This chapter introduces you to the labels and other security features that Solaris Trusted Extensions software adds to the Solaris Operating System (Solaris OS).What Is Trusted Extensions Software? Trusted Extensions Protects Against Intruders Trusted Extensions Provides Discretionary and Mandatory Access Control Trusted Extensions Separates Information by Label Trusted Extensions Enables Secure Administration proceduresusers tasksusers informationdata profilesrights profiles pfsh commandprofile shell admin roleSystem Administrator role secadmin roleSecurity Administrator role oper roleOperator role sensitivity labelslabels labelsclearances policysecurity policy peripheral devicesdevices Solaris Trusted Extensions (CDE)CDE containerszones login processlogging in using a deviceallocating a device Trusted Extensionsoverview As the following logo indicates, the Trusted Extensions software package is added to the Solaris OS.

The title describes the graphic.

security policydefinedsecurity practicesdefinedTrusted Extensions provides special security features for your system. These features enable an organization to define and implement a security policy on a Solaris system. A security policy is the set of rules and practices that help protect information and other resources, such as computer hardware, at your site. Typically, security rules handle such issues as who has access to which information or who is allowed to write data to removable media. Security practices are recommended procedures for performing tasks.The following sections describe some major security features that Trusted Extensions provides. The text indicates which security features are configurable. Trusted Extensions software adds features to the Solaris OS that protect against intruders. Trusted Extensions also relies on some Solaris features, such as password protection. Trusted Extensions adds a password change GUI for roles. Auditing is enabled by default.trusted computing base (TCB)definedThe term trusted computing base (TCB) refers to the part of the Trusted Extensions software that handles events that are relevant to security. The TCB includes software, hardware, firmware, documentation, and administrative procedures. Utilities and application programs that can access security-related files are all part of the TCB. Your administrator sets limits on all potential interactions that you can have with the TCB. Such interactions include programs that you need to perform your job, files that you are allowed to access, and utilities that can affect security. If an intruder manages to successfully log in to the system, further obstacles prevent access to information. Files and other resources are protected by access control. As in the Solaris OS, access control can be set by the owner of the information. In Trusted Extensions, access is also controlled by the system. For details, see Trusted Extensions Provides Discretionary and Mandatory Access Control. devicesprotecting authorizationsfor allocating devices In Trusted Extensions, administrators control access to local peripheral devices such as tape drives, CD-ROM drives, printers, and microphones. Access can be granted on a user-by-user basis. The software restricts access to peripheral devices as follows:By default, devices must be allocated for use. You must be authorized to access devices that control removable media. Remote users cannot use local devices such as microphones or CD-ROM drives. Only local users can allocate a device. spoofingdefinedtrusted symboltamper-proof icontrusted computing base (TCB)symbol of interacting withTo “spoof” means to imitate. Intruders sometimes spoof login or other legitimate programs to intercept passwords or other sensitive data. Trusted Extensions protects you from hostile spoofing programs by displaying the following trusted symbol, a clearly recognizable, tamper-proof icon at the bottom of the screen.

Illustration shows the Trusted Symbol.

