Glossary

Glossaryaccess control list (ACL)A security feature of the Solaris OS. An ACL extends discretionary access control (DAC) to use a list of permission specifications (ACL entries) that apply to specific users and specific groups. An ACL allows finer-grained control than the control that standard UNIX permissions provides. access permissionA security feature of most computer systems. Access permission gives the user the right to read, write, execute, or view the name of a file or directory. See also discretionary access control (DAC) and mandatory access control (MAC). account label rangeThe set of labels that are assigned by the security administrator to a user or role for working on a system that is configured with Trusted Extensions. A label range is defined at the upper end by the user clearance and at the lower end by the user's minimum label. The set is limited to well-formed labels. accreditation rangeA set of labels that are approved for a class of users or resources. See also system accreditation range, user accreditation range, label encodings file, and network accreditation range. actionAn application that can be accessed from the CDE (Common Desktop Environment) graphical user interface. An action is represented by an icon. The action consists of one or more commands and optional user prompts. In Trusted Extensions, an action is only available to a user if the security administrator has included the action in a rights profile that is assigned to the user's account. Similarly, certain functions of the action might be available only if the security administrator has assigned the appropriate authorizations and privileges in that rights profile. administrative labelsTwo special labels intended for administrative files only: ADMIN_LOW and ADMIN_HIGH. ADMIN_LOW is the lowest label in the system with no compartments. This label is strictly dominated by all labels in the system. Information at ADMIN_LOW can be read by all but can only be written by a user in a role who is working at the ADMIN_LOW label. ADMIN_HIGH is the highest label in the system with all compartments. This label strictly dominates all labels in the system. Information at ADMIN_HIGH can only be read by users in roles that operate at ADMIN_HIGH. Administrative labels are used as labels or clearances for roles and systems. See also dominating label. allocatable deviceA security feature of the Solaris OS. An allocatable device can be used by one user at a time, and is capable of importing or exporting data from the system. The security administrator determines which users are authorized to access which allocatable devices. Allocatable devices include tape drives, floppy drives, audio devices, and CD-ROM devices. See also device allocation. audit ID (AUID)A security feature of the Solaris OS. An audit ID represents the login user. the AUID is unchanged after the user assumes a role, so is used to identify the user for auditing purposes. The audit ID always represents the user for auditing even when the user acquires effective UIDs/GIDs. See also user ID (UID). auditingA security feature of the Solaris OS. Auditing is a process for capturing user activity and other events on the system, then storing this information in a set of files that is called an audit trail. Auditing produces system activity reports to fulfill site security policy. authorizationA security feature of the Solaris OS. An authorization grants permission to a user to perform an action that is otherwise prohibited by security policy. The security administrator assigns authorizations to rights profiles. Rights profiles are then assigned to user or role accounts. Some commands and actions do not function fully unless the user has the necessary authorizations. See also privilege. classificationA component of a clearance or a label. A classification indicates a hierarchical level of security, for example, TOP SECRET or UNCLASSIFIED. clearanceA label that defines the upper boundary of a label range. A clearance has two components: a classification and zero or more compartments. A clearance does not need to be a well-formed label. A clearance defines a theoretical boundary, not necessarily an actual label. See also user clearance, session clearance, and label encodings file. Common Desktop Environment (CDE)A graphical desktop that includes a session manager, a window manager, and various desktop tools. Trusted Extensions adds trusted applications to the desktop, such as the label builder, Device Allocation Manager, and Selection Manager. See also Trusted GNOME. compartmentA nonhierarchical component of a label that is used with the classification component to form a clearance or a label. A compartment represents a group of users with a potential need to access this information, such as an engineering department or a multidisciplinary project team. compartmented mode workstation (CMW)A computing system that fulfills the government requirements for a trusted workstation as stated in Security Requirements for System High and Compartmented Mode Workstations, DIA document number DDS-2600-5502-87. Specifically, it defines a trusted, X Window System-based operating system for UNIX workstations. covert channelA communication channel that is not normally intended for data communication. A covert channel allows a process to transfer information indirectly in a manner that violates the intent of the security policy. deallocated deviceA security feature of the Solaris OS. A deallocated device is no longer allocated to a