Oracle Solaris Trusted Extensions User's Guide

Chapter 4 Elements of Trusted Extensions (Reference)

This chapter explains the key elements of Solaris Trusted Extensions. This chapter covers the following topics:

Visible Features of Trusted Extensions

After you have successfully completed the login process, as explained in Chapter 2, Logging In to Trusted Extensions (Tasks), you can work within Trusted Extensions. Your work is subject to security restrictions. Restrictions that are specific to Trusted Extensions include the label range of the system, your clearance, and your choice of a single-level or multilevel session. As the following figure illustrates, four features distinguish a system that is configured with Trusted Extensions from a Solaris system. To view the features on a Trusted JDS desktop, see Figure 1–5.

Figure 4–1 Multilevel Trusted CDE Desktop

Screen shows labels on windows and icons, the trusted stripe with the trusted symbol, and the workspace label.

Labels on Trusted Extensions Desktops

As discussed in Mandatory Access Control, all applications and files in Trusted Extensions have labels. Trusted Extensions displays labels in the following locations:

Figure 4–2 Panels Indicating Workspaces at Different Labels in Trusted JDS

Graphic shows four panels with different labels and different windows in each labeled workspace.

Figure 4–1 shows how labels display on a Trusted CDE desktop. Figure 1–5 shows how labels display on a Trusted JDS desktop. The Query Window Label menu item can be used to display the label of a window. For an illustration, see Figure 3–5.

Trusted Stripe

In Trusted CDE, the trusted stripe appears in a reserved area at the bottom of the screen in all Trusted Extensions sessions. In Trusted JDS, the trusted stripe appears at the top of the screen.

The purpose of the trusted stripe is to give you a visual confirmation that you are in a legitimate Trusted Extensions session. The stripe indicates when you are interacting with the trusted computing base (TCB). The stripe also displays the labels of your current workspace and current window. The trusted stripe cannot be moved or obscured by other windows or dialog boxes.

In Trusted CDE, the trusted stripe has two elements:

Figure 4–3 PUBLIC Window Label in the Trusted Stripe

Screen shows the trusted stripe without the trusted symbol and with a workspace label of PUBLIC.

In Trusted JDS, the trusted stripe has two additional elements:

Figure 4–4 Trusted Stripe on the Trusted JDS Desktop

The graphic shows the trusted stripe.

Trusted Symbol

Whenever you access any portion of the TCB, the trusted symbol appears at the left of the trusted stripe area. If your configuration suppresses labels, then the trusted symbol appears with the trusted stripe. In Trusted CDE, the symbol appears to the left of the Front Panel. In Trusted JDS, the symbol appears at the left of the trusted stripe.

Illustration shows the trusted symbol.

The trusted symbol is not displayed when the pointer is focused in a window or area of the screen that does not affect security. The trusted symbol cannot be forged. If you see the symbol, you can be sure that you are safely interacting with the TCB.

Caution –

If the trusted stripe is missing from your workspace, contact the security administrator. The problem with your system could be serious.

The trusted stripe should not appear during login, or when you lock your screen. If the trusted stripe shows, contact the administrator immediately.

Window Label Indicator

The Window Label indicator displays the label of the active window. In a multilevel session, the indicator can help identify windows with different labels in the same workspace. The indicator can also show that you are interacting with the TCB. For example, when you change your password, the Trusted Path indicator displays in the trusted stripe.

Figure 4–5 Trusted Path Indicator in the Trusted Stripe

Screen shows the trusted stripe without the trusted symbol and with a label of Trusted Path.

Device Security in Trusted Extensions

By default in Trusted Extensions, devices are protected by device allocation requirements. Users cannot use a device without being given explicit authorization to allocate devices, and an allocated device cannot be used by another user. A device in use at one label cannot be used at another label until it is deallocated from the first label and allocated at the second label.

To use a device, see How to Allocate a Device in Trusted Extensions.

Files and Applications in Trusted Extensions

All applications in Trusted Extensions have a level of sensitivity that is indicated by their label. Applications are subjects in any data transactions. Subjects must dominate the objects that the subjects try to access. Objects are usually files, but other processes can also be objects. The label information for an application is displayed in the window label stripe. The label is visible when a window is open and when a window is minimized. An application's label also appears in the trusted stripe when the pointer is in the application's window.

In Trusted Extensions, files are objects in data transactions. Files can be accessed only by applications whose labels dominate the files' labels. A file can be viewed from windows that have the same label as the file.

Some applications use initialization files to configure the environment for the user. Two special files in your home directory help you access initialization files at every label. These files enable an application at one label to use an initialization file that originates in a directory at a different label. The two special files are .copy_files and .link_files.

.copy_files File

The .copy_files file stores file names to be copied when you first change to a workspace with a higher label. This file is stored in your home directory at your minimum label. This file is useful when you have an application that always writes to a file in your home directory with a specific name. The .copy_files file enables you to specify that the application update the file at every label.

.link_files File

The .link_files file stores file names to be linked when you first change to a workspace with a higher label. This file is stored in your home directory at your minimum label. The .link_files file is useful when a specific file needs to be available at multiple labels, but the content must be identical at every label.
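To make the difference between the two lists concrete, here is an added shell illustration (not Solaris code, and not the mechanism Trusted Extensions itself runs) that simulates what happens to ~/.copy_files and ~/.link_files on the first change to a higher-labeled workspace. It assumes the list format is one file name per line, relative to the home directory, and uses two constructed directories in place of the home directory at the minimum label and at the higher label.

```shell
#!/bin/sh
# Added illustration, not Solaris code: simulate what Trusted Extensions does
# with ~/.copy_files and ~/.link_files the first time you enter a workspace at
# a higher label. Two constructed directories stand in for your home directory
# at the minimum label and at the higher label.
set -e

# populate_label_home MIN_HOME HI_HOME
# Copies the names listed in MIN_HOME/.copy_files and links the names listed
# in MIN_HOME/.link_files into HI_HOME. One file name per line, relative to
# the home directory (assumed format).
populate_label_home() {
    min_home=$1
    hi_home=$2
    mkdir -p "$hi_home"
    # .copy_files: an independent copy, so the application at the higher
    # label can update it without touching the minimum-label original.
    if [ -f "$min_home/.copy_files" ]; then
        while IFS= read -r name; do
            [ -n "$name" ] || continue
            [ -e "$hi_home/$name" ] && continue   # never clobber an existing file
            cp -p "$min_home/$name" "$hi_home/$name"
        done < "$min_home/.copy_files"
    fi
    # .link_files: a symbolic link to the minimum-label file, so the content
    # is identical at every label.
    if [ -f "$min_home/.link_files" ]; then
        while IFS= read -r name; do
            [ -n "$name" ] || continue
            [ -e "$hi_home/$name" ] && continue
            ln -s "$min_home/$name" "$hi_home/$name"
        done < "$min_home/.link_files"
    fi
}

# Constructed sample: a PUBLIC home with two dot files and the two lists.
demo_root=$(mktemp -d)
MIN_HOME="$demo_root/home_PUBLIC"
HI_HOME="$demo_root/home_INTERNAL"
mkdir -p "$MIN_HOME"
printf 'set prompt="%%n@%%m> "\n' > "$MIN_HOME/.cshrc"
printf 'alias ll="ls -l"\n' > "$MIN_HOME/.aliases"
printf '.cshrc\n' > "$MIN_HOME/.copy_files"    # updated per label
printf '.aliases\n' > "$MIN_HOME/.link_files"  # identical at every label

populate_label_home "$MIN_HOME" "$HI_HOME"
ls -la "$HI_HOME"
```

After the run, .cshrc in the higher-label directory is a separate file that can diverge from the original, while .aliases is a link whose content always matches the minimum-label copy.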

Password Security in the Solaris OS

Users who change passwords on a frequent basis shorten the window of opportunity for intruders to use illegally obtained passwords. Therefore, your site's security policy can require you to change your password regularly. The Solaris OS can set content requirements for passwords and enforce password resetting requirements. The following are possible resetting requirements:

If your administrator has implemented one of the preceding options, you are sent an email message that warns you to change your password prior to the cutoff date.

Passwords can have content criteria. At minimum, passwords in the Solaris OS must meet the following criteria:

You can change your password by using the Change Password menu item from the Trusted Path menu. For the steps, see Performing Trusted Actions.

Front Panel Security (Trusted CDE)

The Front Panel in Solaris Trusted Extensions (CDE) is very similar to the Front Panel that is used in the standard CDE. The Trusted Extensions Front Panel restricts access to only those applications, files, and utilities that you are allowed to use. Clicking mouse button 3 anywhere in the workspace switch area displays the Trusted Path menu.

Before you can access a device through the Removable Media Manager, that device must be allocated by using the Device Allocation Manager. The Device Allocation Manager is accessed from the Tools subpanel, which is above the Style Manager icon in the Front Panel.

Tip –

If you minimize the Front Panel, you can restore the panel by clicking anywhere in the trusted stripe.

In Trusted Extensions, Install Icon drop sites are limited to the applications and files that you are permitted to use at the label of the current workspace.

For more information about the standard CDE, see the Common Desktop Environment User's Guide.

Workspace Switch Area

In Trusted Extensions, the workspace buttons not only define separate workspaces, but they also require you to work at particular labels. When you begin a multilevel session, each workspace is set to the lowest label that you can use. If your administrator has color-coded the labels at your site, the workspace buttons display the color of the label. The Trusted Path menu is available from the workspace switch area.

Trusted Path Menu

The Trusted Path menu contains menu items that affect security, as the following figure shows.

Figure 4–6 Trusted Path Menu – Basic

Screen shows the basic Trusted Path menu.

For example, you change your password or allocate devices with this menu. For details, see Performing Trusted Actions.

In Trusted CDE, the Trusted Path menu has a second version. The Workspace Name version includes additional workspace options. The selections that appear in your menu depend on how the administrator configured your account.

Figure 4–7 Trusted Path Menu – Workspace Name Version

Screen shows the Trusted Path menu that is accessed from a workspace switch in Trusted CDE.

Clock Security

In Trusted Extensions, only an administrator can change the date and time that is set for your workstation.

Calendar Security

The calendar shows the appointments for you at the label of your current workspace only. To view appointments at a different label, you need to open the calendar at that label.

File Manager Security

In Trusted Extensions, the File Manager displays files at the label of the current workspace. To view files at more than one label at a time, you run the File Manager from workspaces at different labels. You then use the Occupy Workspace command to display the different File Manager windows in the same workspace.

The File Manager enables you to change a file or folder's basic permissions and access control list (ACL). If you are authorized, you can also move or link files between File Managers at different labels. For details about File Manager use, see How to View Your Files in a Labeled Workspace and Performing Trusted Actions.

Text Editor Security

A text editor can be used to edit files at the label of the current workspace only. If you are authorized, you can copy information between text editors at different labels.

Personal Applications Subpanel

The default applications in the Personal Applications subpanel operate similarly to the standard CDE environment. The Terminal icon opens the default shell that is assigned to you by your administrator. To access a web server, the label of your browser must be the same as the label of the web server.

Mailer Security

In Trusted Extensions, all mail messages are labeled. When you send a message, it is sent at the label of your mail application. Only hosts and users that are cleared for that label receive the message. Only users who are working at that label can view the message.

If you need to use the vacation message option in your mail application, you must explicitly enable vacation message replies for each label at which you typically receive mail. Check with your security administrator for your site's security policy on vacation messages.

Printer Security

The Print Manager in the Personal Printers subpanel displays icons for all printers that are accredited up to your clearance. However, you can use only those printers that are accredited to print documents at the label of the current workspace.

A typical print job in Trusted Extensions includes labels and extra pages, as follows:

A typical banner page appears in the following figure. The words JOB START indicate the banner page.

Figure 4–8 Typical Banner Page of a Labeled Print Job

Illustration shows job number and handling instructions on a typical print banner page.

For the exact security information regarding printing at your site, see your administrator.

Style Manager Security

With three exceptions, the Style Manager operates in the same manner as on a Solaris system.

Application Manager Security

The Application Manager provides access to only those applications and utilities that your administrator has assigned to you. In a role, you have access to a different set of applications and capabilities. Remember that the ability of a function to operate on a file depends on the label of the current workspace.

Similarly, although you can add applications to the Personal Application subpanel by dropping icons onto the Install Icon drop site, you can only run an application if your administrator has assigned the application to you.

Trash Can Security

In Trusted Extensions, the trash can stores files to be deleted by label. Although you can drop files at any label in the trash can, the trash can displays files at the current label only. You must delete sensitive information as soon as the information is in the trash can.

Workspace Security (Trusted JDS)

In Trusted Extensions, Trusted JDS provides equivalent security to Trusted CDE, but the look and feel is different. As in Trusted CDE, desktop applications are label-aware. Applications run at the label of the current workspace, and display information only at the label of the process that opened the application.

Security features are located in different places in Trusted JDS than in Trusted CDE, and their behavior can also differ.