Feature #9293
closed
Provide a WebUI message prior to login
100%
Description
While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the html\php to meet this requirement, however, as expected, the changes are lost after an update.
Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?
Here's an example from the DoD RHEL STIGs:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Updated by Joshua Sign almost 6 years ago
Hi,
You are sure it is required for WebGUI ?
Because in the document you link it is only for "console login prompt" :
login banner must be displayed immediately prior to, or as part of, console login prompts
Updated by Ryan H almost 6 years ago
Hi Joshua,
Yes, that was just an example of a similar requirement. This requirement can be found for web servers, VTC devices, and Windows desktop login as well. The STIG states "console" but it gets interpreted as desktop, web, SSH, etc...
For example, the Windows version, the fix-action for this requirement is as such:
Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText
This causes a dialog box to appear before logging in locally through the standard GUI.
Updated by Steve Simpson over 5 years ago
I would love to see this as well. I added it manually to my system, it would be easy to add to the core product. You would need a place on the advanced configuration menu that would allow you to enter the values and the create the config file (/etc/inc/corpbanner.inc) as shown.
[2.4.4-RELEASE][root@vpn.localdomain]/etc/inc: cat corpbanner.inc <?php $corpBannerTitle="US GOVERNMENT NOTICE AND CONSENT BANNER"; $corpBannerText=<<<ENDTEXT You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ENDTEXT;
then just add the diff code to authgui.inc
[2.4.4-RELEASE][root@vpn.localdomain]/etc/inc: diff -u authgui.inc.banner authgui.inc
--- authgui.inc.banner 2019-05-30 18:06:17.855620000 +0000
+++ authgui.inc 2019-05-30 19:26:04.385828000 +0000
@@ -341,9 +341,30 @@
</header>
<div style="background: <?=$logincssfile?>;" class="<?=$warnclass?>">
+<?php
+ if(is_readable("/etc/inc/corpbanner.inc")) {
+ include_once("/etc/inc/corpbanner.inc");
+?>
+ <div>
+ <div class="col-sm-2"></div>
+ <div class="col-sm-8">
+ <p class="form-title"><?=$corpBannerTitle ?></p>
+ <p><?=$corpBannerText ?></p>
+ </div>
+ <div class="col-sm-2"></div>
+ </div>
+ <div class="col-sm-4"></div>
+
+ <div class="col-sm-4 offset-md-4">
+<?php
+ } else {
+?>
<div class="col-sm-4"></div>
<div class="col-sm-4 offset-md-4 logoCol">
+<?php
+ }
+?>
<div class="loginCont center-block">
<form method="post" <?=$loginautocomplete?> class="login">
<p class="form-title">Sign In</p>
Updated by
Updated by Mark Williams 9 months ago
This is getting to be more a requirement for US Government Agencies, as security adherence to NIST, DOD and DHS Security requirements.
Updated by Mike Moore 9 months ago
I agree with this. This is a blocker for me right now.
Is HTML custom code not permissible? 5years request for something fundamental seems troubling.
Updated by Christian McDonald 5 days ago
- Assignee changed from Christian McDonald to Marcos M
Updated by Marcos M 4 days ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 06d95c3cdc8aff6bab976529ddb4934ebf2aabf0.
Updated by Mike Moore 4 days ago
Fantastic work Marcos.
Applied and works without issue. As a test i used the provided custom message in the OPs redmine above.
This looks good on my end.