This symbol is displayed whenever you interact with the trusted computing base (TCB). The presence of the symbol ensures the safety of performing security-related transactions. No visible symbol indicates a potential security breach. The following figure shows the trusted symbol. Trusted Extensions controls which users can access which information by providing both discretionary and mandatory access control.discretionary access control (DAC)defined protecting filesDAC permissionsat discretion of file owner access control lists (ACLs) access controlpermission bits access controlaccess control lists (ACLs) access controldiscretionary access control (DAC) Discretionary access control (DAC) is a software mechanism for controlling user access to files and directories. DAC leaves setting protections for files and directories to the owner's discretion. The two forms of DAC are UNIX permission bits and access control lists (ACLs).Permission bits let the owner set read, write, and execute protection by owner, group, and other users. In traditional UNIX systems, the superuser or root user can override DAC protection. With Trusted Extensions software, the ability to override DAC is permitted for administrators and authorized users only. ACLs provide a finer granularity of access control. ACLs enable owners to specify separate permissions for specific users and specific groups. For more information, see Chapter 7, Controlling Access to Files (Tasks), in System Administration Guide: Security Services. access controlmandatory access control (MAC) mandatory access control (MAC)defined protecting filesMAC dataprotecting with MAC Mandatory access control (MAC) is a system-enforced access control mechanism that is based on label relationships. The system associates a sensitivity label with all processes that are created to execute programs. MAC policy uses this label in access control decisions. In general, processes cannot store information or communicate with other processes, unless the label of the destination is equal to the label of the process. MAC policy permits processes to read data from objects at the same label or from objects at a lower label. However, the administrator can create a labeled environment in which few lower-level objects or no lower-level objects are available.By default, MAC policy is invisible to you. Regular users cannot see objects unless they have MAC access to those objects. In all cases, users cannot take any action that is contrary to MAC policy.labelscomponents classification component of labeldefinedA label has the following two components:Classification, also referred to as a levelThis component indicates a hierarchical level of security. When applied to people, the classification represents a measure of trust. When applied to data, a classification is the degree of protection that is required.In the U.S. Government, the classifications are TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED. Industry classifications are not as standardized. Unique classifications can be established by a company. For an example, see Figure 1–3. The terms on the left are classifications. The terms on the right are compartments. compartment component of labeldefinedCompartments, also referred to as categoriesA compartment represents a grouping, such as a work group, department, project, or topic. A classification does not have to have a compartment. In Figure 1–3, the Confidential classification has three exclusive compartments. Public and Max Label have no compartments. As the figure shows, five labels are defined by this organization. types of labelslabelstypessensitivity labelslabel typeclearanceslabel typeuser clearancesdefinedlabelssample industry labelslabel rangesdescribedlabelsrangesTrusted Extensions maintains two types of labels: sensitivity labels and clearances. A user can be cleared to work at one or more sensitivity labels. A special label, known as the user clearance, determines the highest label at which a user is permitted to work. In addition, each user has a minimum sensitivity label. This label is used by default during login to a multilevel desktop session. After login, the user can choose to work at other labels within this range. A user could be assigned Public as the minimum sensitivity label and Confidential: Need to Know as the clearance. At first login, the desktop workspaces are at the label Public. During the session, the user can create workspaces at Confidential: Internal Use Only and Confidential: Need to Know.

Diagram shows typical labels and clearances as defined by industry.

subjectdefinedobjectdefinedAll subjects and objects have labels on a system that is configured with Trusted Extensions. A subject is an active entity, usually a process. The process causes information to flow among objects or changes the system state. An object is a passive entity that contains or receives data, such as a data file, directory, printer, or other device. In some cases, a process can be an object, such as when you use the kill command on a process.labelsdisplayed on desktoptrusted stripelocation in CDEvisibilitytrusted stripeLabels can be displayed in window title bars and in the trusted stripe, which is a special stripe on the screen. Labels can be hidden. Label visibility depends on how the administrator configured the system. Figure 1–4 shows a typical multilevel Trusted Extensions session on a system that is configured to display labels. The labels and trusted stripe are indicated.

Screen shows labels on windows and icons, the trusted stripe with the trusted symbol and work space label, and the Trusted Path menu.

zoneslabeled labelslabeled zones Trusted Extensions uses containers for labeling. Containers are also called zones. The global zone is an administrative zone, and is not available to users. Non-global zones are called labeled zones. Labeled zones are used by users. The global zone shares some system files with users. When these files are visible in a labeled zone, the label of these files is ADMIN_LOW.Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. Therefore, one zone cannot write into another zone.home directoriesvisible from higher-level zonezoneshome directory visibilityvisibilityreading lower-level home directoriesaccessinglower-level home directoriesdirectoriesvisibility of home directoriesHowever, the administrator can configure specific zones to be able to read specific directories from other zones. The other zones could be on the same host, or on a remote system. For example, a user's home directory in a lower-level zone can be mounted by using the automount service. The pathname convention for such lower-level home mounts includes the zone name, as follows:/zone/name-of-lower-level-zone/home/usernameThe following terminal window illustrates lower-level home directory visibility. A user whose login label is Confidential: Internal Use Only can view the contents of the Public zone when the automount service is configured to make lower-level zones readable. The textfileInfo.txt file has two versions. The Public zone version contains information that can be shared with the public. The Confidential: Internal Use Only version contains information that can be shared within the company only.

