Site security policy is the security policy that an organization sets up to protect its proprietary information. With Trusted Extensions software, labels and mandatory access control (MAC) can be part of this policy. Labels implement a set of rules that is a part of system security policy. System security policy is the set of rules that is enforced by system software to protect information that is being processed on the system. The term security policy can refer to policy or to implementation of the policy.
All systems that are configured with Trusted Extensions have labels. Labels are specified in a label_encodings file. For a description of the file, see the label_encodings(4) man page. For descriptions of the encodings files that are delivered with Solaris Trusted Extensions packages, see Sources for Encodings Files.
Trusted Extensions installs a default version of the label_encodings file. The default version supplies several commercial labels. This version can sometimes be used in non-production environments for learning purposes. A site can also customize one of the label encodings files that are delivered with the Solaris Trusted Extensions packages. For an example of a site-specific file, see Appendix A, Sample Label Encodings File.
Every computer in the Trusted Extensions network needs its own copy of the site's label_encodings file. For interoperability, the label_encodings file on every computer in the network should be compatible. At the very least, each computer should recognize the labels on every other computer in the network.
Certain types of labels must be defined. The security administrator specifies the numeric values and the bits that make up the internal representation of labels. Users and roles see the textual representation of labels. The labeling software translates between the internal form and the textual form of labels.
The label_encodings file provides the rules for translating the internal representation of labels to their textual strings. The textual strings can be visible on the desktop. The internal representation is recorded in the audit trail and is interpreted by the praudit command.
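The following is an added example, not part of the original documentation or of the Trusted Extensions software: a pre-deployment check that two hosts' label_encodings files recognize the same classification names and map them to the same numeric values. It assumes a simplified CLASSIFICATIONS section that uses only the name=, sname= and value= keywords; the two file bodies are constructed samples, the function names are hypothetical, and compartment words are not compared.

```python
import re

# Constructed, simplified file bodies for two hosts (not from a real site).
HOST_A = """\
VERSION= constructed example A
CLASSIFICATIONS:
* comment lines start with an asterisk
name= PUBLIC; sname= PUB; value= 2;
name= CONFIDENTIAL; sname= CNF; value= 4;
name= RESTRICTED; sname= RST; value= 6;
INFORMATION LABELS:
"""
HOST_B = """\
VERSION= constructed example B
CLASSIFICATIONS:
name= PUBLIC; sname= PUB; value= 2;
name= CONFIDENTIAL; sname= CNF; value= 5;
INFORMATION LABELS:
"""

def classifications(text):
    """Return {name: value} for entries in the CLASSIFICATIONS section."""
    found, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        if re.fullmatch(r"[A-Z ]+:", line):  # section header line
            in_section = (line == "CLASSIFICATIONS:")
            continue
        if in_section:
            fields = dict(re.findall(r"(\w[\w ]*?)=\s*([^;]+);", line))
            if "name" in fields and "value" in fields:
                found[fields["name"].strip()] = int(fields["value"])
    return found

def compare(a_text, b_text):
    """List labels one host lacks and labels whose internal values differ."""
    a, b = classifications(a_text), classifications(b_text)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "value_mismatch": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

if __name__ == "__main__":
    print(compare(HOST_A, HOST_B))
```

A non-empty only_in_a or only_in_b list means one host would not recognize a label used by the other; a value_mismatch entry means the same textual label translates to different internal values on the two hosts.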
The security administrator is the person who defines and plans the implementation of an organization's security policy. The security administrator establishes information-protection procedures, makes sure computer users and administrators are properly trained, and monitors compliance.
The Security Administrator role is created in the software. The role is assigned to one or more administrators who fully understand Trusted Extensions administration. These administrators are cleared to view and to protect the highest level of information that is processed by Trusted Extensions. One of the responsibilities of the security administrator is to create the site's label_encodings file to replace the version that Sun installs. The administrator can also decide whether labels are visible on the desktop. Even when labels are not visible, objects and processes on the system are labeled, and MAC is enforced.
Trusted Extensions provides the Security Administrator role with the tools and capabilities to put the organization's security policy into effect. To assume the role, you first log in as an ordinary user, then assume the role. At your site, the security administrator who defines the site's security policy might or might not be the same person who implements the policy.