One type of discretionary access control based on a list of entries that the owner can specify for a file or directory. An access control list (ACL) can restrict or permit access to any number of individuals and groups, allowing finer-grained control than provided by the standard UNIX permission bits.
A set of sensitivity labels that are approved for a class of users or resources. See also system accreditation range and user accreditation range.
See access control list.
A set of valid labels. See accreditation range and user accreditation range for more about the two types of accreditation ranges in the Trusted Solaris environment.
A role that in the Trusted Solaris environment gives required authorizations, privileged commands, and the Trusted Path security attribute to allow the role to perform part of Solaris superuser's capabilities, such as backup or auditing.
A device to which access is controlled in the Trusted Solaris environment by making the device allocatable to a single user at a time. Allocatable devices include tape drives, floppy drives, audio devices, and CDROM devices. See device allocation.
The allowed set of privileges limits which privileges a process can use. A process that runs a program that has a forced privilege set is limited to those forced privileges that are also in the program's allowed privilege set.
A right granted to a user or role to perform an action that would otherwise not be allowed by the Trusted Solaris security policy. Authorizations are granted in rights profiles. Certain commands require the user to have certain authorizations to succeed. Similar to the use of privilege on programs.
In CDE the search path used by the system to find applications and certain configuration information. The application search path is controlled by a trusted role.
A system type that caches all of its needed system software from an OS server. Because it contains no permanent data, an AutoClient is a field replaceable unit (FRU). It requires a small local disk for swapping and for caching its individual root (/) and /usr file systems from an OS server. The Trusted Solaris operating environment does not support AutoClients.
A user-defined Bourne shell script, specified within the rules file, that performs tasks before the Trusted Solaris software is installed on the system. Begin scripts can be used only with custom JumpStart installations.
A file that is consulted when a system boots. In the Trusted Solaris operating environment, the bootparams file contains a keyword=value entry that points the boot server to the Trusted Solaris label configuration for the system. A system can have a local bootparams file (/etc/bootparams), or it can use the bootparams NIS+ table. See bootparams(4).
A server that provides boot services to hosts on the same subnet. A boot server is required if you plan to push Trusted Solaris information from a central location to every host in the network. If the install server is on a different subnet than the hosts that need to install the Trusted Solaris software, you must create a boot server for that subnet.
The upper bound of the set of labels at which a user may work, whose lower bound is the minimum label assigned by the security administrator. There are two types of clearance, the session clearance and the user clearance.
A system connected to a network.
A network of Trusted Solaris systems that is cut off from any non-Trusted Solaris host. The cutoff can be physical, where there is no wire that extends past the Trusted Solaris network. The cutoff can be in the software, where the Trusted Solaris hosts recognize only Trusted Solaris hosts. Data entry from outside the network is restricted to peripherals attached to Trusted Solaris systems. Contrast with open network.
A logical grouping of software packages. The Trusted Solaris software is divided into four main software groups, which are each composed of clusters and packages.
Consists of the string ADMIN_LOW followed by a sensitivity label in brackets, in the form: ADMIN_LOW [SENSITIVITY LABEL].
The required windowing environment for administering the Trusted Solaris software.
An optional setup file in a multilabel environment. The file contains the names of startup files, such as .cshrc or .netscape, that the user environment or user applications require in order for the environment or application to behave well. The files referenced in .copy_files are then copied to the user's home directory at other labels, when those directories are created. See also .link_files.
A software group that contains the minimum software required to boot and run the Solaris operating environment on a system. It includes some networking software and the drivers required to run the OpenWindows environment; it does not include the windowing software. The Trusted Solaris installation program does not offer a core software group, since the Common Desktop Environment is the required administration environment.
A file that contains a picture of the state of a system when it crashed. Also called a core dump.
A type of installation in which the Trusted Solaris software is automatically installed on a system based on a customized profile. You can customize profiles for different types of users.
A profile that is dynamically created by a begin script during a custom JumpStart installation.
Devices include printers, computers, tape drives, floppy drives, audio devices, and internal pseudo terminal devices. Devices are subject to the read equal write equal MAC policy.
A mechanism for protecting the information on an allocatable device from access by anybody except the user who allocates the device. Until a device is deallocated, no one but the user who allocated a device can access any information associated with the device. For a user to allocate a device, that user must have been granted the device allocation authorization by the security administrator.
A software group that contains the End User System Support software group plus the libraries, include files, man pages, and programming tools for developing software.
The type of access granted or denied by the owner of a file or directory at the discretion of the owner. The Trusted Solaris environment provides two kinds of discretionary access controls (DAC): permission bits and access control list.
A file that represents a structure of a disk (for example, bytes/sector, flags, slices). Disk configuration files enable you to use pfinstall from a single system to test profiles on different sized disks.
A part of the Internet naming hierarchy. It represents a group of systems on a local network that share administrative files.
IP address whose last number is 0.
The identification of a group of systems on a local network. A domain name consists of a sequence of component names separated by periods (for example: tundra.mpk.ca.us). As you read a domain name from left to right, the component names identify more general (and usually remote) areas of administrative authority.
A software group that contains the core software group plus the recommended software for an end user, including OpenWindows and DeskSet software.
A software group that contains the entire Trusted Solaris release.
A software group contains the entire Trusted Solaris release, plus additional hardware support for OEMs. This software group is recommended when installing Trusted Solaris software on servers.
Extended Industry Standard Architecture. A type of bus on x86 systems. EISA bus standards are "smarter" than ISA bus standards: attached devices can be detected automatically once they have been configured with the "EISA configurator" program supplied with the system. See ISA.
A directory that contains critical system configuration files and maintenance commands.
One or more Trusted Solaris systems which are running in a configuration that has been certified as meeting specific criteria by a certification authority. In the United States, the evaluating and certifying body is the NSA, and the criteria were formerly the TCSEC. The Trusted Solaris 8 4/01 operating environment will be certified to the Common Criteria v2.1 [published in August 1999], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles; the configuration target provides functionality similar to the TCSEC C2 and B1 levels, with some additional functionality. The Common Criteria v2 (CCv2) and its protection profiles make the earlier TCSEC U.S. standard obsolete through level B1+. A mutual recognition agreement for CCv2 has been signed by the United States, the United Kingdom, Canada, the Netherlands, Germany, and France.
Renamed to rights profiles in the Solaris 8 release.
A file system on an OS server that is shared with other systems on a network. For example, the /export file system can contain the home directories for users on the network.
A logical partition of a disk drive dedicated to a particular operating system on x86 systems. During the Solaris installation program, you must set up at least one Solaris fdisk partition on an x86 system. x86 systems are designed to support up to four different operating systems on each drive; each operating system must reside on a unique fdisk partition.
A server that provides the software and file storage for systems on a network.
These sets are the allowed and forced privileges specified for use by executable files (programs). The allowed set limits which privileges a process can use, whether the privileges are forced on the executable file or inherited (see inheritable privileges). Any privileges in the forced privilege set are available to any process that invokes the program, as long as they are also in the allowed set.
A collection of files and directories that, when set into a logical hierarchy, make up an organized, structured set of information. File systems can be mounted from your local system or a remote system.
A user-defined Bourne shell script, specified within the rules file, that performs tasks after the Trusted Solaris software is installed on the system, but before the system reboots. Finish scripts can be used only with JumpStart installations.
The forced set of privileges are those placed on a file by the security administrator. Any privileges in the forced privilege set are available to any process that invokes the program, as long as they are also in the allowed privilege set.
Government Furnished Information. In this manual, it refers to a U.S. government-provided label_encodings file. In order to use a GFI with Trusted Solaris software, you must add the Sun-specific LOCAL DEFINITIONS section to the end of the GFI. Trusted Solaris Label Administration explains the procedure in detail.
The name by which a system is known to other systems on a network. This name must be unique among all the systems within a given domain (usually, this means within any single organization). A host name can be any combination of letters, numbers, and minus sign (-), but it cannot begin or end with a minus sign.
Intel Architecture.
The privileges that a process can pass to a program across an execve() without their being affected by the new program's forced or allowed privilege sets. When a process executes a new program, the inheritable set of the resulting process is set equal to the inheritable set of the calling process. The inheritable set is not affected by the forced or allowed privileges on the currently executing program, which allows privileges to be passed from programs that cannot use them to programs that can.
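The following is an added example, not code from the Trusted Solaris documentation: a small model of how the forced, allowed and inheritable privilege sets combine at execve() time, following the rules stated in the entries above (forced privileges are granted to any process that runs the program, the allowed set caps what the process may use whether forced or inherited, and the inheritable set crosses execve() untouched). The privilege names and program paths are illustrative placeholders chosen to resemble Trusted Solaris names; they are not quoted from the product's privilege list.

```python
# Added example: model of exec-time privilege computation from the glossary's rules.
# Privilege names and paths below are constructed placeholders, not the real list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    path: str
    forced: frozenset      # privileges the security administrator placed on the file
    allowed: frozenset     # upper bound on what any process running this file may use


@dataclass(frozen=True)
class Process:
    program: str
    effective: frozenset   # privileges the process can use right now
    inheritable: frozenset # privileges carried across execve, untouched by the new program


def execve(proc: Process, prog: Program) -> Process:
    """Compute the privilege sets of the process after it execs prog."""
    # The inheritable set of the new process equals that of the caller; the new
    # program's forced and allowed sets do not change it.
    inheritable = proc.inheritable
    # Forced privileges are granted to any invoker and inherited ones remain,
    # but only those also present in the allowed set are usable.
    effective = (prog.forced | inheritable) & prog.allowed
    return Process(prog.path, effective, inheritable)


# Constructed programs: a backup tool that needs only file_dac_read, a helper that
# can use nothing but proc_setclr, and a badly configured file whose forced set
# exceeds its allowed set.
BACKUP = Program("/usr/sbin/backup_tool", forced=frozenset(),
                 allowed=frozenset({"file_dac_read"}))
HELPER = Program("/usr/lib/helper", forced=frozenset({"proc_setclr"}),
                 allowed=frozenset({"proc_setclr"}))
MISCONFIGURED = Program("/opt/tool", forced=frozenset({"file_dac_read", "file_dac_write"}),
                        allowed=frozenset({"file_dac_read"}))


def trace_exec_chain():
    """Exec HELPER, then BACKUP, from a shell whose inheritable set holds file_dac_read.

    Returns the effective set after each exec: file_dac_read is not usable inside
    HELPER (not in its allowed set) yet still reaches BACKUP, which can use it.
    """
    shell = Process("/bin/sh", effective=frozenset(),
                    inheritable=frozenset({"file_dac_read"}))
    in_helper = execve(shell, HELPER)
    in_backup = execve(in_helper, BACKUP)
    return in_helper.effective, in_backup.effective


def forced_capped_by_allowed():
    """A forced privilege outside the allowed set is never usable."""
    proc = Process("/bin/sh", effective=frozenset(), inheritable=frozenset())
    return execve(proc, MISCONFIGURED).effective


if __name__ == "__main__":
    print(trace_exec_chain())           # (frozenset({'proc_setclr'}), frozenset({'file_dac_read'}))
    print(forced_capped_by_allowed())   # frozenset({'file_dac_read'})
```

The chain in trace_exec_chain() is the point of the inheritable set: a privilege can ride through an intermediate program that is not allowed to use it and become usable only in the program whose allowed set admits it.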
The minimum label assigned to a user or role, and the label of the user's initial workspace. It is the lowest label at which the user or role can work.
An option presented during the Trusted Solaris installation program that overwrites the disk(s) with the new version of Trusted Solaris software. The initial installation option is the only installation option supported in the Trusted Solaris release.
A server that provides the Trusted Solaris installation image for other systems on a network to boot and install from (also known as a media server). The Trusted Solaris installation image can reside on the install server's CDROM drive or hard disk.
A team of at least two people who together oversee the installation of a Trusted Solaris system. One team member is responsible for security decisions, and the other for system administration decisions.
A type of installation where you have full hands-on interaction with the Trusted Solaris installation program to install the Trusted Solaris software on a system.
Internet protocol address. A unique number that identifies a networked system so it can communicate via Internet protocols. It consists of four numbers separated by periods. Most often, each part of the IP address is a number between 0 and 255; however, the first number must be less than 224 and the last number cannot be 0.
IP addresses are logically divided into two parts: the network (similar to a telephone area code), and the system on the network (similar to a phone number).
Industry Standard Architecture. A type of bus found in x86 systems. ISA bus systems are "dumb" and provide no mechanism the system can use to detect and configure devices automatically. See EISA.
When using a diskette for custom JumpStart installations, the JumpStart directory is the root directory on the diskette that contains all the essential custom JumpStart files. When using a server for custom JumpStart installations, the JumpStart directory is a directory on the server that contains all the essential custom JumpStart files.
A type of installation in which the Solaris software is automatically installed on a system by using factory-installed JumpStart software. The Trusted Solaris release does not offer this option; all JumpStart installations in the Trusted Solaris installation program are custom JumpStart installations.
See platform group.
A security identifier assigned to a file or directory based on the level at which the information being stored in that file or directory should be protected. Depending on how the security administrator has configured the user, a user may see the complete CMW label, only the sensitivity label portion, only the ADMIN_LOW portion, or no labels at all. See label_encodings file.
A Trusted Solaris installation choice of: single- or multilabel sensitivity labels; if multilabel, hide or show upgraded file names. Unless circumstances are unusual, label configuration should be identical on all systems in the Trusted Solaris domain.
A labeled host sends labeled network packets, such as RIPSO, CIPSO, and TSIX(RE1.1) packets. All Trusted Solaris hosts are labeled hosts.
The file where the complete CMW label is defined, as are label view, admin_low and admin_high strings, default label visibility, and all other aspects of labels.
A set of sensitivity labels assigned to commands, file systems, and allocatable devices, specified by designating a maximum label and a minimum label. For commands, the minimum and maximum labels limit the sensitivity labels at which the command may be executed. For file systems, the minimum and maximum labels limit the sensitivity labels at which information may be stored on each file system; Trusted Solaris environments have multilabel file systems configured with a label range from the lowest sensitivity label to the highest sensitivity label. Remote hosts that do not recognize labels are assigned a single sensitivity label, as are any other hosts that the security administrator wishes to restrict to a single label. For allocatable devices, the minimum and maximum labels limit the sensitivity labels at which the device may be allocated and restrict the sensitivity labels at which information can be stored or processed using the device.
Label view flags control the translation and display of the internal ADMIN_LOW and ADMIN_HIGH labels. A value of External specifies that the actual label ADMIN_LOW displays as the lowest label name in the user accreditation range specified in the label_encodings file, and that the actual label ADMIN_HIGH displays as the highest label name in the user accreditation range. A value of Internal specifies that the ADMIN_LOW and ADMIN_HIGH labels are translated to the Admin Low Name and Admin High Name strings specified in the label_encodings file.
An optional setup file in a multilabel environment. The file contains the names of startup files, such as .cshrc or .netscape, that the user environment or user applications require in order for the environment or application to behave well. The files referenced in .link_files are then linked to the user's home directory at other labels, when those directories are created. See also .copy_files.
A specific language associated with a region or territory.
Access control based on comparing the sensitivity label of a file, directory, or device to the sensitivity label of the process that is trying to access it. The MAC rule -- write up, read down (WURD) -- applies when a process at one sensitivity label attempts to read or write a file at another sensitivity label. The MAC rule -- write equal, read down -- applies when a process at one sensitivity label attempts to write to a directory at another sensitivity label. The MAC rule -- read equal, write equal -- applies when a process at one sensitivity label attempts to read from or write to a device at another sensitivity label.
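The following is an added example, not code from the Trusted Solaris documentation: a model of label dominance, of the three MAC rules stated in the entry above, and of the label-range check that the label range entry describes for commands, file systems and allocatable devices. Representing a sensitivity label as a classification level plus a set of compartments is an assumption about what a site's label_encodings file defines; the label names and values used here are constructed for illustration, and only ADMIN_LOW and ADMIN_HIGH are taken from the page.

```python
# Added example: label dominance, the glossary's MAC rules, and a label-range check.
# Level/compartment structure is an assumption; sample labels are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    name: str
    level: int                            # classification rank, higher is more sensitive
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as sensitive as other (self >= other)."""
        # ADMIN_HIGH dominates everything; ADMIN_LOW is dominated by everything.
        if self.name == "ADMIN_HIGH" or other.name == "ADMIN_LOW":
            return True
        if self.name == "ADMIN_LOW" or other.name == "ADMIN_HIGH":
            return False
        return self.level >= other.level and self.compartments >= other.compartments


# The two administrative labels present in every Trusted Solaris environment; their
# numeric fields are irrelevant because dominates() special-cases them by name.
ADMIN_LOW = Label("ADMIN_LOW", 0)
ADMIN_HIGH = Label("ADMIN_HIGH", 0)


def mac_allows(process: Label, obj: Label, kind: str, op: str) -> bool:
    """Apply the MAC rule for kind in {file, directory, device}, op in {read, write}."""
    if kind not in ("file", "directory", "device") or op not in ("read", "write"):
        raise ValueError(f"unknown object kind or operation: {kind}/{op}")
    if kind == "file":
        # write up, read down (WURD): reading needs process >= object, writing object >= process
        return process.dominates(obj) if op == "read" else obj.dominates(process)
    if kind == "directory":
        # write equal, read down
        return process.dominates(obj) if op == "read" else process == obj
    # device: read equal, write equal
    return process == obj


def within_label_range(label: Label, minimum: Label, maximum: Label) -> bool:
    """Label-range check: minimum <= label <= maximum under dominance."""
    return label.dominates(minimum) and maximum.dominates(label)


# Constructed labels: CONFIDENTIAL < SECRET < SECRET A (SECRET plus compartment A).
CONFIDENTIAL = Label("CONFIDENTIAL", 1)
SECRET = Label("SECRET", 2)
SECRET_A = Label("SECRET A", 2, frozenset({"A"}))


if __name__ == "__main__":
    # A SECRET process may read a CONFIDENTIAL file (read down) but not write it (no write down).
    print(mac_allows(SECRET, CONFIDENTIAL, "file", "read"))          # True
    print(mac_allows(SECRET, CONFIDENTIAL, "file", "write"))         # False
    # Writing up into a SECRET object is allowed for files only, not directories or devices.
    print(mac_allows(CONFIDENTIAL, SECRET, "file", "write"))         # True
    print(mac_allows(CONFIDENTIAL, SECRET, "directory", "write"))    # False
    # Allocating a device whose range is CONFIDENTIAL..SECRET from a SECRET A workspace fails.
    print(within_label_range(SECRET_A, CONFIDENTIAL, SECRET))        # False
```

The compartment check is what makes SECRET A and SECRET incomparable in one direction: SECRET A dominates SECRET, but a plain SECRET process can neither read nor write SECRET A data, which is why a device range bounded above by SECRET excludes it.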
Micro Channel Architecture. A type of bus on IA systems. The MCA bus provides fast data transfer within the computer, and attached devices can be automatically detected when they have been configured using the reference disk provided by the manufacturer. The MCA bus is not compatible with devices for other buses.
See install server.
The lower bound of a user's sensitivity labels and the lower bound of all users' sensitivity labels. The minimum label set by the security administrator when specifying a user's security attributes is the sensitivity label of the first workspace that comes up after the user's first login. The sensitivity label specified in the minimum label field by the security administrator in the label_encodings file sets the lower bound for all users.
See multilevel directory.
The process of making a remote or local file system accessible by executing the mount command. To mount a file system, you need a mount point on the local system and the name of the file system to be mounted (for example, /usr).
A directory on a system where you can mount a file system that exists on the local or a remote system.
A directory in which information at differing sensitivity labels is maintained in separate subdirectories called single-level directories (SLDs), while appearing to most interfaces to be a single directory under a single name. In the Trusted Solaris environment, directories that are used by multiple standard applications to store files at varying labels, such as the /tmp directory, /var/spool/mail, and users' $HOME directories, are set up to be MLDs. A user working in an MLD sees only files at the sensitivity label of the user's process.
Also called name service master. A server that provides a name service to systems on a network.
A distributed network database that contains key system information about all the systems on a network, so the systems can communicate with each other. With a name service, the system information can be maintained, managed, and accessed on a network-wide basis. Sun supports the following name services: NIS (formerly YP) and NIS+. Without a name service, each system has to maintain its own copy of the system information (in the local /etc files).
A way to install software over the network--from a system with a CDROM drive to a system without a CDROM drive. Network installations require a name server and an install server.
A group of systems (called hosts) connected through hardware and software, so they can communicate and share information; referred to as a local area network (LAN). One or more servers are usually needed when systems are networked.
Network Information Service, Plus. The name service for a Trusted Solaris network. NIS+ provides automatic information updating and adds security features such as authorization and authentication.
See NIS+ root master.
The host that contains the master tables for a NIS+ network. Also called a root master or a NIS+ master.
Computers that are not connected to a network or do not rely on other hosts.
A network of Trusted Solaris systems that is connected physically to other networks and that uses Trusted Solaris software to communicate with non-Trusted Solaris systems. Contrast with closed network.
A file system that contains the mount points for third-party and unbundled software.
A system that provides services to systems on a network.
When software that has been proved to satisfy the criteria for an evaluated configuration is configured with settings that do not satisfy those criteria, it is described as being outside the evaluated configuration.
A functional grouping of files and directories that form a software application. The Trusted Solaris software is divided into four main software groups, which are each composed of clusters and packages.
A disk partition is a slice of the disk.
A type of discretionary access control in which the owner specifies a set of bits to signify who can read, write, or execute a file or directory. Three different sets of permissions are assigned to each file or directory: one set for the owner; one set for all members of the group specified for the file or directory; and one set for all others.
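The following is an added example, not code from the Trusted Solaris documentation: an evaluator for the two DAC mechanisms the glossary names, permission bits and access control lists, using the entry syntax printed by getfacl (user::, user:NAME:, group::, group:NAME:, mask:, other:). The precedence (owner, then named user, then owning and named groups, then other) and the mask applying to every entry except the owner and other entries follow the POSIX-draft ACL model that Solaris implements; treating a missing mask entry as no restriction is an assumption. The user names, group names and ACL text are constructed for illustration.

```python
# Added example: permission-bit and ACL evaluation (POSIX-draft ACL semantics).
# Sample users, groups and ACL text are constructed; missing mask => no masking (assumption).
from dataclasses import dataclass
from typing import Optional

READ, WRITE, EXEC = 4, 2, 1


def perms_to_bits(perms: str) -> int:
    """'rw-' -> 6, 'r-x' -> 5, '---' -> 0."""
    return sum({"r": READ, "w": WRITE, "x": EXEC}[c] for c in perms if c != "-")


@dataclass
class Acl:
    owner: str
    group: str
    entries: list  # (tag, qualifier, bits); qualifier is "" for owner, owning group, mask, other

    @classmethod
    def parse(cls, owner: str, group: str, text: str) -> "Acl":
        entries = []
        for line in text.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(":")
            tag, perms = parts[0], parts[-1]
            qualifier = parts[1] if len(parts) == 3 else ""
            entries.append((tag, qualifier, perms_to_bits(perms)))
        return cls(owner, group, entries)

    @classmethod
    def from_mode(cls, owner: str, group: str, mode: int) -> "Acl":
        """The trivial ACL equivalent to the three permission-bit sets (e.g. 0o640)."""
        return cls(owner, group, [("user", "", (mode >> 6) & 7),
                                  ("group", "", (mode >> 3) & 7),
                                  ("other", "", mode & 7)])

    def lookup(self, tag: str, qualifier: str = "") -> Optional[int]:
        for t, q, bits in self.entries:
            if t == tag and q == qualifier:
                return bits
        return None


def dac_permits(acl: Acl, uid: str, groups: set, want: int) -> bool:
    """True if the process (uid plus its group set) holds every bit in `want`."""
    mask = acl.lookup("mask")
    mask = 7 if mask is None else mask            # assumption: no mask entry means no masking
    if uid == acl.owner:                          # owner entry is never masked
        allowed = acl.lookup("user")
    elif acl.lookup("user", uid) is not None:     # named user entry, masked
        allowed = acl.lookup("user", uid) & mask
    else:
        # Owning-group and named-group entries the process belongs to, masked;
        # access is granted if any one of them grants the requested bits.
        matches = [bits & mask for t, q, bits in acl.entries
                   if t == "group" and ((q == "" and acl.group in groups) or (q and q in groups))]
        if matches:
            return any(want & bits == want for bits in matches)
        allowed = acl.lookup("other")
    return want & allowed == want


# Constructed audit log owned by root:sys. The ACL names one auditor and a secadmin
# group, but the mask caps every non-owner entry at read.
AUDIT_LOG_ACL = Acl.parse("root", "sys", """
user::rw-
user:auditor:r--
group::r--
group:secadmin:rw-
mask:r--
other:---
""")
PERMISSION_BITS_ONLY = Acl.from_mode("root", "sys", 0o640)


if __name__ == "__main__":
    print(dac_permits(AUDIT_LOG_ACL, "auditor", {"staff"}, READ))        # True  (named user entry)
    print(dac_permits(PERMISSION_BITS_ONLY, "auditor", {"staff"}, READ))  # False (bits cannot express it)
    print(dac_permits(AUDIT_LOG_ACL, "bob", {"secadmin"}, WRITE))        # False (mask strips w)
    print(dac_permits(AUDIT_LOG_ACL, "root", {"sys"}, WRITE))            # True  (owner is unmasked)
```

The second and third lines of output are the practical points: the single group slot of the permission bits cannot grant one extra user read access without adding that user to the owning group, and an ACL entry that reads rw- is still only r-- effective when the mask says so, which is the first thing to check when an ACL appears not to work.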
The output of the uname -m command. A vendor-defined grouping of hardware platforms for the purpose of distributing specific software. Examples of valid platform names are i86pc, sun4c. Often called kernel architecture.
The output of the uname -i command. For example, the platform name for the SPARCstation IPX is SUNW,Sun_4_50.
The person entrusted to create new rights profiles for the organization, and to fix machine difficulties that are beyond the power of the security administrator and system administrator combined. This role should be assumed rarely. After initial security configuration, more secure sites can choose not to create this role, and not to assign any role the Primary Administrator profile.
A right granted to a process executing a command that allows the command or one or more of its options to bypass some aspect of security policy. A privilege is only granted by a site's security administrator after the command itself or the person using it has been judged to be able to use that privilege in a trustworthy manner.
An action that executes a command on behalf of the user who invokes the command. A process receives a number of security attributes from the user, including the user ID (UID), the group ID (GID), the supplementary group list, and the user's audit ID (AUID). Security attributes received by a process include any privileges available to the command being executed, the process clearance (which is set to be the same as the session clearance) and the sensitivity label of the current workspace.
A text file used as a template by the custom JumpStart installation software. It defines how to install the Trusted Solaris software on a system (for example, initial installation option, system type, disk partitioning, software group), and it is named in the rules file.
A special shell that recognizes privileges. A profile shell typically limits users to fewer commands, but can allow these commands to run with privilege. The profile shell is the default shell of a trusted role.
A system that is not part of the Trusted Solaris NIS+ domain. A remote host can be an unlabeled host or a labeled host.
Previously, execution profiles. A bundling mechanism for commands and CDE actions and for the security attributes assigned to the commands and CDE actions. Rights profiles allow Trusted Solaris administrators to control who can execute which commands and to control the attributes these commands have when they are executed. When a user logs in, all rights assigned to that user are in effect, and the user has access to all the commands, CDE actions, and authorizations assigned in all of that user's rights profiles.
A role is like a user, except that a role cannot log in. Roles are limited to a particular set of commands and CDE actions. See administrative role.
The file system at the top of the hierarchical file tree on a system. The root directory contains the directories and files critical for system operation, such as the kernel, device drivers, and the programs used to start (boot) a system.
See NIS+ root master.
A series of values that assigns one or more system attributes to a profile.
A text file used to create the rules.ok file. The rules file is a look-up table consisting of one or more rules that define matches between system attributes and profiles.
A generated version of the rules file. It is required by the custom JumpStart installation software to match a system to a profile. You use the check script to create the rules.ok file.
In an organization where sensitive information must be protected, the person or persons who define and enforce the site's security policy and who are cleared to access all information being processed at the site. In the Trusted Solaris software environment, an administrative role that is assigned to one or more individuals who have the proper clearance and whose task is to configure the security attributes of all users and hosts so that the software enforces the site's security policy. In contrast, see system administrator.
An attribute used in enforcing the Trusted Solaris security policy. Various sets of security attributes, both in the base Solaris and the Trusted Solaris environments, are assigned to processes, users, files, directories, hosts on the trusted network, allocatable devices, and other entities.
In the Trusted Solaris environment, the set of DAC, MAC, and labeling rules that define how information may be accessed. At a customer site, the set of rules that define the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.
A security label assigned to a file or directory or process, which is used to limit access based on the security level of the data contained.
A directory within an MLD containing files at only a single sensitivity label. When a user working at a particular sensitivity label changes into an MLD, the user's working directory actually changes to a single-label directory within the MLD, whose sensitivity label is the same as the sensitivity label at which the user is working.
An area on a disk composed of a single range of contiguous blocks. A slice is a physical subset of a disk (except for slice 2, which by convention represents the entire disk). A disk can be divided into eight slices. Before you can create a file system on a disk, you must format it into slices.
A logical grouping of the Solaris software (clusters and packages). During a Solaris installation, you can install one of the following software groups: core, end user system software, developer system support, or entire distribution. In the Trusted Solaris environment, core and end user software are identical.
A Java-based administrative action for Solaris and Trusted Solaris systems. Located in the Application Manager, it contains toolboxes of administrative programs. Most system, network, and user administration is done using the Console toolboxes.
A system that has its own / (root) file system, swap space, and /usr file system, which reside on its local disk(s); it does not require boot or software services from an OS server. A standalone system can be connected to a network, but it does not have to be.
A working scheme that divides a single logical network into smaller physical networks to simplify routing.
A bit mask, which is 32 bits long, used to determine important network or system information from an IP address.
Disk space used for virtual memory storage when the system does not have enough system memory to handle current processes. Also known as the /swap or swap file system.
Generic name for a computer. After installation, a system on a network is often referred to as a host.
The set of all valid (well-formed) labels created according to the rules defined by each site's security administrator in the label_encodings file, plus the two administrative labels that are used in every Trusted Solaris environment, ADMIN_LOW and ADMIN_HIGH.
In the Trusted Solaris environment, the trusted role assigned to the user or users responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. In contrast, see security administrator.
One of several different ways a system can be set up to run the Trusted Solaris software. Valid system types are: standalone system and OS server.
Any of the 24 longitudinal divisions of the earth's surface for which a standard time is kept.
The Trusted Network Remote Host DataBase, accessible either as a file in /etc/security/tsol/tnrhdb or as a name service map or table.
The Trusted Network Remote Host TemPlate, accessible either as a file in /etc/security/tsol/tnrhtp, or as a name service map or table.
A collection of programs in the Solaris Management Console. In the Trusted Solaris environment, administrators are presented with a selection of toolboxes, one for every name service (Files, NIS+, and NIS). Each toolbox has programs usable in the scope of the toolbox. For example, the Interface Manager, which handles the machine's tnidb database, exists only in the Files toolbox, since its scope is always local. The User Accounts program exists in all toolboxes, since an administrator can choose to create a local user (Files), as well as one that can log in to any machine in the name service (NIS+ or NIS toolboxes).
tnrhtp, the Trusted Network Remote Host TemPlate and tnrhdb, the Trusted Network Remote Host DataBase together define the remote hosts that a Trusted Solaris domain can communicate with.
See administrative role.
(1) A menu-driven, interactive program that enables you to set up a system and install the Trusted Solaris software on it. (2) Any part of the software that is used to install the Trusted Solaris software on a system.
A region that cannot be spoofed along the bottom of the screen, which by default provides the following as visual feedback about the state of the window system: a trusted path indicator and window sensitivity label. When sensitivity labels are configured to not be viewable for a user, the trusted stripe is reduced to an icon that displays only the trusted path indicator.
The profiles attributes database, accessible either as files in /etc/security/prof_attr and /etc/security/exec_attr, or as NIS+ tables. After configuration, it contains rights profiles provided by the Trusted Solaris software.
The User Attributes database, accessible either as a file in /etc/security/user_attr or as a NIS+ table. After configuration, it contains roles provided by the Trusted Solaris software.
An option presented during the Solaris installation program. The upgrade procedure merges the new version of Solaris with existing files on your disk(s), and it saves as many local modifications as possible since the last time Solaris was installed. The upgrade option is not available with the Trusted Solaris 7 release.
A system that sends unlabeled network packets, such as one running the Solaris 8 operating environment.
The set of all possible labels at which any normal user may work on the system, as defined by each site's security administrator. The rules for well-formed labels that define the system accreditation range are additionally restricted by the values specified in the ACCREDITATION RANGE section of the site's label_encodings(4) file: the upper bound, the lower bound, the combination constraints and other restrictions.
The clearance assigned by the security administrator that sets the upper bound of the set of labels at which one particular user may work at any time. The user may decide to accept or further restrict that clearance during any particular login session, when setting the session clearance after log in.
A file system on a standalone system or server that contains many of the standard UNIX programs. Sharing a large file system with a server rather than maintaining a local copy minimizes the overall disk space required to install and run the Trusted Solaris software on a system.
A file system or directory (on standalone systems) containing system files that are likely to change or grow over the life of the system. These include system logs, vi files, mail files, and uucp files.
A program that provides a mechanism to administer and obtain access to the data on CDROMs and diskettes.