Bug 1751336
Summary: | Classification banners into Gnome login and desktop | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Ash Westbrook <awestbro> | ||||
Component: | gnome-shell-extensions | Assignee: | Florian Müllner <fmuellner> | ||||
Status: | CLOSED ERRATA | QA Contact: | Michael Boisvert <mboisver> | ||||
Severity: | medium | Docs Contact: | Marek Suchánek <msuchane> | ||||
Priority: | medium | ||||||
Version: | 8.4 | CC: | aday, amike, cschrock, csoriano, debarshir, dking, fmuellner, gfialova, jadahl, jkoten, jon.wesel, kenyon, linux.duzt, mcatanza, mclasen, msuchane, otaylor, rstrode, sbarcomb, spam544, tpelka, tpopela | ||||
Target Milestone: | rc | Keywords: | Reopened, RFE, Triaged | ||||
Target Release: | 8.0 | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Whiteboard: | |||||||
Fixed In Version: | gnome-shell-extensions-3.32.1-27.el8 | Doc Type: | Enhancement | ||||
Doc Text: |
.Security classification banners at login and in the desktop session
You can now configure classification banners to state the overall security classification level of the system. This is useful for deployments where the user must be aware of the security classification level of the system that they are logged into.
The classification banners can appear in the following contexts, depending on your configuration:
* Within the running session
* On the lock screen
* On the login screen
The classification banners can take the form of either a notification that you can dismiss, or a permanent banner.
For more information, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_the_desktop_environment_in_rhel_8/assembly_displaying-the-system-security-classification_using-the-desktop-environment-in-rhel-8[Displaying the system security classification].
|
Story Points: | --- | ||||
Clone Of: | |||||||
: | 2031186 (view as bug list) | Environment: | |||||
Last Closed: | 2022-05-10 13:42:04 UTC | Type: | Epic | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 2031186 | ||||||
Attachments: |
|
Description
Ash Westbrook
2019-09-11 18:19:03 UTC
*** Bug 1751337 has been marked as a duplicate of this bug. *** Patternfly4 is going to implement something similar called "banner" which should be called the same thing in Gnome. This way we broaden its usage beyond just government to healthcare, telco, etc. After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. Created attachment 1782853 [details]
Requested screenshot of banner
This is a screenshot of the basic idea of what we're looking for, with the option to have the hostname/classification/username across the top of the screen (with a banner across the bottom of the screen as well). Thanks.
Hey Chad, Thank you for the upload. Are there any formal government processes that you need to adhere to? I am trying to track down anything official for color coding these messages. So far I have found this site **Warning, not a Red Hat website** https://www.stigviewer.com/stig/keyboard_video_and_mouse_switch/2015-06-30/finding/V-6680: "Modify the screen backgrounds for each information system attached to the KVM switch to comply with information below. These banners will state the overall classification level of the information system in large bold type. These banners will have a solid background color assigned using the following scheme: Yellow for Sensitive Compartmented Information (SCI). Orange for Top Secret (TS). Red for Secret. Blue for Confidential. Green for Unclassified." But this is nothing official AFAICT. -Steve The official colors can be found here: https://github.com/SecurityCentral/classification-banner/#examples Hi Steve, The closest that I've been able to find to an official color scheme is what the US GPO uses for the classification stickers we also use. This link is to a contract that they released a few years ago to have the stickers printed. In section two, they specify the Pantone color values: https://www.gpo.gov/docs/default-source/contract-pricing/contract-pricing/dallas/ab1724s.pdf (PMS 356C for Unclassified; PMS 186C for Secret, etc.) In my decades of doing this, we've always tried to match the GPO stickers. The summary that Kenyon points to on GitHub comes from the contract listed above. There is also http://everyspec.com/MIL-STD/MIL-STD-1400-1499/download.php?spec=MIL-STD-1472H.057041.pdf which defines "green=unclassified", "red=secret", "orange=top secret", etc. (page 390 of the pdf) For the banner text and how systems should be marked, that comes directly from DoD policy: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol2.pdf (page 