This appendix contains the label_encodings file that was customized for SecCompany, Inc. in Chapter 6, Example of Planning an Organization's Encodings File. This appendix also contains a sample of the debugging steps that the security administrator performed to create a syntactically correct file. Sample output from the chk_encodings -a command is provided.
At SecCompany, PUBLIC is the sensitivity label for communications across the Internet. INTERNAL_USE_ONLY is the sensitivity label for communications within the company.
The ALL_DEPARTMENTS compartment word gets turned on when all defined compartment bits are on. This compartment word works as a toggle in a label builder.
* ident "@(#)label_encodings.seccompany %I% %E%"
*
* Copyright 2010 SecCompany, Inc. All rights reserved.
* Use is subject to license terms.
*
*
* These confidential labels are required by SecCompany's
* legal and information protection departments.
* Department names can be used for controlling
* access to information across department boundaries.
* These labels are used for mandatory access control
* checks based on user clearance labels and
* sensitivity labels on files and directories.

VERSION= SecCompany, Inc. Example Version - 2.2 10/10/20

CLASSIFICATIONS:

name= PUBLIC; sname= PUB; value= 1;
name= INTERNAL_USE_ONLY; sname= IUO; aname= IUO; value= 4;
name= NEED_TO_KNOW; sname= NTK; aname= NTK; value= 5;
name= REGISTERED; sname= REG; aname= REG; value= 6;

INFORMATION LABELS:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMGT; compartments= 11; minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FIN; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MFG; compartments= 18; minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

SENSITIVITY LABELS:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMGT; compartments= 11; minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FIN; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MFG; compartments= 18; minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

CLEARANCES:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMGT; compartments= 11; minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FIN; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MFG; compartments= 18; minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

CHANNELS:

WORDS:

name= DISTRIBUTE_ONLY_TO; prefix;
name= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); suffix;

name= ALL_DEPARTMENTS; prefix= DISTRIBUTE_ONLY_TO; compartments= 11-20;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= EXECUTIVE_MANAGEMENT_GROUP; prefix= DISTRIBUTE_ONLY_TO; compartments= 11;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SALES; prefix= DISTRIBUTE_ONLY_TO; compartments= 12;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= FINANCE; prefix= DISTRIBUTE_ONLY_TO; compartments= 13;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= LEGAL; prefix= DISTRIBUTE_ONLY_TO; compartments= 14;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MARKETING; prefix= DISTRIBUTE_ONLY_TO; compartments= 15 20;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= HUMAN_RESOURCES; prefix= DISTRIBUTE_ONLY_TO; compartments= 16;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= ENGINEERING; prefix= DISTRIBUTE_ONLY_TO; compartments= 17 20;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MANUFACTURING; prefix= DISTRIBUTE_ONLY_TO; compartments= 18;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SYSTEM_ADMINISTRATION; prefix= DISTRIBUTE_ONLY_TO; compartments= 19;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= PROJECT_TEAM; prefix= DISTRIBUTE_ONLY_TO; compartments= 20;
    suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);

PRINTER BANNERS:

WORDS:

name= SECCOMPANY CONFIDENTIAL:; prefix;
name= (NON-DISCLOSURE AGREEMENT REQUIRED); suffix;

name= ALL_DEPARTMENTS; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 11-20;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= EXECUTIVE_MANAGEMENT_GROUP; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 11;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= SALES; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 12;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= FINANCE; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 13;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= LEGAL; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 14 20;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= MARKETING; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 15;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= HUMAN_RESOURCES; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 16;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= ENGINEERING; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 17 20;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= MANUFACTURING; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 18;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= SYSTEM_ADMINISTRATION; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 19;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);
name= PROJECT_TEAM; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 20;
    suffix=(NON-DISCLOSURE AGREEMENT REQUIRED);

ACCREDITATION RANGE:

classification= PUBLIC; only valid compartment combinations:

PUB

classification= INTERNAL_USE_ONLY; only valid compartment combinations:

IUO

classification= NEED_TO_KNOW; all compartment combinations valid;

classification= REGISTERED; only valid compartment combinations:

REG

minimum clearance= PUB;
minimum sensitivity label= PUB;
minimum protect as classification= PUB;

*
* Local site definitions and locally configurable options.
*

LOCAL DEFINITIONS:

*
Classification Name= Classification;
Compartments Name= Departments;

Default User Sensitivity Label= PUB;
Default User Clearance= PUB;

COLOR NAMES:

label= Admin_Low; color= #bdbdbd;
label= PUBLIC; color= green;
label= INTERNAL_USE_ONLY; color= yellow;
label= NEED_TO_KNOW; color= blue;
label= NEED_TO_KNOW EMGT; color= #7FA9EB;
label= NEED_TO_KNOW SALES; color= #87CEFF;
label= NEED_TO_KNOW FIN; color= #00BFFF;
label= NEED_TO_KNOW LEGAL; color= #7885D0;
label= NEED_TO_KNOW MKTG; color= #7A67CD;
label= NEED_TO_KNOW HR; color= #7F7FFF;
label= NEED_TO_KNOW ENG; color= #007FFF;
label= NEED_TO_KNOW MFG; color= #0000BF;
label= NEED_TO_KNOW P_TEAM; color= #9E7FFF;
label= NEED_TO_KNOW SYSADM; color= #5B85D0;
label= NEED_TO_KNOW ALL; color= #4D658D;
label= REGISTERED; color= red;
label= Admin_High; color= #636363;

*
* End of local site definitions
*
After running the chk_encodings -a command several times, the security administrator corrected the syntax of the label_encodings file. The following corrections provide a sample:
Label encodings conversion error:
In PRINTER BANNERS WORDS, word "ALL_DEPARTMENTS": SUFFIX "(NON-DISCLOSURE AGREEMENT REQUIRED)" not found.
Description: The final parenthesis after REQUIRED in the ALL_DEPARTMENTS entry was missing. The security administrator typed the parenthesis.
Label encodings conversion error at line 168:
In ACCREDITATION RANGE, classification "INTERNAL_USE_ONLY": SENSITIVITY LABEL "INTERNAL_USE_ONLY" not in canonical form. Is IUO what was intended?
Description: The security administrator replaced INTERNAL_USE_ONLY with IUO at line 168.
Label encodings conversion error at line 172:
In ACCREDITATION RANGE, classification "NEED_TO_KNOW": No sensitivity labels allowed after ALL COMPARTMENT COMBINATIONS VALID.
Description: The security administrator removed NEED_TO_KNOW at line 172.
"DEFAULT USER SENSITIVITY LABEL= PUBLIC" is not in canonical form. Is PUB what is intended?
Description: The security administrator replaced PUBLIC with PUB.
Label encodings conversion error at line 206: Invalid color label "NEED_TO_KNOW EMG".
Description: The security administrator replaced EMG with EMGT.
The following is an excerpt from the successful execution of the chk_encodings -a command.
No errors found in label_encodings.seccompany.

---> VERSION = SECCOMPANY, INC. EXAMPLE VERSION - 2.2 10/10/20 <---

---> CLASSIFICATIONS <---

Classification 1: PUBLIC (PUB)
Initial Compartment bits: NONE
Initial Markings bits: NONE

Classification 4: INTERNAL_USE_ONLY (IUO) / IUO
Initial Compartment bits: NONE
Initial Markings bits: NONE

Classification 5: NEED_TO_KNOW (NTK) / NTK
Initial Compartment bits: NONE
Initial Markings bits: NONE

Classification 6: REGISTERED (REG) / REG
Initial Compartment bits: NONE
Initial Markings bits: NONE

---> COMPARTMENTS AND MARKINGS USAGE ANALYSIS <---

Normal compartment bits defined: 11-20
Regular inverse compartment bits defined: NONE
Compartment bits reserved as 1 but not defined: NONE

Normal marking bits defined: NONE
Regular inverse marking bits defined: NONE
Marking bits reserved as 1 but not defined: NONE

---> INFORMATION LABEL WORDS <---
...

---> SENSITIVITY LABEL WORDS <---

Word: ALL_DEPARTMENTS (ALL)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above: NONE
Words hierarchically below:
    EXECUTIVE_MANAGEMENT_GROUP (EMGT)
    SALES (SALES)
    FINANCE (FIN)
    LEGAL (LEGAL)
    MARKETING (MKTG)
    HUMAN_RESOURCES (HR)
    ENGINEERING (ENG)
    MANUFACTURING (MFG)
    SYSTEM_ADMINISTRATION (SYSADM)
    PROJECT_TEAM (P_TEAM)

Word: EXECUTIVE_MANAGEMENT_GROUP (EMGT)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above:
    ALL_DEPARTMENTS (ALL)
Words hierarchically below: NONE

Word: SALES (SALES)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above:
    ALL_DEPARTMENTS (ALL)
Words hierarchically below: NONE
...

Word: MARKETING (MKTG)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above:
    ALL_DEPARTMENTS (ALL)
Words hierarchically below:
    PROJECT_TEAM (P_TEAM)
...

Word: PROJECT_TEAM (P_TEAM)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above:
    ALL_DEPARTMENTS (ALL)
    MARKETING (MKTG)
    ENGINEERING (ENG)
Words hierarchically below: NONE

---> CLEARANCE WORDS <---

Word: ALL_DEPARTMENTS (ALL)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above: NONE
Words hierarchically below:
    EXECUTIVE_MANAGEMENT_GROUP (EMGT)
    SALES (SALES)
    FINANCE (FIN)
    LEGAL (LEGAL)
    MARKETING (MKTG)
    HUMAN_RESOURCES (HR)
    ENGINEERING (ENG)
    MANUFACTURING (MFG)
    SYSTEM_ADMINISTRATION (SYSADM)
    PROJECT_TEAM (P_TEAM)

Word: EXECUTIVE_MANAGEMENT_GROUP (EMGT)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above:
    ALL_DEPARTMENTS (ALL)
Words hierarchically below: NONE
...

Word: MARKETING (MKTG)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above:
    ALL_DEPARTMENTS (ALL)
Words hierarchically below:
    PROJECT_TEAM (P_TEAM)
...

Word: PROJECT_TEAM (P_TEAM)
Valid classification range: NTK -> REG
Type: Normal
Words hierarchically above:
    ALL_DEPARTMENTS (ALL)
    MARKETING (MKTG)
    ENGINEERING (ENG)
Words hierarchically below: NONE

---> CHANNEL WORDS <---

Prefix Word: DISTRIBUTE_ONLY_TO
Suffix Word: EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)

Word: DISTRIBUTE_ONLY_TO ALL_DEPARTMENTS EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
Valid classification range: PUB -> REG
Type: Normal
Words hierarchically above: NONE
Words hierarchically below:
    DISTRIBUTE_ONLY_TO EXECUTIVE_MANAGEMENT_GROUP EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO SALES EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO FINANCE EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO LEGAL EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO MARKETING EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO HUMAN_RESOURCES EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO ENGINEERING EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO MANUFACTURING EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO SYSTEM_ADMINISTRATION EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO PROJECT_TEAM EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)

Word: DISTRIBUTE_ONLY_TO EXECUTIVE_MANAGEMENT_GROUP EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
Valid classification range: PUB -> REG
Type: Normal
Words hierarchically above:
    DISTRIBUTE_ONLY_TO ALL_DEPARTMENTS EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
Words hierarchically below: NONE
...

Word: DISTRIBUTE_ONLY_TO PROJECT_TEAM EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
Valid classification range: PUB -> REG
Type: Normal
Words hierarchically above:
    DISTRIBUTE_ONLY_TO ALL_DEPARTMENTS EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO MARKETING EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
    DISTRIBUTE_ONLY_TO ENGINEERING EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
Words hierarchically below: NONE

---> PRINTER BANNER WORDS <---

Prefix Word: SECCOMPANY CONFIDENTIAL:
Suffix Word: (NON-DISCLOSURE AGREEMENT REQUIRED)

Word: SECCOMPANY CONFIDENTIAL: ALL_DEPARTMENTS (NON-DISCLOSURE AGREEMENT REQUIRED)
Valid classification range: PUB -> REG
Type: Normal
Words hierarchically above: NONE
Words hierarchically below:
    SECCOMPANY CONFIDENTIAL: EXECUTIVE_MANAGEMENT_GROUP (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: SALES (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: FINANCE (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: LEGAL (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: MARKETING (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: HUMAN_RESOURCES (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: ENGINEERING (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: MANUFACTURING (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: SYSTEM_ADMINISTRATION (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: PROJECT_TEAM (NON-DISCLOSURE AGREEMENT REQUIRED)

Word: SECCOMPANY CONFIDENTIAL: EXECUTIVE_MANAGEMENT_GROUP (NON-DISCLOSURE AGREEMENT REQUIRED)
Valid classification range: PUB -> REG
Type: Normal
Words hierarchically above:
    SECCOMPANY CONFIDENTIAL: ALL_DEPARTMENTS (NON-DISCLOSURE AGREEMENT REQUIRED)
Words hierarchically below: NONE
...

Word: SECCOMPANY CONFIDENTIAL: PROJECT_TEAM (NON-DISCLOSURE AGREEMENT REQUIRED)
Valid classification range: PUB -> REG
Type: Normal
Words hierarchically above:
    SECCOMPANY CONFIDENTIAL: ALL_DEPARTMENTS (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: LEGAL (NON-DISCLOSURE AGREEMENT REQUIRED)
    SECCOMPANY CONFIDENTIAL: ENGINEERING (NON-DISCLOSURE AGREEMENT REQUIRED)
Words hierarchically below: NONE

---> LOCAL DEFINITIONS <---

Classification Field Name is "CLASSIFICATION"
Compartments Field Name is "DEPARTMENTS"
Default User Clearance = "PUB"
Default User Sensitivity Label = "PUB"

---> SENSITIVITY LABEL to COLOR MAPPING <---

ADMIN_LOW = "#BDBDBD"
PUB = "GREEN"
IUO = "YELLOW"
NTK = "BLUE"
NTK EMGT = "#7FA9EB"
NTK SALES = "#87CEFF"
NTK FIN = "#00BFFF"
NTK LEGAL = "#7885D0"
NTK MKTG = "#7A67CD"
NTK HR = "#7F7FFF"
NTK ENG = "#007FFF"
NTK MFG = "#0000BF"
NTK P_TEAM = "#9E7FFF"
NTK SYSADM = "#5B85D0"
NTK ALL = "#4D658D"
REG = "RED"
ADMIN_HIGH = "#636363"
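The chk_encodings -a command reports no errors for this file, yet its PRINTER BANNER WORDS listing places LEGAL rather than MARKETING above PROJECT_TEAM, because the PRINTER BANNERS section assigns compartment bit 20 to a different word than the other sections do. The following Python check is an added example, not part of the original appendix or of Trusted Extensions: it compares each word's compartment bits across sections so that such differences can be reviewed. The names parse_words, mismatches and expand are hypothetical, and the parser assumes normal (non-inverse) compartment bits, as used in this file.

```python
import re
# Excerpt of the SecCompany file above: three words from two of its sections.
SAMPLE = """
SENSITIVITY LABELS:
WORDS:
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;
PRINTER BANNERS:
WORDS:
name= SECCOMPANY CONFIDENTIAL:; prefix;
name= LEGAL; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 14 20;
name= MARKETING; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 15;
name= PROJECT_TEAM; prefix= SECCOMPANY CONFIDENTIAL:; compartments= 20;
"""

SECTIONS = ("INFORMATION LABELS", "SENSITIVITY LABELS", "CLEARANCES",
            "CHANNELS", "PRINTER BANNERS")
# \b keeps "name=" from matching inside "sname=" or "aname=".
TOKEN = re.compile(r"(?P<section>%s):|\bname=\s*(?P<name>[^;]+);"
                   r"|\bcompartments=\s*(?P<bits>[^;]+);" % "|".join(SECTIONS))

def expand(spec):
    """Turn '11-20' or '15 20' into a frozenset of bit numbers."""
    bits = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        bits.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(bits)

def parse_words(text):
    """Return {section: {word name: compartment bits}}."""
    text = re.sub(r"(?m)^\s*\*.*$", "", text)  # drop '*' comment lines
    words, section, name = {}, None, None
    for m in TOKEN.finditer(text):
        if m.group("section"):
            section, name = m.group("section"), None
            words[section] = {}
        elif section and m.group("name"):
            name = m.group("name").strip()  # prefix/suffix names carry no bits
        elif section and name and m.group("bits"):
            words[section][name] = expand(m.group("bits"))
    return words

def mismatches(words, reference="SENSITIVITY LABELS"):
    """List (section, word, reference bits, section bits) where they differ."""
    ref = words[reference]
    return [(sec, w, sorted(ref[w]), sorted(bits))
            for sec, table in words.items() if sec != reference
            for w, bits in table.items() if w in ref and bits != ref[w]]
```

Whether a reported difference is intentional is a site decision; the check only surfaces it for review before the file is installed.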