Oracle Solaris Trusted Extensions Label Administration     Oracle Solaris 11 Express 11/10

Editing and Installing the label_encodings File

The SecCompany setup team for Trusted Extensions makes a printed copy and an online copy of the installed label_encodings file. These copies are kept in case of problems with the new version of the file that the security administrator supplies.

The security administrator uses a text editor to create the label_encodings file and then uses the chk_encodings -a command to check the file. After the file passes all semantic and syntactic checks, the security administrator backs up the current version of the label_encodings file, and installs the new label_encodings file.

Specifying the Version

The following example shows the SecCompany VERSION string in the label_encodings file.

Example 6-2 SecCompany VERSION String

VERSION= SecCompany, Inc. Example Version - 2.2 10/10/20

Specifying the Classifications

The following example shows the SecCompany classifications and values from Table 6-2 in the CLASSIFICATIONS section.

Example 6-3 SecCompany CLASSIFICATIONS Section

CLASSIFICATIONS:

name= PUBLIC; sname= PUB; value= 1;
name= INTERNAL_USE_ONLY; sname= IUO; aname= IUO; value= 4;
name= NEED_TO_KNOW; sname= NTK; aname= NTK; value= 5;
name= REGISTERED; sname= REG; aname= REG; value= 6;

Note - A classification cannot contain the slash (/) or comma (,) character. The classifications are specified from the lowest value to the highest.


Specifying the Sensitivity Labels

The compartments from Table 6-3 are specified in the following example. The labels do not have any required combinations or combination constraints.

Example 6-4 SecCompany WORDS in the SENSITIVITY LABELS Section

SENSITIVITY LABELS:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMGT; compartments= 11; minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FIN; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MFG; compartments= 18; minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Specifying the Information Labels

Even though information labels are not used, values must be supplied under the INFORMATION LABELS: WORDS: section of the label_encodings file for the file to pass the encodings check. The security administrator copies the words from the SENSITIVITY LABELS: WORDS: section. The result is shown in the following example.

Example 6-5 SecCompany WORDS in the INFORMATION LABELS Section

INFORMATION LABELS:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMGT; compartments= 11; minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FIN; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MFG; compartments= 18; minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Specifying the Clearances

Because the clearance words are the same as the sensitivity labels words, the words in the following example are the same as the words in Specifying the Sensitivity Labels.

Example 6-6 SecCompany WORDS in the CLEARANCES Section

CLEARANCES:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMGT; compartments= 11; minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FIN; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MFG; compartments= 18; minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Specifying the Channels

The security administrator specifies one channel for each group name compartment. Each channel uses the same compartment bits that are assigned to the compartment words in the SENSITIVITY LABELS: WORDS: section. The prefix is defined as DISTRIBUTE_ONLY_TO. The suffix is defined as (NON-DISCLOSURE AGREEMENT REQUIRED). The following is the proposed wording for handling instructions:

DISTRIBUTE_ONLY_TO group-name (NON-DISCLOSURE AGREEMENT REQUIRED)

The channel specifications in the following example create this wording.


Note - No compartments are assigned to the prefixes and suffixes. The prefixes and suffixes are used to define the channels.


Example 6-7 SecCompany WORDS in the CHANNELS Section

CHANNELS:

WORDS:

name= DISTRIBUTE_ONLY_TO;       prefix;
name= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);    suffix;

name= ALL_DEPARTMENTS; prefix= DISTRIBUTE_ONLY_TO; compartments= 11-20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= EXECUTIVE_MANAGEMENT_GROUP; prefix= DISTRIBUTE_ONLY_TO; compartments= 11;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SALES; prefix= DISTRIBUTE_ONLY_TO; compartments= 12;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= FINANCE; prefix= DISTRIBUTE_ONLY_TO; compartments= 13;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= LEGAL; prefix= DISTRIBUTE_ONLY_TO; compartments= 14;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MARKETING; prefix= DISTRIBUTE_ONLY_TO; compartments= 15 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= HUMAN_RESOURCES; prefix= DISTRIBUTE_ONLY_TO; compartments= 16;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= ENGINEERING; prefix= DISTRIBUTE_ONLY_TO; compartments= 17 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MANUFACTURING; prefix= DISTRIBUTE_ONLY_TO; compartments= 18;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SYSTEM_ADMINISTRATION; prefix= DISTRIBUTE_ONLY_TO; compartments= 19;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= PROJECT_TEAM; prefix= DISTRIBUTE_ONLY_TO; compartments= 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);

Specifying the Printer Banners


Note - The term printer banner has a specialized meaning in the label_encodings file. A printer banner appears as a string on the banner page of printed output when the compartment that is associated with the printer banner string is part of a job's label.


The SecCompany PRINTER BANNERS section is shown in the following example. For a sample banner page, see Figure 4-2.


Note - No compartments are assigned to the prefixes and suffixes.


Example 6-8 SecCompany WORDS in the PRINTER BANNERS Section

PRINTER BANNERS:

WORDS:

name= SECCOMPANY CONFIDENTIAL:;          prefix;
name= (NON-DISCLOSURE AGREEMENT REQUIRED);     suffix;

name= ALL_DEPARTMENTS; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 11-20; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= EXECUTIVE_MANAGEMENT_GROUP; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 11; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= SALES; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 12; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= FINANCE; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 13; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= LEGAL; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 14 20; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= MARKETING; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 15; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= HUMAN_RESOURCES; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 16; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= ENGINEERING; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 17 20; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= MANUFACTURING; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 18; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= SYSTEM_ADMINISTRATION; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 19; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= PROJECT_TEAM; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 20; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
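
The WORDS sections above repeat the same compartment bits for each group name by hand, so a bit can drift between sections unnoticed. The following Python code is an added example, not part of the Oracle documentation: it parses the WORDS entries and lists every word whose bits differ from SENSITIVITY LABELS. Run on an excerpt copied from this page, it reports that LEGAL and MARKETING carry 14 20 and 15 in PRINTER BANNERS but 14 and 15 20 in the other sections. The function names, and the choice of SENSITIVITY LABELS as the reference, are assumptions of this example.

```python
import re

# Constructed excerpt: entries copied from the examples on this page, cut to three words.
SAMPLE = """
SENSITIVITY LABELS:
WORDS:
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
PRINTER BANNERS:
WORDS:
name= SECCOMPANY CONFIDENTIAL:;          prefix;
name= LEGAL; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 14 20; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= MARKETING; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 15; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= ENGINEERING; prefix= SECCOMPANY CONFIDENTIAL:;
compartments= 17 20; suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
"""

def expand(spec):
    """Turn '15 20' or '11-20' into a set of compartment bit numbers."""
    pairs = (p.partition("-") for p in spec.split())
    return {b for lo, _, hi in pairs for b in range(int(lo), int(hi or lo) + 1)}

def parse_words(text):
    """Map section -> {word: bits}; assumes WORDS: directly follows its section header."""
    out, section, name = {}, None, None
    parts = re.split(r"^([A-Z ]+):[ \t]*$", text, flags=re.M)  # upper-case 'NAME:' lines
    for head, body in zip(parts[1::2], parts[2::2]):
        if head != "WORDS":
            section, name = head, None
            continue
        for tok in body.split(";"):          # one entry may wrap across lines
            key, _, val = tok.partition("=")
            if key.strip() == "name":
                name = val.strip()
            elif key.strip() == "compartments" and name:
                out.setdefault(section, {})[name] = expand(val)
    return out

def mismatches(text, reference="SENSITIVITY LABELS"):
    """List (section, word, bits, reference bits) where a word's bits differ."""
    words = parse_words(text)
    ref = words.get(reference, {})
    return [(sec, w, sorted(b), sorted(ref[w])) for sec, d in words.items()
            if sec != reference for w, b in d.items() if w in ref and b != ref[w]]

print(mismatches(SAMPLE))
```

Words defined only as a prefix or suffix have no compartments entry and are skipped, which matches the notes above that no compartments are assigned to them.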

Specifying the Accreditation Range

The ACCREDITATION RANGE: section in the following example shows the combination constraints from Table 6-3, and the minimum clearance, minimum sensitivity label, and minimum “Protect As” classification from Planning the Minimum Labels in an Accreditation Range. PUBLIC, INTERNAL_USE_ONLY, and REGISTERED are defined to never appear in a label with any compartment. NEED_TO_KNOW is defined to appear in a label with any combination of compartments.

Example 6-9 SecCompany ACCREDITATION RANGE Section

ACCREDITATION RANGE:

classification= PUBLIC; only valid compartment combinations:
PUB

classification= INTERNAL_USE_ONLY; only valid compartment combinations:
IUO

classification= NEED_TO_KNOW; all compartment combinations valid;

classification= REGISTERED; only valid compartment combinations:
REG

minimum clearance= PUB;
minimum sensitivity label= PUB;
minimum protect as classification= PUB;

Specifying the Local Definitions

SecCompany sets the default user labels, and customizes column headings and colors in the LOCAL DEFINITIONS section.

Specifying the Default User Labels

SecCompany enables all users to access the PUBLIC label.

Example 6-10 SecCompany Default User Labels

Default User Sensitivity Label= PUB;
Default User Clearance= PUB;

Specifying the Column Headings in Label Builders

A label builder is displayed whenever the user needs to set a label. The SecCompany security administrator modified the Compartments column heading to Departments.

Example 6-11 SecCompany Column Headings in the label_encodings File

Classification Name= Classification;
Compartments Name= Departments;

Specifying the Color Names

The security administrator used the worksheet in Table 6-8 to complete the Color Names section.

Example 6-12 SecCompany COLOR NAMES Section

COLOR NAMES:

        label= Admin_Low;       color= #BDBDBD;

        label= PUBLIC;        color= green;
        label= INTERNAL_USE_ONLY;  color= yellow;
        label= NEED_TO_KNOW;  color= blue;
        label= NEED_TO_KNOW EMGT;  color= #7FA9EB;
        label= NEED_TO_KNOW SALES;  color= #87CEFF;
        label= NEED_TO_KNOW FIN;  color= #00BFFF;
        label= NEED_TO_KNOW LEGAL;  color= #7885D0;
        label= NEED_TO_KNOW MKTG;  color= #7A67CD;
        label= NEED_TO_KNOW HR;  color= #7F7FFF;
        label= NEED_TO_KNOW ENG;  color= #007FFF;
        label= NEED_TO_KNOW MFG;  color= #0000BF;
        label= NEED_TO_KNOW P_TEAM;  color= #9E7FFF;
        label= NEED_TO_KNOW SYSADM; color= #5B85D0;
        label= NEED_TO_KNOW ALL; color= #4D658D;
        label= REGISTERED;  color= red;

        label= Admin_High;      color= #636363;

*
* End of local site definitions