Project

General

Profile

Actions
Copy link

Feature #9293

closed

Custom message text for the login screen

Added by Ryan H over 6 years ago. Updated 3 months ago.

Status:
Resolved
Priority:
Low
Assignee:
Marcos M
Category:
Web Interface
Target version:
2.8.0
Start date:
01/29/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
25.03
Release Notes:
Default

Description

While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the html\php to meet this requirement, however, as expected, the changes are lost after an update.

Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?

Here's an example from the DoD RHEL STIGs:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: 
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
-At any time, the USG may inspect and seize data stored on this IS. 
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Actions
Copy link
 #1

Updated by Joshua Sign over 6 years ago

Hi,

You are sure it is required for WebGUI ?
Because in the document you link it is only for "console login prompt" :
login banner must be displayed immediately prior to, or as part of, console login prompts

Actions
Copy link
 #2

Updated by Ryan H over 6 years ago

Hi Joshua,
Yes, that was just an example of a similar requirement. This requirement can be found for web servers, VTC devices, and Windows desktop login as well. The STIG states "console" but it gets interpreted as desktop, web, SSH, etc...

For example, the Windows version, the fix-action for this requirement is as such:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

Value Name: LegalNoticeText

This causes a dialog box to appear before logging in locally through the standard GUI.

Actions
Copy link
 #3

Updated by Steve Simpson almost 6 years ago

I would love to see this as well. I added it manually to my system, it would be easy to add to the core product. You would need a place on the advanced configuration menu that would allow you to enter the values and the create the config file (/etc/inc/corpbanner.inc) as shown.

[2.4.4-RELEASE][root@vpn.localdomain]/etc/inc: cat corpbanner.inc 
<?php
$corpBannerTitle="US GOVERNMENT NOTICE AND CONSENT BANNER";
$corpBannerText=<<<ENDTEXT
 You are accessing a U.S. Government (USG) Information System (IS) that 
 is provided for USG-authorized use only. By using this IS (which       
 includes any device attached to this IS), you consent to the following 
 conditions:
 The USG routinely intercepts and monitors communications on this IS  
 for purposes including, but not limited to, penetration testing, COMSEC
 monitoring, network operations and defense, personnel misconduct (PM), 
 law enforcement (LE), and counterintelligence (CI) investigations. 
 At any time, the USG may inspect and seize data stored on this IS. 
 Communications using, or data stored on, this IS are not private, 
 are subject to routine monitoring, interception, and search, and may 
 be disclosed or used for any USG authorized purpose.
 This IS includes security measures (e.g., authentication and access 
 controls) to protect USG interests--not for your personal benefit or 
 privacy.
 Notwithstanding the above, using this IS does not constitute consent
 to PM, LE or CI investigative searching or monitoring of the content 
 of privileged communications, or work product, related to personal 
 representation or services by attorneys, psychotherapists, or clergy, 
 and their assistants. Such communications and work product are private 
 and confidential. See User Agreement for details. 
ENDTEXT;

then just add the diff code to authgui.inc

[2.4.4-RELEASE][root@vpn.localdomain]/etc/inc: diff -u authgui.inc.banner authgui.inc
--- authgui.inc.banner    2019-05-30 18:06:17.855620000 +0000
+++ authgui.inc    2019-05-30 19:26:04.385828000 +0000
@@ -341,9 +341,30 @@
             </header>

             <div style="background: <?=$logincssfile?>;" class="<?=$warnclass?>">
+<?php
+        if(is_readable("/etc/inc/corpbanner.inc")) {
+            include_once("/etc/inc/corpbanner.inc");
+?>
+                    <div>
+                        <div class="col-sm-2"></div> 
+                        <div class="col-sm-8">
+                                      <p class="form-title"><?=$corpBannerTitle ?></p>
+                                        <p><?=$corpBannerText ?></p>
+                        </div>
+                         <div class="col-sm-2"></div> 
+                    </div>
+                        <div class="col-sm-4"></div>
+
+                        <div class="col-sm-4 offset-md-4">
+<?php
+        } else {
+?>
                 <div class="col-sm-4"></div>

                 <div class="col-sm-4 offset-md-4 logoCol">
+<?php
+        }
+?>
                     <div class="loginCont center-block">
                         <form method="post" <?=$loginautocomplete?> class="login">
                             <p class="form-title">Sign In</p>
Actions
Copy link
 #4

Updated by Jim Pingle over 5 years ago

  • Category set to Web Interface
Actions
Copy link
 #5

Updated by Mark Williams about 1 year ago

This is getting to be more a requirement for US Government Agencies, as security adherence to NIST, DOD and DHS Security requirements.

Actions
Copy link
 #6

Updated by Christian McDonald about 1 year ago

  • Assignee set to Christian McDonald
Actions
Copy link
 #7

Updated by Mike Moore about 1 year ago

I agree with this. This is a blocker for me right now.
Is HTML custom code not permissible? 5years request for something fundamental seems troubling.

Actions
Copy link
 #8

Updated by Christian McDonald 5 months ago

  • Assignee changed from Christian McDonald to Marcos M
Actions
Copy link
 #9

Updated by Marcos M 5 months ago

  • Subject changed from Provide WebUI message (banner) prior to login to Provide a WebUI message prior to login
  • Status changed from New to Pull Request Review
  • Target version set to 2.8.0
  • Plus Target Version set to 25.03
  • Release Notes set to Default
Actions
Copy link
 #10

Updated by Marcos M 5 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #11

Updated by Mike Moore 5 months ago

Fantastic work Marcos.
Applied and works without issue. As a test i used the provided custom message in the OPs redmine above.
This looks good on my end.

Actions
Copy link
 #12

Updated by Marcos M 5 months ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #13

Updated by Jim Pingle 3 months ago

  • Subject changed from Provide a WebUI message prior to login to Custom message text for the login screen
Actions
Copy link

Also available in: Atom PDF