Allow customization of footer

[mikkolehtisalo]

The present implementation

The good

• Administrators often glance on that information (I know I do), it's useful for them

  The bad

Issue 1:

• Most formal security policies require a legal disclaimer to be shown at login (example from STIGs), and preferably all the time. This is often solved by adding a footer - a solution that fulfills the requirement without bugging the users too much.
• Alas, the footer in Graylog is not configured, and forcibly shows software versions instead!
• I implemented a mod_substitute rule in the front-end web server to replace this text (rewrite part of the client on the fly), because couldn't find simpler way to change the default behaviour.

Issue 2:

• Graylog has a refined ACL system, and is apparently meant to be used by users of different roles, and access rights. Users may vary from full fledged administrators to non-IT trained personnel that are tasked to search for pre-defined records.
• While showing information about the system's internals is useful for Administrators, it breaks the principle of least privilege (see for example NIST SP 800-14) by telling end users information they do not require in their tasks.
• In fact, showing the version information for internal components gives potentially malicious users information that may assist in their non-sanctioned activities. Thus, showing this information to non-administrators is generally frowned upon, and handled as (low severity) security incident in security audits.

  Proposal

Add configuration options and/or change the default behaviour. For example show the current information to administrator, but show non-admin users a configurable disclaimer.

Probably also the login screen should be able to show the same disclaimer?

[mibesr]

+1

[pimpampeter]

This is likely a requirement for a lot of organisations, any idea when/if this choice in footer text will be implemented ? @mikkolehtisalo : you would make me happy if you could you share how you implemented the mod_substitute rule .

[mikkolehtisalo]

Yes, showing a legal disclaimer is a typical mandatory thing for all systems for many organisations.

@pimpampeter I went for a popup because it has to be acknowledged. However the same trick can be used to just add text to the footer.

Popup javascript file on web server (/var/www/html/eula-popup.js, will be found at http://server/eula-popup.js):

if (!localStorage.getItem("runEulaOnce")) {
 // Could probably also refer to the same Javascript libraries the UI is using to get a nicer popup
 alert("Big scary EULA");
 localStorage.setItem("runEulaOnce", true);
}

Then in the Apache httpd's configuration:

# This causes the /eula-popup.js to be served from local files instead of proxying to backend service
RewriteRule ^/eula-popup.js$ /eula-popup.js [L]
# These require at least mod_filter
FilterDeclare replace
FilterProvider replace SUBSTITUTE "{Content_Type} = 'text/html'"
FilterChain +replace
# Find the last tag from the page, inject our javacsript file right before that
# If you wanted to add the footer text, you'd have to find a good tag from the source to attach your stuff into
# Relying to javascript is probably more reliable in any case, because changes in the UI doesn't break it so easily
Substitute "s|</body>|<script src=\"/eula-popup.js\"></script><\body>|ni"

Nginx probably has something similar. This all depends on how you set up your web server. Please never ever run any service without having a full blown web server at front....