Planning for Supporting Procedures
Rules for Protecting a File or Directory Labeled with the REGISTERED Sensitivity Label
The Security Administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company unless certain additional precautions are taken. Therefore, those who have REGISTERED in their clearance must be instructed to use UNIX permissions, so that only the creator can look at or modify the file. See the following example.
Example 5-1 Using DAC to Protect Registered Information
trusted% getplabel R trusted% mkdir registered.dir trusted% chmod 700 registered.dir trusted% cd registered.dir trusted% touch registered.file trusted% ls -l -rwxrwxrwx registered.file trusted% chmod 600 registered.file trusted% ls -l -rw------- registered.file |
As shown in the example, the user who creates a file or directory while working at an sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only and to set the directory's permissions to be readable, writable, and searchable only by the owner. This ensures that another user who can work at REGISTERED cannot read the file.
Rules for Configuring Printers
Table 5-1 shows how printers in various locations accessible to various types of people need to be configured.
Table 5-1 Printer Label Range Example Settings in Various Locations|
Printer Location |
Type of Access |
Label Range |
|---|---|---|
|
lobby or public meeting room |
Anyone |
PUBLIC to PUBLIC |
|
internal company printer room |
Available to all employees and others who have signed nondisclosure agreements |
PUBLIC to INTERNAL_USE_ONLY |
|
restricted area for one group |
Members of group specified in the NEED_TO_KNOW GROUP_NAME compartment | NEED_TO_KNOW GROUP_NAME to NEED_TO_KNOW GROUP_NAME |
|
strictly controlled area |
Available only to those who have the REGISTERED classification in their clearance |
REGISTERED to REGISTERED |
See "Managing Printing" in Trusted Solaris Administrator's Procedures.
Rules for Handling Printer Output
Those who have access to restricted printers will be instructed to:
-
Protect information according to the instructions on the printer banner and trailer pages.
-
Shred jobs that do not have both a banner and a trailer page and that do not have matching job numbers on the banner and trailer pages.
- © 2010, Oracle Corporation and/or its affiliates