user for exclusive use. See also device allocation. deviceSee allocatable device. device allocationA security feature of the Solaris OS. Device allocation is a mechanism for protecting the information on an allocatable device from access by anyone except the user who allocates the device. When the device is deallocated, device clean scripts are run to clean information from the device before the device can be accessed again by another user. In Trusted Extensions, device allocation is handled by the Device Allocation Manager. Device Allocation ManagerA trusted application of Trusted Extensions. This GUI is used to configure devices, and to allocate and deallocate devices. Device configuration includes adding authorization requirements to a device. discretionary access control (DAC)An access control mechanism that allows the owner of a file or directory to grant or deny access to other users. The owner assigns read, write, and execute permissions to the owner, the user group to which the owner belongs, and a category called other, which refers to all other unspecified users. The owner can also specify an access control list (ACL). An ACL lets the owner assign permissions specifically to additional users and additional groups. Contrast with mandatory access control (MAC). disjoint labelSee dominating label. dominating labelIn a comparison of two labels, the label whose classification component is higher than or equal to the second label's classification and whose compartment components include all of the second label's compartment components. If the components are the same, the labels are said to dominate each other and are equal. If one label dominates the other and the labels are not equal, the first label is said to strictly dominate the other. Two labels are disjoint if they are not equal and neither label is dominant. downgraded labelA label of an object that has been changed to a value that does not dominate the previous value of the label. effective UIDs/GIDsA security feature of the Solaris OS. Effective IDs override a real ID when necessary to run a particular program or an option of a program. The security administrator assigns an effective UID to a command or action in a rights profile when that command or action must be run by a specific user, most often when the command must be run as root. Effective group IDs are used in the same fashion. Note that the use of the setuid command as in conventional UNIX systems might not work due to the need for privileges. evaluatable configurationA computer system that meets a set standard of government security requirements. See also extended configuration. extended configurationA computer system that is no longer an evaluatable configuration due to modifications that have broken security policy. fallback mechanismA shortcut method for specifying IP addresses in the tnrhtp database. For IPv4 addresses, the fallback mechanism recognizes 0 as a wildcard for a subnet. gatewayA host that has more than one network interface. Such a host can be used to connect two or more networks. When the gateway is a Trusted Extensions host, the gateway can restrict traffic to a particular label. group ID (GID)A security feature of the Solaris OS. A GID is an integer that identifies a group of users who have common access permissions. See also discretionary access control (DAC). hostA computer attached to a network. host templateA record in the tnrhtp database that defines the security attributes of a class of hosts that can access the Trusted Extensions network. host typeA classification of a host. The classification is used for network communications. The definitions of host types are stored in the tnrhtp database. The host type determines whether the CIPSO network protocol is used to communicate with other hosts on the network. Network protocol refers to the rules for packaging communication information. Trusted GNOMEA graphical desktop that includes a session manager, a window manager, and various desktop tools. Trusted GNOME is a fully accessible desktop. labelAlso referred to as a sensitivity label. A label indicates the security level of an entity. An entity is a file, directory, process, device, or network interface. The label of an entity is used to determine whether access should be permitted in a particular transaction. Labels have two components: a classification that indicates the hierarchical level of security, and zero or more compartments for defining who can access the entity at a given classification. See also label encodings file. label builderA trusted application of Trusted Extensions. This GUI enables users to choose a session clearance or a session label. The clearance or label must be within the account label range that the security administrator has assigned to the user. label encodings fileA file that is managed by the security administrator. The encodings file contains the definitions for all valid clearances and labels. The file also defines the system accreditation range, user accreditation range, and defines the security information on printouts at the site. label rangeAny set of labels that are bounded on the upper end by a clearance or maximum label, on the lower end by a minimum label, and that consist of well-formed labels. Label ranges are used to enforce mandatory access control (MAC). See also label encodings file, account label range, accreditation range, network accreditation range, session range, system accreditation range, and user accreditation range. label viewA security