Illustration shows that the contents of the Public zone is visible from the Internal Use Only zone.

dominance between labels labelsdominance labelsrelationships Trusted Extensions software manages all attempted security-related transactions. The software compares the subject's label with the object's label, then allows or disallows the transaction depending on which label is dominant. An entity's label is said to dominate another entity's label if the following two conditions are met:The classification component of the first entity's label is equal to the object's classification or is higher than the object's classification. All compartments in the second entity's labels are included in the first entity's label. Two labels are said to be equal if the labels have the same classification and the same set of compartments. If the labels are equal, the labels dominate each other. Therefore, access is permitted.If one of the following conditions is met, then the first label is said to strictly dominate the second label.The first label has a higher classification than a second label The first label's classification is equal to a second label's classification, the first label includes the second label's compartments, and the first label has additional compartments A label that strictly dominates a second label is permitted access to the second label.Two labels are said to be disjoint if neither label dominates the other label. Access is not permitted between disjoint labels.labelssample government labelsFor example, consider the following figure. Illustration shows a Top Secret classification with two possible compartments, A and B. Four labels can be created from these components:TOP SECRET TOP SECRET A TOP SECRET B TOP SECRET AB TOP SECRET AB dominates itself and strictly dominates the other labels. TOP SECRET A dominates itself and strictly dominates TOP SECRET. TOP SECRET B dominates itself and strictly dominates TOP SECRET. TOP SECRET A and TOP SECRET B are disjoint.read accessin labeled environmentaccessingfor read onlyIn a read transaction, the subject's label must dominate the object's label. This rule ensures that the subject's level of trust meets the requirements for access to the object. That is, the subject's label includes all compartments that are allowed access to the object. TOP SECRET A can read TOP SECRET A and TOP SECRET data. Similarly, TOP SECRET B can read TOP SECRET B and TOP SECRET data. TOP SECRET A cannot read TOP SECRET B data. Nor can TOP SECRET B read TOP SECRET A data. TOP SECRET AB can read the data at all labels.write accessin labeled environmentaccessingfor writingIn a write transaction, that is, when a subject creates or modifies an object, the resulting object's labeled zone must equal the subject's labeled zone. Write transactions are not allowed from one zone to a different zone.labelssample label relationshipsaccessingfor reading and writingIn practice, subjects and objects in read and write transactions usually have the same label and strict dominance does not have to be considered. For example, a TOP SECRET A subject can create or modify a TOP SECRET A object. In Trusted Extensions, the TOP SECRET A object is in a zone that is labeled TOP SECRET A.The following table illustrates dominance relationships among U.S. Government labels and among a set of industry labels. Label 1 Relationship Label 2 U.S. Government Labels TOP SECRET AB (strictly) dominates SECRET A TOP SECRET AB (strictly) dominates SECRET A B TOP SECRET AB (strictly) dominates TOP SECRET A TOP SECRET AB dominates (equals) TOP SECRET AB TOP SECRET AB is disjoint with TOP SECRET C TOP SECRET AB is disjoint with SECRET C TOP SECRET AB is disjoint with SECRET A B C Industry Labels Confidential: Restricted dominates Confidential: Need to Know Confidential: Restricted dominates Confidential: Internal Use Only Confidential: Restricted dominates Public Confidential: Need to Know dominates Confidential: Internal Use Only Confidential: Need to Know dominates Public Confidential: Internal dominates Public Sandbox is disjoint with All other labels labelschanging label on informationdowngrading informationupgrading informationcopy-and-pasteeffect on labelsdrag-and-dropeffect on labelsauthorizationschanging labelsWhen you transfer information between files with different labels, Trusted Extensions displays a confirmation dialog box if you are authorized to change the label of the file. If you are not authorized to do so, Trusted Extensions disallows the transaction. The security administrator can authorize you to upgrade or downgrade information. For more information, see Performing Trusted Actions. usersresponsibilitiesprotecting data responsibilitiesusers to protect data user responsibilitiesprotecting