20) Hey Chad/Kenyon, Thank you both for the links provided. I think we have a good list of what is needed here. I will reach out to you if there is anything else we need. For those trying to get https://github.com/fcaviggia/classification-banner to work with RHEL8.4, we discovered that by using Python 2.7 and Version 1.7.0 of classification-banner from 2018, the banner works as expected with no workarounds. Initial upstream work for this: https://gitlab.gnome.org/GNOME/gnome-shell-extensions/-/merge_requests/193 (In reply to August from comment #28) > For those trying to get https://github.com/fcaviggia/classification-banner > to work with RHEL8.4, we discovered that by using Python 2.7 and Version > 1.7.0 of classification-banner from 2018, the banner works as expected with > no workarounds. Can you please provide more information? What steps were used to install and run? I was not able to get this working on RHEL 8.4, using python 2.7.18 and version 1.7.0 of classification-banner. I installed from source with "python setup.py install" which installed it in /usr/bin/classification-banner. I created /etc/classification-banner with the text and color codes. But when I run classification-banner, it does not work. No banner is shown. https://gitlab.gnome.org/GNOME/gnome-shell-extensions/-/merge_requests/193 is actually more for bug 1651378 than this bug, although there is certainly some overlap. (In reply to jon.wesel from comment #39) > (In reply to August from comment #28) > > For those trying to get https://github.com/fcaviggia/classification-banner > > to work with RHEL8.4, we discovered that by using Python 2.7 and Version > > 1.7.0 of classification-banner from 2018, the banner works as expected with > > no workarounds. > > Can you please provide more information? What steps were used to install and > run? I was not able to get this working on RHEL 8.4, using python 2.7.18 and > version 1.7.0 of classification-banner. > I installed from source with "python setup.py install" which installed it in > /usr/bin/classification-banner. I created /etc/classification-banner with > the text and color codes. But when I run classification-banner, it does not > work. No banner is shown. To get classification-banner to work with rhel 8.4 you need the following packages installed: python2 pygtk2 libcanberra-gtk2 After those are installed you can run "python2 setup.py install" and execute "classification-banner" to load the banner. The banner is a little buggy if you are trying to use multiple monitors and the escape to hide function (banner randomly moves to the middle of the screen). (In reply to linux.duzt from comment #41) > To get classification-banner to work with rhel 8.4 you need the following > packages installed: > python2 > pygtk2 > libcanberra-gtk2 > > After those are installed you can run "python2 setup.py install" and execute > "classification-banner" to load the banner. The banner is a little buggy if > you are trying to use multiple monitors and the escape to hide function > (banner randomly moves to the middle of the screen). Thank you! This worked. I was missing pygtk2. The classification banner works as expected withing a session and on the lock screen using: gnome-shell-extensions-3.32.1-27.el8. We will need to come up with some instructions to enable the extension for the GDM user in order to get it working on the login screen. fmuellner: afaics, that's only possible via a dconf override for the 'enabled-extensions' key in /org/gnome/shell. Using gnome-shell-extensions-3.32.1-27.el8, you can easily program a classification banner within the running session, lock screen and the login screen. To create a banner in the session and lock screen simply install the extension then customize the extension using one of the many ways, it works perfectly running gnome-shell-extension-prefs. To create a red banner with white text on the login screen do the following (obviously this can be tailored by the user): 1. Install gnome-shell-extension-classification-banner-3.32.1-27.el8 and at least gnome-shell-3.32.2-39.el8 2. Create file called /etc/dconf/db/gdm.d/99-class-banner [org/gnome/shell] enabled-extensions=['classification-banner.github.com'] [org/gnome/shell/extensions/classification-banner] background-color='rgba(200,16,46,0.75)' message='TOP SECRET' top-banner=true bottom-banner=true system-info=true color='rgb(255,255,255)' 3. dconf update as root 4. reboot Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (gnome-shell-extensions bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1807 |