feature that displays the administrative labels or substitutes unclassified placeholders for the administrative labels. For example, if security policy forbids exposing the labels ADMIN_HIGH and ADMIN_LOW, the labels RESTRICTED and PUBLIC can be substituted. labeled workspaceA Solaris Trusted Extensions (CDE) or a Solaris Trusted Extensions (GNOME) workspace. A labeled workspace labels every activity that is launched from the workspace with the label of the workspace. When users move a window into a workspace of a different label, the moved window retains its original label. least privilegeSee principle of least privilege. mandatory access control (MAC)A system-enforced access control mechanism that uses clearances and labels to enforce security policy. A clearance or a label is a security level. MAC associates the programs that a user runs with the security level at which the user chooses to work in the session. MAC then permits access to information, programs, and devices at the same or lower level only. MAC also prevents users from writing to files at lower levels. MAC cannot be overridden without special authorizations or privileges. Contrast with discretionary access control (DAC). minimum labelA label that is assigned to a user as the lower bound of the set of labels at which that user can work. When a user first begins a Trusted Extensions session, the minimum label is the user's default label. At login, the user can choose a different label for the initial label.Also, the lowest label that is permitted to any non-administrative user. The minimum label is assigned by the security administrator and defines the bottom of the user accreditation range. network accreditation rangeThe set of labels within which Trusted Extensions hosts are permitted to communicate on a network. The set can be a list of four discrete labels. objectA passive entity that contains or receives data, such as a data file, directory, printer, or other device. An object is acted upon by subjects. In some cases, a process can be an object, such as when you send a signal to a process. operatorA role that can be assigned to the user or users who are responsible for backing up systems. ordinary userA user who holds no special authorizations that allow exceptions from the standard security policies of the system. Typically, an ordinary user cannot assume an administrative role. permissionsA set of codes that indicate which users are allowed to read, write, or execute the file or directory (folder). Users are classified as owner, group (the owner's group), and other (everyone else). Read permission (indicated by r) lets the user read the contents of a file or, if a directory, list the files in the folder. Write permission (w) lets the user make changes to a file or, if a folder, add or delete files. Execute permission (e) lets the user run the file if the file is executable. If the file is a directory, execute permission lets the user read or search the files in the directory. Also referred to as UNIX permissions or permission bits. principle of least privilegeThe security principle that restricts users to only those functions that are necessary to perform their jobs. The principle is applied in Trusted Extensions by making privileges available to programs on an as-needed basis. Privileges are available on an as-needed basis for specific purposes only. privilegeA security feature of the Solaris OS. A privilege is a permission that is granted to a program by the security administrator. A privilege can be required to override some aspect of security policy. See also authorization. privileged processA security feature of the Solaris OS. A privileged process runs with assigned has privileges. processA running program. Trusted Extensions processes have Solaris security attributes, such as user ID (UID), group ID (GID), the user's audit ID (AUID), and privileges. Trusted Extensions adds a label to every process. profileSee rights profile. profile shellA security feature of the Solaris OS. A version of the Bourne shell that enables a user to run programs with security attributes. reading downThe ability of a subject to view an object whose label the subject dominates. Security policy generally allows reading down. For example, a text editor program that runs at Secret can read Unclassified data. See also mandatory access control (MAC). rights profileA security feature of the Solaris OS. A rights profile enables a site's security administrator to bundle commands and CDE actions with security attributes. Attributes such as user authorizations and privileges enable the commands and actions to succeed. A rights profile generally contains related tasks. A profile can be assigned to users and to roles. roleA security feature of the Solaris OS. A role is a special account that gives the user who assumes the role access to certain applications with the security attributes that are necessary for performing the specific tasks. security administratorOn system that is configured with Trusted Extensions, the role that is assigned to the user or users who are responsible for defining and for enforcing security policy. The security administrator can work at any label in the system accreditation range, and potentially has access to all information at the site. The security administrator configures the security attributes for all users and equipment. See also label encodings file. security attributeA security feature of the Solaris OS. A property of an entity, such as a process, zone, user, or device, that