data protecting filesuser responsibilitiespermissionsuser responsibilitiesAs a user, you are responsible for setting the permissions to protect your files and directories. Actions that you can perform to set permissions use a mechanism called discretionary access control (DAC). You can check the permissions on your files and directories by using the ls -l command or by using the File Manager, as described in Chapter 3, Working in Trusted Extensions (Tasks).Mandatory access control (MAC) is enforced automatically by the system. If you are authorized to upgrade or downgrade labeled information, you have a critical responsibility to ensure that the need for changing the level of information is legitimate.email instructionsuser responsibilitiesAnother aspect of protecting data involves email. Never follow instructions that you receive in email from an administrator. For example, if you followed emailed instructions to change your password to a particular value, you would enable the sender to log in to your account. In limited cases, you might verify the instructions independently before following the instructions. labelsmeans of protecting data protecting filesby label Trusted Extensions separates information at different labels by the following means:Users can select single-level or multilevel sessions. The desktops provide workspaces that are labeled. Files are stored in separate zones according to label. MAC is enforced for all transactions, including email. Data on objects is erased prior to object reuse. clearancessetting at login labelssetting clearance at login sessionssingle-level or multilevel single-level sessionsdefined multilevel sessionsdefined session clearancesdefined sessionschoosing clearance When you first log in to a Trusted Extensions session, you specify whether to operate at a single label or at multiple labels. You then set your session clearance or session label. This setting is the security level at which you intend to operate.In a single-label session, you can access only those objects that are equal to your session label or are dominated by the label.In a multilevel session, you can access information at labels that are equal to or lower than your session clearance. You can specify different labels for different workspaces. You can also have different workspaces at the same label. sessionseffect of selecting level Table 1–2 provides an example that shows the difference between a single-level and a multilevel session. This example contrasts a user who chooses to operate in a single-level session at CONFIDENTIAL: NEED TO KNOW (CNF: NTK) with a user who chooses a multilevel session, also at CNF: NTK.The three columns on the left show each user's session selections at login. Note that users set session labels for single-level sessions and session clearances for multilevel sessions. The system displays the correct label builder according to your selection. To view a label builder for a multilevel session, see Figure 2–2.The two columns on the right show the label values that are available in the session. The Initial Workspace label column represents the label when the user first accesses the system. The Available Labels column lists the labels that the user is permitted to switch to during the session.User Selections Session Label Values Session Type Session Label Session Clearance Initial Workspace Label Available Labels single-level CNF: NTK - CNF: NTK CNF: NTK multilevel - CNF: NTK Public PublicCNF: Internal Use OnlyCNF: NTK As the first row of the table shows, the user has selected a single-level session with a session label of CNF: NTK. The user has an initial workspace label of CNF: NTK, which is also the only label at which the user can operate.As the second row of the table shows, the user has selected a multilevel session with a session clearance of CNF: NTK. The user's initial workspace label is set to Public, because Public is the lowest possible label in the user's account label range. The user can switch to any label between Public and CNF: NTK. Public is the minimum label, and CNF: NTK is the session clearance. workspaceslabeled workspace switch areaillustrationIn Solaris Trusted Extensions (CDE), or Trusted CDE, the workspaces in Trusted Extensions are accessed through buttons in the center of the Front Panel, as in the Solaris OS. However, with Trusted Extensions, you can devote a workspace entirely to a single label. This setup is very convenient when you are in a multilevel session, and you do not want to confuse information at different labels. The following illustration shows the workspace switch area with four switches. Each switch opens a workspace at a different label. You can also assign several workspaces to the same label.

