One type of discretionary access control based on a list of entries that the owner can specify for a file or directory. An access control list (ACL) can restrict or permit access to any number of individuals and groups, allowing finer-grained control than provided by the standard UNIX permission bits.
A set of sensitivity labels that are approved for a class of users or resources. See also workstation accreditation range and user accreditation range.
See access control list.
A set of valid labels. See accreditation range and user accreditation range for more about the two types of accreditation ranges in the Trusted Solaris environment.
A role that in the Trusted Solaris environment gives required authorizations, privileged commands, and the Trusted Path security attribute to allow the role to perform part of Solaris superuser's capabilities, such as backup or auditing.
See information label.
A device to which access is controlled in the Trusted Solaris environment by making the device allocatable to a single user at a time. Allocatable devices include tape drives, floppy drives, audio devices, and CDROM devices. See device allocation.
The allowed set of privileges limits which privileges a process can use. A process that runs a program that has a forced privilege set limits that program to the forced privileges that are also in the process' allowed privilege set.
A right granted to a user or role to perform an action that would otherwise not be allowed by the Trusted Solaris security policy. Authorizations are granted in execution profiles. Certain commands require the user to have certain authorizations to succeed. Similar to the use of privilege on programs.
In CDE the search path used by the system to find applications and certain configuration information. The application search path is controlled by a trusted role.
A system type that caches all of its needed system software from an OS server. Because it contains no permanent data, an AutoClient is a field replaceable unit (FRU). It requires a small local disk for swapping and for caching its individual root (/) and /usr file systems from an OS server. Trusted Solaris does not support autoclients.
A user-defined Bourne shell script, specified within the rules file, that performs tasks before the Trusted Solaris software is installed on the system. Begin scripts can be used only with custom JumpStart installations.
A file that is consulted when a workstation boots. In Trusted Solaris, the bootparams file contains a keyword=value entry that points the boot server to the Trusted Solaris label configuration for the workstation. A workstation can have a local bootparams file (/etc/bootparams), or it can use the bootparams NIS+ table. See bootparams(4).
A server that provides boot services to workstations on the same subnet. A boot server is required if you plan to push Trusted Solaris information from a central location to every workstation in the system. If the install server is on a different subnet than the workstations that need to install the Trusted Solaris software, you must create a boot server for that subnet.
The upper bound of the set of labels at which a user may work, whose lower bound is the minimum label assigned by the security administrator. There are two types of clearance, the session clearance and the user clearance.
A workstation connected to a network.
A closed network is a network of Trusted Solaris workstations that is cut off from any non-Trusted Solaris workstation. The cutoff can be physical, where there is no wire that extends past the Trusted Solaris network. The cutoff can be in the software, where the Trusted Solaris workstations recognize only Trusted Solaris workstations. Data entry from outside the network is restricted to peripherals attached to Trusted Solaris workstations.
A logical grouping of software packages. The Trusted Solaris software is divided into four main software groups, which are each composed of clusters and packages.
Consists of an ADMIN_LOW information label followed by a sensitivity label in brackets, in the form: ADMIN_LOW [SENSITIVITY LABEL].
The required windowing environment for administering the Trusted Solaris software.
An optional setup file in a multilabel environment. The file contains the names of startup files, such as .cshrc or .netscape, that the user environment or user applications require in order for the environment or application to behave well. The files referenced in .copy_files are then copied to the user's home directory at other labels, when those directories are created. See also .link_files.
A software group that contains the minimum software required to boot and run the Solaris operating environment on a system. It includes some networking software and the drivers required to run the OpenWindows environment; it does not include the windowing software. Trusted Solaris does not offer a core software group, since the Common Desktop Environment is the required administration environment.
A file that contains a picture of the state of a system when it crashed. Also called a core dump.
A type of installation in which the Trusted Solaris software is automatically installed on a system based on a customized profile. You can customize profiles for different types of users.
A profile that is dynamically created by a begin script during a custom JumpStart installation.
Devices include printers, workstations, tape drives, floppy drives, audio devices, and internal pseudo terminal devices. Devices are subject to the read equal write equal MAC policy.
A mechanism for protecting the information on an allocatable device from access by anybody except the user who allocates the device. Until a device is deallocated, no one but the user who allocated a device can access any information associated with the device. For a user to allocate a device, that user must have been granted the device allocation authorization by the security administrator.
A software group that contains the End User System Support software group plus the libraries, include files, man pages, and programming tools for developing software.
The type of access granted or denied by the owner of a file or directory at the discretion of the owner. The Trusted Solaris environment provides two kinds of discretionary access controls (DAC): permission bits and access control list.
A file that represents a structure of a disk (for example, bytes/sector, flags, slices). Disk configuration files enable you to use pfinstall from a single system to test profiles on different sized disks.
A part of the Internet naming hierarchy. It represents a group of systems on a local network that share administrative files.
IP address whose last number is 0.
The identification of a group of systems on a local network. A domain name consists of a sequence of component names separated by periods (for example: tundra.mpk.ca.us). As you read a domain name from left to right, the component names identify more general (and usually remote) areas of administrative authority.
A software group that contains the core software group plus the recommended software for an end user, including OpenWindows and DeskSet software.
A software group that contains the entire Trusted Solaris release.
A software group that contains the entire Trusted Solaris release, plus additional hardware support for OEMs. This software group is recommended when installing Trusted Solaris software on servers.
Extended Industry Standard Architecture. A type of bus on x86 systems. EISA bus standards are "smarter" than ISA bus systems, and attached devices can be automatically detected when they have been configured via the "EISA configurator" program supplied with the system. See ISA.
A directory that contains critical system configuration files and maintenance commands.
One or more Trusted Solaris workstations which are running in a configuration that has been certified as meeting specific criteria by a certification authority. In the United States, those criteria are the TCSEC and the evaluating and certifying body is the NSA. Trusted Solaris 8 will be certified to the Common Criteria v2.1 [August 1999], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles which provide functionality similar to the TCSEC C2 and B1 levels, with some additional functionality.
One or more Trusted Solaris workstations which are running in a configuration that has been certified as meeting specific criteria by a certification authority. Trusted Solaris 8 will be certified to the Common Criteria v2.1 [published in August 1999], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles. The Common Criteria v2 (CCv2) and protection profiles make the earlier TCSEC U.S. standard obsolete through level B1+. A mutual recognition agreement for CCv2 has been signed by the United States, the United Kingdom, Canada, the Netherlands, Germany, and France.
The Trusted Solaris 8 configuration target provides functionality similar to the TCSEC C2 and B1 levels, with some additional functionality.
Renamed rights profiles in the Solaris 8 release. A bundling mechanism for commands and CDE actions and for the security attributes assigned to the commands and CDE actions. Rights profiles allow Trusted Solaris administrators to control who can execute which commands and to control the attributes these commands have when they are executed. When a user logs in, all rights assigned to that user are in effect, and the user has access to all the commands, CDE actions, and authorizations assigned in all of that user's rights profiles.
A file system on an OS server that is shared with other systems on a network. For example, the /export file system can contain the home directories for users on the network.
A logical partition of a disk drive dedicated to a particular operating system on x86 systems. During the Solaris installation program, you must set up at least one Solaris fdisk partition on an x86 system. x86 systems are designed to support up to four different operating systems on each drive; each operating system must reside on a unique fdisk partition.
A server that provides the software and file storage for systems on a network.
These sets are the allowed and forced privileges specified for use by executable files (programs). The allowed set limits which privileges a process can use, whether the privileges are forced on the executable file or inherited (see inheritable privileges). Any privileges in the forced privilege set are available to any process that invokes the program, as long as they are also in the allowed set.
A collection of files and directories that, when set into a logical hierarchy, make up an organized, structured set of information. File systems can be mounted from your local system or a remote system.
A user-defined Bourne shell script, specified within the rules file, that performs tasks after the Trusted Solaris software is installed on the system, but before the system reboots. Finish scripts can be used only with JumpStart installations.
The forced set of privileges are those placed on a file by the security administrator. Any privileges in the forced privilege set are available to any process that invokes the program, as long as they are also in the allowed privilege set.
Government Furnished Information. In this manual, it refers to a U.S. government-provided label_encodings file. In order to use a GFI with Trusted Solaris software, you must add the Sun-specific LOCAL DEFINITIONS section to the end of the GFI. Trusted Solaris Label Administration explains the procedure in detail.
The name by which a system is known to other systems on a network. This name must be unique among all the systems within a given domain (usually, this means within any single organization). A host name can be any combination of letters, numbers, and minus sign (-), but it cannot begin or end with a minus sign.
Intel Architecture.
A label that signifies the actual security level of the information contained in a file or directory, and which may be used in deciding whether to downgrade the sensitivity label of the file or directory, how to physically label information stored on backup media, and how to handle printed output or mail. Also known as an advisory label. Trusted Solaris 7 and later releases no longer support information labels.
The privileges that a process can pass to a program across an execve() without their being affected by the new program's forced or allowed privilege sets. When a new program is executed by a process, the inheritable set of the process is set to be equal to the inheritable set of the old program. The inheritable set is not affected by the forced or allowed privileges on the currently executing program, which allows privileges to be passed from programs that cannot use them to programs that can.
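The interplay of the forced, allowed and inheritable sets described in the entries above, as an added model (not Trusted Solaris code): a program's usable set is its forced privileges plus the inherited ones, cut down to its allowed set, while the inheritable set passes through each execve() untouched. The privilege names and the three-program chain are constructed for illustration.

```python
from typing import FrozenSet, List, Tuple

Privs = FrozenSet[str]


def privileges_after_exec(inheritable: Privs, forced: Privs, allowed: Privs) -> Tuple[Privs, Privs]:
    """Privileges available to a process after it executes one program.

    Returns (usable, inheritable_after):
      usable            -- forced privileges plus inherited ones, limited to
                           the program's allowed set
      inheritable_after -- unchanged: the forced and allowed sets of the
                           program being run do not touch the inheritable set
    """
    usable = (forced | inheritable) & allowed
    return usable, inheritable


def exec_chain(initial_inheritable: Privs,
               programs: List[Tuple[str, Privs, Privs]]) -> List[Tuple[str, Privs]]:
    """Run a sequence of execve() calls and record what each program can use.

    programs is a list of (name, forced_set, allowed_set) tuples.
    """
    inheritable = initial_inheritable
    trace = []
    for name, forced, allowed in programs:
        usable, inheritable = privileges_after_exec(inheritable, forced, allowed)
        trace.append((name, usable))
    return trace


# Constructed scenario (privilege names modelled on Trusted Solaris naming,
# not taken from the glossary): a process carrying file_dac_read in its
# inheritable set execs a wrapper that is allowed no privileges at all, which
# execs a backup program allowed to use both file_dac_read and a forced
# file_mac_read, which execs a viewer whose forced proc_setid is not allowed.
PROGRAMS = [
    ("wrapper", frozenset(), frozenset()),
    ("backup", frozenset({"file_mac_read"}), frozenset({"file_dac_read", "file_mac_read"})),
    ("viewer", frozenset({"proc_setid"}), frozenset({"file_dac_read"})),
]


def demo() -> List[Tuple[str, Privs]]:
    # The wrapper can use nothing, yet file_dac_read still reaches backup;
    # viewer's forced proc_setid is dropped because it is not in its allowed set.
    return exec_chain(frozenset({"file_dac_read"}), PROGRAMS)
```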
The minimum label assigned to a user or role, and the label of the user's initial workspace. It is the lowest label at which the user or role can work.
An option presented during the Trusted Solaris installation program that overwrites the disk(s) with the new version of Trusted Solaris. The initial installation option is the only installation option supported in the Trusted Solaris release.
A server that provides the Trusted Solaris installation image for other systems on a network to boot and install from (also known as a media server). The Trusted Solaris installation image can reside on the install server's CDROM drive or hard disk.
A team of at least two people who together oversee the installation of a Trusted Solaris workstation. One team member is responsible for security decisions, and the other for system administration decisions.
A type of installation where you have full hands-on interaction with the Trusted Solaris installation program to install the Trusted Solaris software on a system.
Internet protocol address. A unique number that identifies a networked system so it can communicate via Internet protocols. It consists of four numbers separated by periods. Most often, each part of the IP address is a number between 0 and 225; however, the first number must be less than 224 and the last number cannot be 0.
IP addresses are logically divided into two parts: the network (similar to a telephone area code), and the system on the network (similar to a phone number).
Industry Standard Architecture. A type of bus found in x86 systems. ISA bus systems are "dumb" and provide no mechanism the system can use to detect and configure devices automatically. See EISA.
When using a diskette for custom JumpStart installations, the JumpStart directory is the root directory on the diskette that contains all the essential custom JumpStart files. When using a server for custom JumpStart installations, the JumpStart directory is a directory on the server that contains all the essential custom JumpStart files.
A type of installation in which the Solaris software is automatically installed on a system by using factory-installed JumpStart software. The Trusted Solaris release does not offer this option; all JumpStart installations in Trusted Solaris are custom JumpStart installations.
See platform group.
A security identifier assigned to a file or directory based on the level at which the information being stored in that file or directory should be protected. Depending on how the security administrator has configured the user, a user may see the complete CMW label, only the sensitivity label portion, only the information label portion, or no labels at all. See label_encodings file.
A Trusted Solaris installation choice of: single- or multilabel sensitivity labels; if multilabel, hide or show upgraded file names. Unless circumstances are unusual, label configuration should be identical on all workstations in the Trusted Solaris domain.
A labeled workstation sends labeled network packets, such as RIPSO, CIPSO, TSIX(RE1.1), and MSIX packets. All Trusted Solaris workstations are labeled workstations.
The file where the complete CMW label is defined, as are label view, admin_low and admin_high strings, default label visibility, and all other aspects of labels.
A set of sensitivity labels assigned to commands, file systems, and allocatable devices, specified by designating a maximum label and a minimum label. For commands, the minimum and maximum labels limit the sensitivity labels at which the command may be executed. For file systems, the minimum and maximum labels limit the sensitivity labels at which information may be stored on each file system. Trusted Solaris environments have multilabel file systems configured with a label range from the lowest sensitivity label to the highest sensitivity label. Remote hosts that do not recognize labels are assigned a single sensitivity label, along with any other hosts that the security administrator wishes to restrict to a single label. For allocatable devices, the minimum and maximum labels limit the sensitivity labels at which the device may be allocated and restrict the sensitivity labels at which information can be stored or processed using the device.
Label view flags control the translation and display of the internal ADMIN_LOW and ADMIN_HIGH labels. A value of External specifies that the actual label ADMIN_LOW displays as the lowest label name in the user accreditation range specified in the label_encodings file, and that the actual label ADMIN_HIGH displays as the highest label name in the user accreditation range. A value of Internal specifies that the ADMIN_LOW and ADMIN_HIGH labels are translated to the Admin Low Name and Admin High Name strings specified in the label_encodings file.
An optional setup file in a multilabel environment. The file contains the names of startup files, such as .cshrc or .netscape, that the user environment or user applications require in order for the environment or application to behave well. The files referenced in .link_files are then linked to the user's home directory at other labels, when those directories are created. See also .copy_files.
A specific language associated with a region or territory.
Access control based on comparing the sensitivity label of a file, directory, or device to the sensitivity label of the process that is trying to access it. The MAC rule -- write up, read down (WURD) -- applies when a process at one sensitivity label attempts to read or write to a file at another sensitivity label. The MAC rule -- write equal, read down -- applies when a process at one sensitivity label attempts to write to a directory at another sensitivity label. The MAC rule -- read equal, write equal -- applies when a process at one sensitivity label attempts to write to a device at another sensitivity label.
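The three MAC rules above, as an added worked model (not Trusted Solaris code): a label dominates another when its classification is at least as high and it carries every compartment of the other, and each object type gets its own rule. The classification numbers and compartment names are constructed for the example and do not follow the label_encodings format.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a hierarchical classification plus a set of
    non-hierarchical compartments (constructed model)."""
    classification: int
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # self dominates other when its classification is at least as high
        # and it carries every compartment that other carries.
        return (self.classification >= other.classification
                and other.compartments <= self.compartments)


def mac_allows(proc: Label, obj: Label, obj_type: str, op: str) -> bool:
    """Apply the glossary's MAC rules for a process label and an object label.

    files:       write up, read down (WURD)
    directories: write equal, read down
    devices:     read equal, write equal
    """
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    if obj_type == "file":
        # read down: the process label must dominate the file label
        # write up:  the file label must dominate the process label
        return proc.dominates(obj) if op == "read" else obj.dominates(proc)
    if obj_type == "directory":
        # read down as for files, but writes require an exactly equal label
        return proc.dominates(obj) if op == "read" else proc == obj
    if obj_type == "device":
        # both read and write require an exactly equal label
        return proc == obj
    raise ValueError(f"unknown object type {obj_type!r}")


# Constructed sample labels (hypothetical classification numbers).
UNCLASSIFIED = Label(0, frozenset())
CONFIDENTIAL_A = Label(1, frozenset({"A"}))
SECRET_AB = Label(2, frozenset({"A", "B"}))
SECRET_C = Label(2, frozenset({"C"}))   # incomparable with CONFIDENTIAL_A


def demo() -> dict:
    """Decisions for a process running at CONFIDENTIAL {A}."""
    p = CONFIDENTIAL_A
    return {
        "read_lower_file": mac_allows(p, UNCLASSIFIED, "file", "read"),          # True
        "write_lower_file": mac_allows(p, UNCLASSIFIED, "file", "write"),        # False
        "write_higher_file": mac_allows(p, SECRET_AB, "file", "write"),          # True
        "read_higher_file": mac_allows(p, SECRET_AB, "file", "read"),            # False
        "write_higher_dir": mac_allows(p, SECRET_AB, "directory", "write"),      # False
        "write_equal_dir": mac_allows(p, CONFIDENTIAL_A, "directory", "write"),  # True
        "read_incomparable_device": mac_allows(p, SECRET_C, "device", "read"),   # False
    }
```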
Micro Channel Architecture. A type of bus on IA systems. The MCA bus provides fast data transfer within the computer, and attached devices can be automatically detected when they have been configured using the reference disk provided by the manufacturer. The MCA bus is not compatible with devices for other buses.
See install server.
The lower bound of a user's sensitivity labels and the lower bound of all users' sensitivity labels. The minimum label set by the security administrator when specifying a user's security attributes is the sensitivity label of the first workspace that comes up after the user's first login. The sensitivity label specified in the minimum label field by the security administrator in the label_encodings file sets the lower bound for all users.
See multilevel directory.
The process of making a remote or local file system accessible by executing the mount command. To mount a file system, you need a mount point on the local system and the name of the file system to be mounted (for example, /usr).
A directory on a system where you can mount a file system that exists on the local or a remote system.
A directory in which information at differing sensitivity labels is maintained in separate subdirectories called single-level directories (SLDs), while appearing to most interfaces to be a single directory under a single name. In the Trusted Solaris environment, directories that are used by multiple standard applications to store files at varying labels, such as the /tmp directory, /var/spool/mail, and users' $HOME directories, are set up to be MLDs. A user working in an MLD sees only files at the sensitivity label of the user's process.
A server that provides a name service to systems on a network.
A distributed network database that contains key system information about all the systems on a network, so the systems can communicate with each other. With a name service, the system information can be maintained, managed, and accessed on a network-wide basis. Sun supports the following name services: NIS (formerly YP) and NIS+. Without a name service, each system has to maintain its own copy of the system information (in the local /etc files).
A way to install software over the network--from a system with a CDROM drive to a system without a CDROM drive. Network installations require a name server and an install server.
A group of workstations (called hosts) connected through hardware and software, so they can communicate and share information; referred to as a local area network (LAN). One or more servers are usually needed when systems are networked.
Network Information Service, Plus. The name service for a Trusted Solaris network. NIS+ provides automatic information updating and adds security features such as authorization and authentication.
See NIS+ root master.
The workstation that contains the master tables for a NIS+ network. Also called a root master or a NIS+ master.
Workstations that are not connected to a network or do not rely on other workstations.
An open network is a network of Trusted Solaris workstations that is connected physically to other networks and that uses Trusted Solaris software to communicate with non-Trusted Solaris workstations. Contrast with closed network.
A file system that contains the mount points for third-party and unbundled software.
A system that provides services to systems on a network.
When software that has been proved able to satisfy the criteria for an evaluated configuration is configured with settings that do not satisfy the security criteria, it is described as being outside the evaluated configuration.
A functional grouping of files and directories that form a software application. The Trusted Solaris software is divided into four main software groups, which are each composed of clusters and packages.
A disk partition is a slice of the disk.
A type of discretionary access control in which the owner specifies a set of bits to signify who can read, write, or execute a file or directory. Three different sets of permissions are assigned to each file or directory: one set for the owner; one set for all members of the group specified for the file or directory; and one set for all others.
The output of the uname -m command. A vendor-defined grouping of hardware platforms for the purpose of distributing specific software. Examples of valid platform names are i86pc, sun4c. Often called kernel architecture.
The output of the uname -i command. For example, the platform name for the SPARCstation IPX is SUNW,Sun_4_50.
The person entrusted to create new rights profiles for the organization, and to fix machine difficulties that are beyond the power of the security administrator and system administrator combined. This role should be assumed rarely. After initial security configuration, more secure sites can choose not to create this role, and not to assign any role the Primary Administrator profile.
A right granted to a process executing a command that allows the command or one or more of its options to bypass some aspect of security policy. A privilege is only granted by a site's security administrator after the command itself or the person using it has been judged to be able to use that privilege in a trustworthy manner.
An action that executes a command on behalf of the user who invokes the command. A process receives a number of security attributes from the user, including the user ID (UID), the group ID (GID), the supplementary group list, and the user's audit ID (AUID). Security attributes received by a process include any privileges available to the command being executed, the process clearance (which is set to be the same as the session clearance), the sensitivity label of the current workspace, and an information label. If the label configuration option RESET IL ON EXEC is selected, the information label is set to be the lowest viewable label in the system when a new process is started. The information label floats if any information at a higher information label is accessed by the process.
A text file used as a template by the custom JumpStart installation software. It defines how to install the Trusted Solaris software on a system (for example, initial installation option, system type, disk partitioning, software group), and it is named in the rules file.
A special shell that recognizes privileges. A profile shell typically limits users to fewer commands, but can allow these commands to run with privilege. The profile shell is the default shell of a trusted role.
A workstation that is not part of the Trusted Solaris NIS+ domain. A remote host can be an unlabeled workstation or a labeled workstation.
Renamed from execution profiles in the Solaris 8 release.
A role is like a user, except that a role cannot log in. Roles are limited to a particular set of commands and CDE actions. See administrative role.
The file system at the top of the hierarchical file tree on a system. The root directory contains the directories and files critical for system operation, such as the kernel, device drivers, and the programs used to start (boot) a system.
See NIS+ root master.
A series of values that assigns one or more system attributes to a profile.
A text file used to create the rules.ok file. The rules file is a look-up table consisting of one or more rules that define matches between system attributes and profiles.
A generated version of the rules file. It is required by the custom JumpStart installation software to match a system to a profile. You use the check script to create the rules.ok file.
In an organization where sensitive information must be protected, the person or persons who define and enforce the site's security policy and who are cleared to access all information being processed at the site. In the Trusted Solaris software environment, an administrative role that is assigned to one or more individuals who have the proper clearance and whose task is to configure the security attributes of all users and workstations so that the software enforces the site's security policy. In contrast, see system administrator.
An attribute used in enforcing the Trusted Solaris security policy. Various sets of security attributes, both in the base Solaris and the Trusted Solaris environments, are assigned to processes, users, files, directories, hosts on the trusted network, allocatable devices, and other entities.
In the Trusted Solaris environment, the set of DAC, MAC, and information labeling rules that define how information may be accessed. At a customer site, the set of rules that define the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.
A security label assigned to a file or directory or process, which is used to limit access based on the security level of the data contained.
A directory within an MLD containing files at only a single sensitivity label. When a user working at a particular sensitivity label changes into an MLD, the user's working directory actually changes to a single-label directory within the MLD, whose sensitivity label is the same as the sensitivity label at which the user is working.
An area on a disk composed of a single range of contiguous blocks. A slice is a physical subset of a disk (except for slice 2, which by convention represents the entire disk). A disk can be divided into eight slices. Before you can create a file system on a disk, you must format it into slices.
A logical grouping of the Solaris software (clusters and packages). During a Solaris installation, you can install one of the following software groups: core, end user system software, developer system support, or entire distribution. In the Trusted Solaris environment, core and end user software are identical.
A Java-based administrative action for Solaris and Trusted Solaris systems. Located in the Application Manager, it contains toolboxes of administrative programs. Most system, network, and user administration is done using the Console toolboxes.
A system that has its own / (root) file system, swap space, and /usr file system, which reside on its local disk(s); it does not require boot or software services from an OS server. A standalone system can be connected to a network, but it does not have to be.
A working scheme that divides a single logical network into smaller physical networks to simplify routing.
A bit mask, which is 32 bits long, used to determine important network or system information from an IP address.
Disk space used for virtual memory storage when the system does not have enough system memory to handle current processes. Also known as the /swap or swap file system.
Generic name for a workstation. After installation, a system is often called a host.
The set of all valid (well-formed) labels created according to the rules defined by each site's security administrator in the label_encodings file, plus the two administrative labels that are used in every Trusted Solaris environment, ADMIN_LOW and ADMIN_HIGH.
In the Trusted Solaris environment, the trusted role assigned to the user or users responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. In contrast, see security administrator.
One of several different ways a workstation can be set up to run the Trusted Solaris software. Valid system types are: standalone system and OS server.
Any of the 24 longitudinal divisions of the earth's surface for which a standard time is kept.
The Trusted Network Remote Host DataBase, accessible either as a file in /etc/security/tsol/tnrhdb or as a NIS+ table.
The Trusted Network Remote Host TemPlate, accessible either as a file in /etc/security/tsol/tnrhtp or as a NIS+ table.
A collection of programs in the Solaris Management Console. In the Trusted Solaris environment, administrators are presented with a selection of toolboxes, one for every name service (Files, NIS+, and NIS). Each toolbox has programs usable in the scope of the toolbox. For example, the Interface Manager, which handles the machine's tnidb database, exists only in the Files toolbox, since its scope is always local. The User Accounts program exists in all toolboxes, since an administrator can choose to create a local user (Files), as well as one that can log in to any machine in the name service (NIS+ or NIS toolboxes).
tnrhtp, the Trusted Network Remote Host TemPlate and tnrhdb, the Trusted Network Remote Host DataBase together define the remote hosts that a Trusted Solaris domain can communicate with.
See administrative role.
(1) A menu-driven, interactive program that enables you to set up a system and install the Trusted Solaris software on it. (2) Any part of the software that is used to install the Trusted Solaris software on a system.
A region that cannot be spoofed along the bottom of the screen, which by default provides the following as visual feedback about the state of the window system: a trusted path indicator and window sensitivity label. When sensitivity labels are configured to not be viewable for a user, the trusted stripe is reduced to an icon that displays only the trusted path indicator.
The profiles attributes database, accessible either as files in /etc/security/prof_attr and /etc/security/exec_attr, or as NIS+ tables. After configuration, it contains execution profiles provided by the Trusted Solaris software.
The User Attributes database, accessible either as a file in /etc/security/user_attr or as a NIS+ table. After configuration, it contains roles provided by the Trusted Solaris software.
An option presented during the Solaris installation program. The upgrade procedure merges the new version of Solaris with existing files on your disk(s), and it saves as many local modifications as possible since the last time Solaris was installed. The upgrade option is not available with the Trusted Solaris 7 release.
A workstation that sends unlabeled network packets, such as one running the Solaris 8 operating environment.
The set of all possible labels at which any normal user may work on the system, as defined by each site's security administrator. The rules for well-formed labels that define the system accreditation range are additionally restricted by the values specified in the ACCREDITATION RANGE section of the site's label_encodings(4) file: the upper bound, the lower bound, the combination constraints and other restrictions.
The clearance assigned by the security administrator that sets the upper bound of the set of labels at which one particular user may work at any time. The user may decide to accept or further restrict that clearance during any particular login session, when setting the session clearance after log in.
A file system on a standalone system or server that contains many of the standard UNIX programs. Sharing a large file system with a server rather than maintaining a local copy minimizes the overall disk space required to install and run the Trusted Solaris software on a system.
A file system or directory (on standalone systems) containing system files that are likely to change or grow over the life of the system. These include system logs, vi files, mail files, and uucp files.
A program that provides a mechanism to administer and obtain access to the data on CDROMs and diskettes.
The set of all valid (well-formed) labels created according to the rules defined by each site's security administrator in the label_encodings file, plus the two administrative labels that are used in every Trusted Solaris environment, ADMIN_LOW and ADMIN_HIGH. Also called the system accreditation range.