is related to security. Security attributes include identification values such as user ID (UID) and group ID (GID). Attributes that are specific to Trusted Extensions include labels and label ranges. Note that only certain security attributes apply to a particular type of entity. security policysecurity policydefinedThe set of DAC, MAC, and label rules that define how information can be accessed and by whom. At a customer site, the set of rules that defines the sensitivity of the information that is processed at that site. Policy includes the measures that are used to protect the information from unauthorized access. Selection ManagerA trusted application of Trusted Extensions. This GUI appears when authorized users attempt to upgrade information or downgrade information. sensitivity labelSee label. sessionThe time between logging in to a Trusted Extensions host and logging out from the host. The trusted stripe appears in all Trusted Extensions sessions to confirm that users are not being spoofed by a counterfeit system. session clearanceA clearance set at login that defines the upper boundary of labels for a Trusted Extensions session. If the user is permitted to set the session clearance, the user can specify any value within the user's account label range. If the user's account is configured for forced single-level sessions, the session clearance is set to the default value specified by the security administrator. See also clearance. session rangeThe set of labels that are available to a user during a Trusted Extensions session. The session range is bounded at the upper boundary by the user's session clearance and at the lower end by the minimum label. single-label configurationA user account that has been configured for operation at a single label only. Also called a single-level configuration. spoofspoofingdefinedTo counterfeit a software program in order to illegally get access to information on a system. strict dominanceSee dominating label. subjectAn active entity, usually a process that runs on behalf of a user or role. A subject causes information to flow among objects, or changes the system state. system accreditation rangeThe set of all valid labels for a site. The set includes the administrative labels that are available to the site's security administrator and system administrator. The system accreditation range is defined in the label encodings file. system administratorA security feature of the Solaris OS. The System Administrator role can be assigned to the user or users who are responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. See also security administrator. trusted applicationAn application that has been granted one or more privileges. trusted computing base (TCB)The part of a system that is configured with Trusted Extensions that affects security. The TCB includes software, hardware, firmware, documentation, and administrative procedures. Utility programs and application programs that can access security-related files are all part of the trusted computing base. trusted facilities managementAll activities associated with system administration in a conventional UNIX system, plus all of the administrative activities that are necessary to maintain the security of a distributed system and the data that the system contains. trusted pathRefers to the mechanism for accessing actions and commands that are permitted to interact with the trusted computing base (TCB). See also Trusted Path menu, trusted symbol, and trusted stripe. Trusted Path menuA menu of Trusted Extensions operations that is displayed by holding down mouse button 3 over the switch area of the Front Panel. The menu selections fall into three categories: workspace-oriented selections, role assumption selections, and security-related tasks. trusted stripeA screen-wide rectangular graphic in a reserved area of the screen. The trusted stripe appears in all Trusted Extensions sessions to confirm valid Trusted Extensions sessions. Depending on a site's configuration, the trusted stripe has one or two components: (1) a mandatory trusted symbol to indicate interaction with the trusted computing base (TCB), and (2) an optional label to indicate the label of the current window or workspace. trusted symbolThe symbol that appears at the left of the trusted stripe area. The symbol is displayed whenever the user accesses any portion of the trusted computing base (TCB). upgraded labelA label of an object that has been changed to a value that dominates the previous value of the label. user accreditation rangeThe largest set of labels that the security administrator can potentially assign to a user at a specific site. The user accreditation range excludes the administrative labels and any label combinations that are available to administrators only. The user accreditation range is defined in the label encodings file. user clearanceA clearance that is assigned by the security administrator. A user clearance defines the upper boundary of a user's account label range. The user's clearance determines the highest label at which the user is permitted to work. See also clearance and session clearance. user ID (UID)A security feature of the Solaris OS. A UID identifies a user for the purposes of discretionary access control (DAC), mandatory access control (MAC), and auditing. See also access permissions. well-formed labelA label that can be included in a range, because the label is permitted by all applicable rules in the label encodings file. workspaceSee labeled workspace.