

The combination constraints from the Table 5-3 and the minimum clearance, minimum sensitivity label and minimum protect as classification from Table 5-8 are encoded in the ACCREDITATION RANGE: example shown in the following example. PUBLIC and INTERNAL_USE_ONLY are defined so that these two classifications can never appear in a label with any compartment while NEED_TO_KNOW is defined so it can appear in a label with any combination of compartments, and REGISTERED with no compartments.

Example 5-9 Modified ACCREDITATION RANGE Section

ACCREDITATION RANGE:

classification= PUBLIC; only valid compartment combinations:

PUBLIC

classification= INTERNAL_USE_ONLY; only valid compartment combinations:

INTERNAL

classification= NEED_TO_KNOW; all compartment combinations valid;

classification= REGISTERED; only valid compartment combinations:

REGISTERED


minimum clearance= PUBLIC;
minimum sensitivity label= PUBLIC;
minimum protect as classification= PUBLIC;

Encoding the Wording for Label Builders, Colors, and Other LOCAL DEFINITIONS Values

The following example shows that none of the default values are changed at Solar Systems, Inc. for the default and forced flags, and Default Label View in the LOCAL DEFINITIONS section.

Example 5-10 Accepting Defaults in the LOCAL DEFINITIONS Section

LOCAL DEFINITIONS:


default flags= 0x0;                     
forced flags= 0x0;

Default Label View is External;

Encoding the Heading Names for Label Builders

The default settings for heading names used in label builders are shown in the following example.

Example 5-11 Default Heading Names for Label Builders

Classification Name= Class;
Compartments Name= Comps;

Label builders are displayed whenever you need to set a label. For example, the following figure shows a label builder with the heading names specified at the Solar Systems company: Classification instead of Class, and Departments instead of Comps.

Figure 5-8 Label Builder With Changed Headings

The following example shows the modifications the Solar System Security Administrator role made to change the default values set for the Classification Name, Compartments Name, and Markings Name.

Example 5-12 Modified Wording for Label Builders

Classification Name= Classification;
Compartments Name= Departments;

Encoding the COLOR NAMES

The color names used in Example 5-13 were taken from the worksheet in Table 5-9.

Example 5-13 COLOR NAMES Section

COLOR NAMES:

       	label= Admin_Low;       color= #bdbdbd;

        label= PUBLIC;        color= green;
        label= INTERNAL_USE_ONLY;  color= yellow;
        label= NEED_TO_KNOW;  color= blue;
        label= NEED_TO_KNOW EMG;  color= #7FA9EB;
        label= NEED_TO_KNOW SALES;  color= #87CEFF;
        label= NEED_TO_KNOW FINANCE;  color= #00BFFF;
        label= NEED_TO_KNOW LEGAL;  color= #7885D0;
        label= NEED_TO_KNOW MRKTG;  color= #7A67CD;
        label= NEED_TO_KNOW HR;  color= #7F7FFF;
        label= NEED_TO_KNOW ENG;  color= #007FFF;
        label= NEED_TO_KNOW MANUFACTURING;  color= #0000BF;
        label= NEED_TO_KNOW PROJECT_TEAM;  color= #9E7FFF;
        label= NEED_TO_KNOW SYSADM; color= #5B85D0;
        label= NEED_TO_KNOW ALL; color= #4D658D;
        label= REGISTERED;  color= red;

        label= Admin_High;      color= #636363;

*
* End of local site definitions

Configuring Users to Enforce Labeling Decisions

While setting up user accounts during the post-installation configuration, the Security Administrator role needs to specify the following for all users in the User Manager: Labels dialog (see the figure that follows the list).

• The appropriate clearance (in the Clearance dialog)

  See "Planning Clearances in a Worksheet ".

• The appropriate minimum label (in the Minimum SL Dialog Box)

• Show sensitivity labels

Configuring Printing To Enforce Labeling Decisions

The Security Administrator role needs to configure the following when setting up printers:

Configure the label range on printers based on their accessibility as described in "Rules for Configuring Printers".

The Security Administrator role needs to do the following to allow the company's technical writers to print PostScript files and to print without labels on their output:

1. Give the writers the print a PostScript file and the print without labels authorizations.

2. For printing files from a desktop publishing system such as FrameMaker, inform each user to save (print) the file as a PostScript file and to use lp with the -o nolabels option when printing the PostScript file.

3. Set aside a specific printer that the writers can use to print jobs without labels.

   1. For a printer server running the unlabeled Solaris operating system, do the following.

      1. Specify a label for the print server that matches the label at which users are working when they send jobs to the printer.

         For example, if documents are created at INTERNAL, the print server should be configured with the INTERNAL label, while if documents are created at PUBLIC, the print server should have the PUBLIC label. See "Managing Printing" in the Trusted Solaris Administrator's Procedures for how to specify a default label for an unlabeled print server.

         ---

         Note -

         When a printer is connected to an unlabeled print server, no labels or labeled banner/trailer pages are printed.

         ---

      2. If desired, set up a separate .login file in the single-level directory (SLD) at the appropriate label for each of the writers so that the PRINTER variable is set to be the special-use printer.

   2. If the print server for the writers' printer is running Trusted Solaris, do one of the following:

      1. Make sure the printer is configured so that the Always Print Banners check box is not selected on the Print Manager dialog box.

      2. To turn off page labels for all print jobs sent by anyone, on the Trusted Solaris print server make the change shown in the following example in the /usr/lib/lp/postscript/tsol.separator.ps file.

         %% To eliminate page labels completely, change this line to %% set the page label to an empty string: /PageLabel () def /PageLabel () def