The illustration shows the Workspace Switch area on the Front Panel with four labeled switches.

In Solaris Trusted Extensions (GNOME), or Trusted GNOME, the workspaces are accessed through buttons at the right of the bottom panel. As in Trusted CDE, you can assign a workspace to a single label. You can also assign the same label to several workspaces. mandatory access control (MAC)enforced for email emaillabel enforcement Trusted Extensions enforces MAC for email. You can send and read email at your current label. You can receive email at a label within your account range. In a multilevel session, you can switch to a workspace at a different label to read email at that label. You use the same mail reader and the same login. The system permits you to read mail at your current label only. usersresponsibilitiesclearing devices responsibilitiesusers to clear media objectreuse devicesclearing prior to reuse Trusted Extensions prevents inadvertent exposure of sensitive information by automatically erasing old information from user-accessible objects prior to reuse. For example, memory and disk space are cleared before being used again. Failure to erase sensitive data prior to reuse of the object risks the exposure of data to inappropriate users. Through device deallocation, Trusted Extensions clears all user-accessible objects prior to allocating the drives to processes. Note, however, that you must clear all removable storage media, such as DVDs and JAZ drives, before allowing another user access to the drive. rolesspecial user account system administrationon Trusted Extensions In contrast to traditional UNIX systems, superuser (the root user) is not used to administer Trusted Extensions. Rather, administrative roles with discrete capabilities administer the system. In this way, no single user can compromise a system's security. A role is a special user account that provides access to certain applications with the rights that are necessary for performing the specific tasks. Rights include authorizations, privileges, and effective UIDs/GIDs.The following security practices are enforced on a system that is configured with Trusted Extensions:You are granted access to applications and authorizations on a need-to-use basis. You can perform functions that override security policy only if you are granted special authorizations or special privileges by administrators. System administration duties are divided among multiple roles. trusted applicationsby using rights profiles rights profilesdefined In Trusted Extensions, you can access only those programs that you need to do your job. As in the Solaris OS, an administrator provides access by assigning one or more rights profiles to your account. A rights profile is a special package of programs and security attributes. These security attributes enable successful use of the program that is in the rights profile.The Solaris OS provides security attributes such as privileges and authorizations. Trusted Extensions provides labels. Any of these attributes, if missing, can prevent use of the program or parts of the program. For example, a rights profile might include an authorization that enables you to read a database. A rights profile with particular security attributes might be required for you to modify the database or read information that is classified as Confidential.The use of rights profiles that contain programs with associated security attributes helps prevent users from misusing programs and from damaging data on the system. If you need to perform tasks that override the security policy, the administrator can assign to you a rights profile that contains the necessary security attributes. If you are prevented from running a certain task, check with your administrator. You might be missing required security attributes.profile shelldefinedIn addition, the administrator might assign you a profile shell as your login shell. A profile shell is a special version of the Bourne shell that provides access to a particular set of applications and capabilities. Profile shells are a feature of the Solaris OS. For details, see the pfsh1 man page.Not in Profile error messageNot Found error messagetroubleshootingcommand line error messagesIf you try to run a program and receive a Not Found error message or if you try to run a command and receive a Not in Profile error message, you might not be permitted to use this program. Check with your security administrator. responsibilitiesof administrators rolesresponsibilities of rolescommon roles Security Administrator roleresponsibilities System Administrator roleresponsibilities Operator roleresponsibilities root roleresponsibilities Trusted Extensions software uses roles for administration. Make sure that you know who is performing which set of duties at your site. The following are common roles:root role – Is used primarily to prevent direct login by superuser. Primary Administrator role – Performs any tasks that require privileges beyond the capabilities of other roles. Security Administrator role – Performs security-relevant tasks, such as setting passwords, authorizing device allocation, assigning rights profiles, and evaluating software programs. System Administrator role – Performs standard system management tasks, such as setting up home directories, restoring backups, and installing software programs. Operator role – Performs system backups, manages printers, and mounts removable media.