
Securing Files and Verifying File Integrity in Oracle® Solaris 11.4


Updated: August 2018
 
 

Protect Data With a Label Policy

The label policy on your computer system is an information protection policy that is enforced in software. For example, an information protection policy classifies its data according to sensitivity, value to the organization, and legal requirements related to confidentiality. Once identified, files that hold sensitive, valuable, or legally required information can be appropriately labeled. Labels such as Confidential - Restricted and Confidential - Highly Restricted can isolate and protect information in every department. You can create file systems or modify existing file systems to contain labeled data, and assign individual users the ability to access the sensitive files that they are responsible for.

Users, user processes, and other processes can access data whose label they dominate. How you label processes is part of your label policy. To create labeled processes, see Chapter 6, Labeling Processes for Data Loss Protection in Securing Users and Processes in Oracle Solaris 11.4.

Default Label Policy

This section describes the default label policy and considerations when developing your label policy.

After you install the pkg:/system/file_labeling package, you can customize your label policy, add labels to file systems, and assign clearances to users and SMF services. Until you customize your label policy, the default clearance is the highest label, ADMIN_HIGH, so access is not restricted by label.

$ svcs labeld:clearance
STATE          STIME    FMRI
online         Sep_25   svc:/system/labeld:clearance

Displaying Label and Policy Information

To view the policy details, use the labelcfg info command. For the steps that created this sample, see the labelcfg(8) man page.

# labelcfg info
title=Sample Information Protection Policy
classification=Public
	level=1
classification=Confidential -
	level=2
compartment=Highly Restricted
	bit=0
	subcompartments="Restricted"
	minclass=Confidential -
compartment=Restricted
	bit=1
	subcompartments="Internal"
	minclass=Confidential -
compartment=Internal
	bit=2
	minclass=Confidential -
min_label=Public
clearance=ADMIN_HIGH

Note that each classification has a numeric equivalent indicated by a level number. A higher classification has a higher level number. The compartments are differentiated by bits, so bit numbers do not indicate a higher or lower label. Classifications plus their compartments comprise the list of valid labels. When you list the labels, they display from highest label to lowest without displaying the ADMIN_HIGH or ADMIN_LOW label.

# labelcfg list
"Confidential - Highly Restricted"
"Confidential - Restricted"
"Confidential - Internal"
Public

The value of clearance in the encodings file applies to users or roles who do not have an explicit key-value setting for the clearance security attribute. The root role and the initial account that was created during the installation of Oracle Solaris have an explicit clearance, ADMIN_HIGH.


Caution  -  Never change the explicit ADMIN_HIGH clearance of the root account.


User processes inherit the clearance of the user's primary login process. To view the clearance of your current process, type plabel in a terminal window. You have access to all labels from your clearance to ADMIN_LOW.

$ plabel
ADMIN_HIGH
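
The following is an added example, not part of the Oracle documentation. It parses the labelcfg info sample shown above and applies the standard dominance rule (classification level at least as high, compartment bits a superset) to list the labels a given clearance can access. It assumes that a compartment carries the bits of its subcompartments, which matches the labelcfg list ordering on this page; all function names are hypothetical.

```python
# Input copied from this page's `labelcfg info` / `labelcfg list` output (trimmed).
INFO = """\
classification=Public
    level=1
classification=Confidential -
    level=2
compartment=Highly Restricted
    bit=0
    subcompartments="Restricted"
compartment=Restricted
    bit=1
    subcompartments="Internal"
compartment=Internal
    bit=2
"""
LABELS = ["Confidential - Highly Restricted", "Confidential - Restricted",
          "Confidential - Internal", "Public"]

def parse_policy(text):
    levels, bits, subs, name = {}, {}, {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("classification", "compartment"):
            name = value
        elif key == "level":
            levels[name] = int(value)
        elif key == "bit":
            bits[name] = 1 << int(value)
        elif key == "subcompartments":  # the sample has one per compartment
            subs[name] = value.strip('"')
    return levels, bits, subs

def resolve(label, policy):
    levels, bits, subs = policy
    if label == "ADMIN_HIGH":  # dominates every label in the policy
        return max(levels.values()) + 1, sum(bits.values())
    cls = max((c for c in levels if label.startswith(c)), key=len)
    comp, mask = label[len(cls):].strip(), 0
    while comp:  # assumption: a compartment carries its subcompartments' bits
        mask |= bits[comp]
        comp = subs.get(comp)
    return levels[cls], mask

def dominates(a, b, policy):
    (la, ma), (lb, mb) = resolve(a, policy), resolve(b, policy)
    return la >= lb and (ma & mb) == mb  # level >= and bits are a superset

def accessible(clearance, policy):
    return [l for l in LABELS if dominates(clearance, l, policy)]
```

Calling accessible("Confidential - Restricted", parse_policy(INFO)) returns every label except Confidential - Highly Restricted, while ADMIN_HIGH returns all four, which is why the default clearance does not restrict access.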

Customizing a Label Policy

Your label policy protects data during use, just as encryption protects data at rest. The overall process is:

  1. Separate sensitive data.

  2. Limit access to the data to specific individuals or groups.

  3. Monitor the data during use.

  4. Archive the data such that machine operators, IT personnel, and users who can assume the root role cannot view the information in the files through normal operations.

To configure labeling, you install the labeling package, then configure the labels to satisfy the security requirements of your organization. When configuring a label policy, you supply a minimum label, a maximum label (or clearance) for users, and a hierarchy of labels. You can also define disjoint label relationships. At login, the processes of users to whom you assigned a higher clearance start at that clearance. Then, sensitive data that is labeled at a high label can be accessed only by those users whose processes are running at the higher clearance.

You can either use one of the supplied policies, which are sufficient for testing and demonstrations, or create your own label policy specific to your organization's requirements regarding its sensitive information.

When creating a label policy, cover the following issues:

  • Identify the sensitivity of the data

    For example, credit cards and health records might be considered highly sensitive information, vendor discounts might be sensitive information, vendor visits might be internal information, and marketing announcements would be public information.

  • Identify the departments of your organization that handle sensitive data

    For example, regulatory bodies require companies that handle credit cards to protect the credit card details and transaction details. Departments of the company that handle credit cards would need labeled file systems, and individual users and roles who are permitted to view the credit card details or handle disputes about credit card use would need sufficient clearance.

  • Identify users or roles in each department of your organization whom you trust to handle sensitive material

    For example, you might allow some people in receivables to view credit card information but not others. Those individuals or groups who can modify information would need clearance to do so, as would those who need to view the information.

  • Identify departments that should not see information from other departments

    For example, perhaps the executive board should not be able to see credit card information. For highly sensitive information, each department of the company would need its own compartment, for example, Confidential - Highly Restricted(Exec) and Confidential - Highly Restricted(Payments), where Payments handlers do not have access to Executive discussions and Executive users do not have access to payment details. In each group, the information being protected is of high value.

  • Identify services that should be protected by a label

    For example, you might protect applications that contain information of high value, such as internal browser interface applications or FTP services.

    See Example - Protecting the FTP Service With a Label in Securing Users and Processes in Oracle Solaris 11.4.

Oracle Solaris simplifies the creation of a label policy. As you enter your labels, the software provides the numbers that create the hierarchy of labels as well as the numbers for the compartments that separate departments of your organization. You provide the names that you want, starting at the lowest label. Public or Internal are possible lowest labels. See Configuring Labels on an Oracle Solaris System for a detailed description of the tasks involved in creating and maintaining a custom label policy.