A software mechanism for discretionary access control (DAC) that uses a list of permission specifications (ACL entries) to be applied to specific users and groups. The advantage of an ACL is that it allows finer-grained control than provided by the standard UNIX permissions.
The right of a user to read, write, execute, or view the name of a file or directory. See also discretionary access control (DAC) and mandatory access control (MAC).
The set of labels assigned by the security administrator to a user or role account for working in the Trusted Solaris environment. It is defined at the upper end by the user clearance and at the lower end by the user's minimum label. It is limited to well-formed labels.
A set of labels that are approved for a class of users or resources. See also system accreditation range, user accreditation range, label encodings file, and network accreditation range.
An application that can be accessed from the CDE (Common Desktop Environment) graphical user interface. An action is represented by an icon and consists of one or more commands and optional user prompts. In the Trusted Solaris environment, an action is only available to a user if the security administrator has included it in a rights profile assigned to the user's account. Similarly, certain functions of the action may be available only if the security administrator has assigned the appropriate authorizations and privileges in that rights profile.
Two special labels intended for administrative files only: ADMIN_LOW and ADMIN_HIGH. ADMIN_LOW is the lowest label in the system with no compartments; it is strictly dominated by all labels in the system. Information at ADMIN_LOW can be read by all but can only be written by a user in a role working at the ADMIN_LOW label. ADMIN_HIGH is the highest label in the system with all compartments; it strictly dominates all labels in the system. Information at ADMIN_HIGH can only be read by users in roles operating at ADMIN_HIGH. These labels can be used as labels or clearances. See also dominating label.
The complete name (including the strings .MLD. or .SLD.) for a single-level directory (SLD) or multi-level directory (MLD). A single-level directory contains files at a single label and uses the name .SLD.n where .SLD. is the adornment string and n is an identifying number. A multi-level directory contains single-level directories; it uses the adornment .MLD. as a prefix to the name you specify. An example of a single-level directory within a multi-level directory would be /.MLD.myHomeDir/.SLD.0.
A device with controlled access, capable of importing or exporting data from the system. Devices are allocatable to a single user at a time. The security administrator determines which users may access which allocatable devices. Allocatable devices include tape drives, floppy drives, audio devices, and CD-ROM devices. (See device allocation.)
A privilege in the set of privileges specified by the security administrator to be potentially available for an application. If a privilege is not in an application's allowable set, it will never be available to users executing that application. Allowed privileges are assigned to the application's executable file using File Manager.
The UID representing the actual user, as opposed to a role, used to identify the user for auditing purposes. The audit ID always represents the user for auditing even when the user assumes roles or acquires effective UIDs/GIDs. See also user ID (UID).
The process of capturing user activity and other events on the system, storing this information in a set of files called an audit trail, and producing system activity reports to fulfill site security policy.
Permission granted to a user to perform an action that would be otherwise prohibited by security policy. The security administrator assigns authorizations to rights profiles which in turn are assigned to user or role accounts. Some commands and actions will not function fully unless the user has the necessary authorizations. See also privilege.
A component of a clearance or a label that indicates a hierarchical level of security, for example, TOP SECRET or UNCLASSIFIED.
A label defining the upper boundary of a label range. There are two components to a clearance: a classification and zero or more compartments. A clearance need not be a well-formed label; it defines a theoretical boundary, not necessarily an actual label. See also user clearance, session clearance, and label encodings file.
A label indicating the security level of a file or window in those Trusted Solaris environments configured to display labels. It is composed of a label shown in brackets. CMW labels appear in a stripe at the top of open windows and in a stripe under minimized windows. See also label encodings file.
The graphical environment which operates on the standard Solaris and Trusted Solaris operating environments. It includes the login manager, the session manager, the window manager, and various desktop tools.
A nonhierarchical component of a label used with the classification component to form a clearance or a label. A compartment represents a group of users with a potential need to access this information, such as an engineering department or a multidisciplinary project team.
A computing system that fulfills the government requirements for a trusted workstation stated in Security Requirements for System High and Compartmented Mode Workstations, DIA document number DDS-2600-5502-87. Specifically, it defines a trusted, X Window System-based operating environment for UNIX workstations.
A communication channel that is not normally intended for data communication and that allows a process to transfer information indirectly in a manner that violates the intent of the security policy.
Device no longer assigned (allocated) to a user. See also device allocation.
See allocatable device.
A mechanism for protecting the information on an allocatable device from access by anybody except the user who allocates the device. When the device is deallocated, device clean scripts are run to clean information from the device before the device may be accessed again by another user.
An access control mechanism that allows the owner of a file or directory to grant or deny access to other users. The owner assigns read, write, and execute permissions to the owner, the user group to which the owner belongs, and a category called other, which refers to all other unspecified users. The owner can also specify an access control list (ACL), which lets the owner assign permissions specifically to additional users and groups. Contrast with mandatory access control (MAC).
See dominating label.
In a comparison of two labels, the label whose classification component is higher than or equal to the second label's classification and whose compartment components include all of the second label's compartment components. If the components are the same, the labels are said to dominate each other and are equal. If one label dominates the other and the labels are not equal, it is said to strictly dominate the other. Two labels are disjoint if they are not equal and neither label is dominant.
A label of an object that has been changed to a value that does not dominate the previous value of the label.
A privilege available for use by a process and currently enabled.
A user ID that overrides a user's real user ID when necessary to run a particular program or an option of a program. The security administrator assigns an effective UID to a command or action in a rights profile when that command or action must be run by a specific user, most often when the command must be run as root. Effective group IDs are used in the same fashion. Note that using setuid as in conventional UNIX systems does not work due to the need for privileges.
A computer system that meets a set standard of government security requirements. See also extended configuration.
A computer system that is no longer an evaluatable configuration due to modifications that have broken security policy.
A shortcut method for specifying IP addresses in the tnrhtp(4) file. The fallback mechanism recognizes 0 as a wildcard in the rightmost bytes of the IP addresses.
A privilege in a set of privileges specified by the security administrator to be enabled unconditionally when the application is executed by any user with access to a rights profile containing that application. If the privilege is not in the application's allowed privilege set for the rights profile, it will not be available in the forced privilege set. Forced privileges are assigned to the application's executable file using File Manager.
A Trusted Solaris host having more than one network interface and used to connect two or more networks.
An integer used to identify a group of users that have common access permissions. Group ID is a security attribute in the Trusted Solaris environment. See also discretionary access control (DAC).
A computer attached to a network.
A record in the tnrhtp(4) file used to define the security attributes of a class of hosts that are permitted access to the network.
A classification of a host used in network communications and stored in the tnrhtp(4) database. The host type determines which network protocol is used to communicate with other hosts on the network. Network protocol refers to the rules for packaging communication information.
An alternate term for security administrator, no longer used in the Trusted Solaris environment.
A privilege that is granted to a process when the application is run by a user permitted to use the rights profile containing the application. An inheritable privilege can be passed on to child processes created by the application. The security administrator assigns inheritable privileges to commands or actions in a rights profile using the Rights tool. See also allowed privilege and forced privilege.
The name of a special user with root capabilities responsible for configuring the Trusted Solaris system.
Also referred to as a sensitivity label or SL, a string indicating the security level of an entity (file, directory, process, device, or network interface) used to determine whether access should be permitted in a particular transaction. There are two components to a label: a classification indicating the hierarchical level of security, and zero or more compartments for defining who has a need to access the entity given a sufficiently high classification. See also label encodings file.
A file managed by the security administrator that contains the definitions for all valid clearances and labels as well as defining the system accreditation range, user accreditation range, and labeling of hardcopy reports for the site.
Any set of labels bounded on the upper end by a clearance or maximum label, on the lower end by a minimum label, and consisting of well-formed labels. Label ranges are used to enforce mandatory access control (MAC). See also label encodings file, account label range, accreditation range, network accreditation range, session range, system accreditation range, and user accreditation range.
A security feature that displays the administrative labels or substitutes unclassified placeholders for the administrative labels. For example, if it is against security policy to expose the labels ADMIN_HIGH and ADMIN_LOW, the labels REGISTERED and PUBLIC may be substituted.
The Trusted Solaris version of CDE workspaces, which confines the activity in a workspace to a label. There are two exceptions. (1) Authorized users can move a window at a different label into the workspace using the Occupy Workspace or Occupy All Workspaces command. (2) Certain applications, such as Mailer, permit operation at multiple labels from a labeled workspace.
A system-enforced access control mechanism that uses clearances and labels to enforce security policy. MAC associates the programs a user runs with the security level (clearance or label) at which the user chooses to work in the session and permits access to information, programs, and devices at the same or lower level only. MAC also prevents users from writing to files at lower levels. MAC cannot be overridden without special authorizations or privileges. Contrast with discretionary access control (DAC).
A label assigned to a user as the lower bound of the set of labels at which that user may work. By default, the minimum label is the user's initial label when the user first begins a Trusted Solaris session. The user can optionally change the initial label by changing the home session.
Also, the lowest label permitted to any non-administrative user. It is assigned by the security administrator and it defines the bottom of the user accreditation range.
A special type of directory that transparently stores information by label in separate subdirectories called single-level directories. When users access multi-level directories through the command line or use File Manager, they see information at their current label only. See also single-level directory (SLD).
The set of labels within which Trusted Solaris hosts are permitted to communicate on a network.
A user who holds no special authorizations that allow exceptions from the standard security policies of the system; not an assumer of an administrative role.
A passive entity that contains or receives data, such as a data file, directory, printer, or other device, and is acted upon by subjects. In some cases, a process may be an object, such as when you send a signal to a process.
A set of codes that indicate which users are allowed to read, write, or execute the file or directory (folder). Users are classified as owner, group (the owner's group), and other (everyone else). Read permission (indicated by r) lets the user read the contents of a file or, if a directory, list the files in the folder. Write permission (w) lets the user make changes to a file or, if a folder, add or delete files. Execute permission (x) lets the user run the file if it is executable or, if a directory, read or search its files. Also referred to as UNIX permissions or permission bits.
The security principle that restricts users to only those functions necessary to perform their jobs. It is applied in Trusted Solaris systems by making privileges available to programs on an as-needed basis and enabling the privileges on an as-needed basis for specific purposes only.
A permission granted to a program by the security administrator to override some aspect of security policy. To be usable by the program, the privilege must be (1) in the allowed privilege set assigned to the program's executable file, and (2) either in the forced privilege set assigned to the executable file or in the process's inheritable privilege set. The term "effective privilege" refers to privileges that are currently enabled. See also authorization and privilege set.
The coding technique of enabling a privilege only while it is needed for a specific function. This is in keeping with the principle of least privilege.
A group of allowed privileges, forced privileges, inheritable privileges, effective privileges, or saved privileges. Privilege set is a useful term for describing how privileges are assigned and made available to programs. Allowed and forced privileges are assigned by the security administrator to executable files through File Manager. Inheritable privileges are assigned by the security administrator to commands and actions in rights profiles through the Rights tool. Effective and saved privileges are mainly of use to developers and are determined by the system.
A running program. In the Trusted Solaris environment, processes have security attributes, such as user ID (UID), group ID (GID), the user's audit ID (AUID), privileges, the process clearance, and the label of the current workspace.
A clearance equal to the session clearance that sets a boundary on the highest label at which the process can write information.
See rights profile.
A version of the Bourne shell that lets a user run a command with the privileges, label ranges, and effective UIDs/GIDs assigned to the command in the rights profile.
A file that contains read-only information, is not modifiable by normal users, and has no implications for security, such as the system clock. There is little need to perform auditing on public objects.
The ability of a subject to view an object whose label it dominates. Security policy generally allows reading down. For example, a text editor program running at Secret can read Confidential data. See also mandatory access control (MAC) and reading up.
The ability of a subject to view an object at a label that dominates the subject's label. Due to mandatory access control (MAC), reading up is generally prohibited unless the subject has the appropriate privilege. For example, a text editor program running at Confidential cannot normally read Secret data. See also reading down.
A mechanism that enables a site's security administrator to bundle authorizations, commands, CDE actions, and any inheritable privileges, label ranges, and effective UIDs/GIDs necessary for the commands and actions. A rights profile generally contains related tasks. It can be assigned to users and roles.
A special user account that gives the user assuming the role access to certain applications with the authorizations, privileges, and effective UIDs/GIDs necessary for performing the specific tasks.
In the Trusted Solaris environment, the role assigned to the user or users responsible for installing commercial software. The Trusted Solaris version of root does not have the all-powerful capabilities of root in standard UNIX systems.
(This is mainly of use to developers.) A privilege set inherited by a process when its parent process performs an execve(2). The saved privileges become invalid if the process changes its effective user ID but are re-enabled on a return to the prior user ID.
In the Trusted Solaris environment, the role assigned to the user or users responsible for defining and enforcing the site security policy. The security administrator can work at any label in the system accreditation range and potentially has access to all information at the site. The security administrator configures the security attributes for all users and equipment. See also label encodings file.
A property of an entity (file, directory, process, device, or network interface) in the Trusted Solaris environment related to security. Security attributes include identification values such as user ID (UID) and group ID (GID), different types of clearances, and all types of labels and label ranges. Note that only certain security attributes apply to a particular type of entity.
In the Trusted Solaris environment, the set of DAC, MAC, and label rules that define how information may be accessed and by whom. At a customer site, the set of rules that defines the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.
See label.
The time between logging into and out from a Trusted Solaris host. The trusted stripe appears in all Trusted Solaris sessions to confirm that users are not being spoofed by a counterfeit environment.
A clearance set at login that defines the upper boundary of labels for a Trusted Solaris session. If the user is permitted to set the session clearance, the user can specify any value within the user's account label range. If the user's account is configured for forced single-level sessions, the session clearance is set to the default value specified by the security administrator. See also clearance.
The set of labels available to a user during a Trusted Solaris session. It is bounded at the upper boundary by the user's session clearance and at the lower end by the minimum label.
A user account that has been configured for operation at a single label only.
A subdirectory within a multi-level directory (MLD) containing files and optionally subdirectories at a single label only. Single-level directory names are created by the Trusted Solaris operating system; it uses the .SLD. prefix followed by a number indicating the sequence in which they were created. When a user changes to a multi-level directory, the user actually goes to the single-level directory matching the user's current label. See also adorned name.
To counterfeit a software program in order to gain access to, or information from, a system illegally.
See dominating label.
An active entity in the Trusted Solaris environment, usually a process running on behalf of a user or role, that causes information to flow among objects or changes the system state.
The set of all valid labels for a site including the administrative labels available to the site's security administrators and system administrators. The system accreditation range is defined in the label encodings file.
In the Trusted Solaris environment, the role assigned to the user or users responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. See also security administrator.
In the Trusted Solaris environment, the role assigned to the user or users responsible for backing up systems.
An application that has been granted one or more privileges.
The part of the Trusted Solaris environment that affects security; it includes software, hardware, firmware, documentation, and administrative procedures. Utility programs and application programs that can access security-related files are all part of the trusted computing base.
All activities associated with system administration in a conventional UNIX environment, plus all of the administrative activities necessary to maintain the security of a distributed system and the data it contains.
Refers to the mechanism for accessing actions and commands permitted to interact with the trusted computing base (TCB). See also Trusted Path menu, trusted path symbol, and trusted stripe.
A menu of Trusted Solaris operations that is displayed by holding down mouse button 3 over the switch area of the Front Panel. The menu selections fall into three categories: workspace-oriented selections, role assumption selections, and security-related tasks.
The symbol (the letters TP) that appears at the left of the trusted stripe area. It is displayed whenever the user accesses any portion of the trusted computing base (TCB).
A rectangular graphic in a reserved area at the bottom of the screen that appears in all Trusted Solaris sessions. Its purpose is to confirm valid Trusted Solaris sessions. Depending on a site's configuration, the trusted stripe has one or two components: (1) a mandatory trusted path symbol to indicate interaction with the trusted computing base (TCB), and (2) an optional label to indicate the label of the current window or workspace.
A label of an object that has been changed to a value that dominates the previous value of the label.
The name of a file or directory whose label has been upgraded and thus dominates the label of the directory that contains it. The security administrator can configure a system so that upgraded names are displayed or hidden from users by default.
The largest set of labels that the security administrator can potentially assign to a user at a specific site. The user accreditation range excludes the administrative labels and any label combinations available to administrators only. It is defined in the label encodings file.
A clearance assigned by the security administrator that defines the upper boundary of a user's account label range; it determines the highest label at which the user is permitted to work in a Trusted Solaris environment. See also clearance and session clearance.
An integer used to identify a user for the purposes of discretionary access control (DAC), mandatory access control (MAC), and auditing. User ID is a security attribute in the Trusted Solaris environment. See also access permissions.
A label that is permitted by all applicable rules in the label encodings file to be included in a range.
See labeled workspace.
The ability of a subject to write to an object whose label is strictly dominated by the subject's label. Due to mandatory access control (MAC), writing down is not permitted without the appropriate privilege. For example, a text editor program running at Secret cannot write Confidential data without the right privilege. Note that writing between subjects and objects at equal labels is permitted and is the norm. See also mandatory access control (MAC) and writing up.
The ability of a subject to write to an object whose label dominates (or is equal to) the subject's label. For example, a text editor program running at Confidential can write Secret data (if its session clearance is at SECRET or higher). See also mandatory access control (MAC) and writing down.
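The dominance relation (dominating label), the administrative labels ADMIN_LOW and ADMIN_HIGH, and the four MAC rules above (reading down, reading up, writing down, writing up, bounded by the process clearance) fit together as one small decision procedure. The model below is an added example, not Trusted Solaris code; its classification order and compartment names are constructed stand-ins for what a site's label encodings file would define.

```python
"""Toy model of Trusted Solaris label dominance and MAC read/write decisions.

The classification hierarchy and compartment names below are constructed for
illustration only; a real site defines them in its label encodings file.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed classification hierarchy, lowest to highest.  ADMIN_LOW and
# ADMIN_HIGH bracket the normal classifications, so ADMIN_LOW is strictly
# dominated by every other label and ADMIN_HIGH strictly dominates every other.
CLASSIFICATIONS = ["ADMIN_LOW", "UNCLASSIFIED", "CONFIDENTIAL", "SECRET",
                   "TOP SECRET", "ADMIN_HIGH"]
# Constructed compartment universe (nonhierarchical need-to-know groups).
ALL_COMPARTMENTS = frozenset({"ENG", "FIN", "PROJ_X"})


@dataclass(frozen=True)
class Label:
    """A label: one classification plus zero or more compartments."""
    classification: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.classification!r}")
        unknown = self.compartments - ALL_COMPARTMENTS
        if unknown:
            raise ValueError(f"unknown compartments {sorted(unknown)}")

    @property
    def level(self) -> int:
        return CLASSIFICATIONS.index(self.classification)


ADMIN_LOW = Label("ADMIN_LOW")                      # lowest, no compartments
ADMIN_HIGH = Label("ADMIN_HIGH", ALL_COMPARTMENTS)  # highest, all compartments


def dominates(a: Label, b: Label) -> bool:
    """a dominates b: classification >= b's and compartments a superset of b's."""
    return a.level >= b.level and b.compartments <= a.compartments


def strictly_dominates(a: Label, b: Label) -> bool:
    """Dominates and is not equal."""
    return dominates(a, b) and a != b


def disjoint(a: Label, b: Label) -> bool:
    """Neither label dominates the other (so they are also not equal)."""
    return not dominates(a, b) and not dominates(b, a)


def may_read(subject: Label, obj: Label, privileged: bool = False) -> bool:
    """Reading down (or at an equal label) is allowed; reading up needs a privilege."""
    return dominates(subject, obj) or privileged


def may_write(subject: Label, obj: Label, clearance: Label,
              privileged: bool = False) -> bool:
    """Writing up (or at an equal label) is allowed only while the object's label
    stays within the process clearance; writing down needs a privilege."""
    if not dominates(clearance, obj):
        return False  # the process clearance bounds the highest writable label
    return dominates(obj, subject) or privileged


if __name__ == "__main__":
    secret_eng = Label("SECRET", frozenset({"ENG"}))
    conf = Label("CONFIDENTIAL")
    clearance = Label("SECRET", ALL_COMPARTMENTS)
    print("Secret/ENG editor reads Confidential:", may_read(secret_eng, conf))
    print("Confidential editor writes Secret/ENG:", may_write(conf, secret_eng, clearance))
    print("Secret/ENG editor writes Confidential:", may_write(secret_eng, conf, clearance))
```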