Graylog2/graylog2-server

Allow customization of footer

Open

#2723 opened on Aug 19, 2016

View on GitHub
 (3 comments) (3 reactions) (1 assignee)Java (6,945 stars) (1,032 forks)batch import
featuregood first issuetriaged

Description

The present implementation

screenshot from 2016-08-19 21-34-06

The good

  • Administrators often glance on that information (I know I do), it's useful for them

The bad

Issue 1:

  • Most formal security policies require a legal disclaimer to be shown at login (example from STIGs), and preferably all the time. This is often solved by adding a footer - a solution that fulfills the requirement without bugging the users too much.
  • Alas, the footer in Graylog is not configured, and forcibly shows software versions instead!
  • I implemented a mod_substitute rule in the front-end web server to replace this text (rewrite part of the client on the fly), because couldn't find simpler way to change the default behaviour.

Issue 2:

  • Graylog has a refined ACL system, and is apparently meant to be used by users of different roles, and access rights. Users may vary from full fledged administrators to non-IT trained personnel that are tasked to search for pre-defined records.
  • While showing information about the system's internals is useful for Administrators, it breaks the principle of least privilege (see for example NIST SP 800-14) by telling end users information they do not require in their tasks.
  • In fact, showing the version information for internal components gives potentially malicious users information that may assist in their non-sanctioned activities. Thus, showing this information to non-administrators is generally frowned upon, and handled as (low severity) security incident in security audits.

Proposal

Add configuration options and/or change the default behaviour. For example show the current information to administrator, but show non-admin users a configurable disclaimer.

Probably also the login screen should be able to show the same disclaimer?

Contributor guide

Tech stack
java
Domain
full stack
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Basic knowledge of Graylog configurationJava backend developmentFrontend web development (e.g., Angular)Understanding of security disclaimers
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Investigate the existing footer rendering in the frontend (likely in the UI module) and the configuration backend in Java (e.g., graylog2 server/src/main/java/org/graylog2/configuration/). Look for how other configuration options are implemented. Modify the frontend to conditionally display a configurable footer or default, and ensure the configuration can be set via web interface or config file. Also consider role based access to show different content for admins vs non admins. The login screen may need the same disclaimer. No linked PRs or maintainer comments are present.