Feature #9293
openProvide WebUI message (banner) prior to login
0%
Description
While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the html\php to meet this requirement, however, as expected, the changes are lost after an update.
Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?
Here's an example from the DoD RHEL STIGs:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Updated by Joshua Sign about 4 years ago
Hi,
You are sure it is required for WebGUI ?
Because in the document you link it is only for "console login prompt" :
login banner must be displayed immediately prior to, or as part of, console login prompts
Updated by Ryan Haraschak about 4 years ago
Hi Joshua,
Yes, that was just an example of a similar requirement. This requirement can be found for web servers, VTC devices, and Windows desktop login as well. The STIG states "console" but it gets interpreted as desktop, web, SSH, etc...
For example, the Windows version, the fix-action for this requirement is as such:
Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText
This causes a dialog box to appear before logging in locally through the standard GUI.
Updated by Steve Simpson almost 4 years ago
I would love to see this as well. I added it manually to my system, it would be easy to add to the core product. You would need a place on the advanced configuration menu that would allow you to enter the values and the create the config file (/etc/inc/corpbanner.inc) as shown.
[2.4.4-RELEASE][root@vpn.localdomain]/etc/inc: cat corpbanner.inc <?php $corpBannerTitle="US GOVERNMENT NOTICE AND CONSENT BANNER"; $corpBannerText=<<<ENDTEXT You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ENDTEXT;
then just add the diff code to authgui.inc
[2.4.4-RELEASE][root@vpn.localdomain]/etc/inc: diff -u authgui.inc.banner authgui.inc --- authgui.inc.banner 2019-05-30 18:06:17.855620000 +0000 +++ authgui.inc 2019-05-30 19:26:04.385828000 +0000 @@ -341,9 +341,30 @@ </header> <div style="background: <?=$logincssfile?>;" class="<?=$warnclass?>"> +<?php + if(is_readable("/etc/inc/corpbanner.inc")) { + include_once("/etc/inc/corpbanner.inc"); +?> + <div> + <div class="col-sm-2"></div> + <div class="col-sm-8"> + <p class="form-title"><?=$corpBannerTitle ?></p> + <p><?=$corpBannerText ?></p> + </div> + <div class="col-sm-2"></div> + </div> + <div class="col-sm-4"></div> + + <div class="col-sm-4 offset-md-4"> +<?php + } else { +?> <div class="col-sm-4"></div> <div class="col-sm-4 offset-md-4 logoCol"> +<?php + } +?> <div class="loginCont center-block"> <form method="post" <?=$loginautocomplete?> class="login"> <p class="form-title">Sign In</p>