Aligning Cockpit with Common Criteria
Over the last few releases, new features have been delivered to make Cockpit meet the Common Criteria (CC), making it possible to undergo the certification process in the near future. This certification is often required by large organizations, particularly in the public sector, and also gives users more confidence that they can use the Web Console without putting their security at risk.
This article summarizes these new changes, with reference to the relevant CC requirements.
Cockpit session tracking
There is a multitude of tools to track logins. Cockpit sessions are now correctly registered in utmp, wtmp and btmp, allowing them to be displayed by tools like who, w, last and lastlog.
Cockpit also works correctly with pam_tally2 and pam_faillock.
[root@m1 ~]# who
root pts/0 2019-12-13 08:09 (172.27.0.2)
admin web console 2019-12-13 08:09
Delivered in versions 209 and 216.
AC-9 Previous Logon (Access) Notification
Support for banners on the login page
Companies or agencies may need to show a warning stating that use of the computer is for lawful purposes only, that the user is subject to monitoring, and that anyone trespassing will be prosecuted. This must be stated before login so that users have had fair warning. Like SSH, Cockpit can optionally show the content of a banner file on the login screen.
This is configured in /etc/cockpit/cockpit.conf. For example, to show the content of /etc/issue.cockpit on the login page:
[Session]
Banner=/etc/issue.cockpit
Delivered in version 209.
FTA_TAB.1 Default TOE access banners
Session timeouts
To prevent abuse of forgotten, unattended Cockpit sessions, Cockpit can be set up to automatically log users out of their current session after a period of inactivity.
The timeout (in minutes) is configured in /etc/cockpit/cockpit.conf. For example, to log out the user after 15 minutes of inactivity:
[Session]
IdleTimeout=15
Delivered in version 209 (with a default timeout of 15 minutes; since version 218 the timeout is disabled by default and must be configured explicitly).
FMT_SMF_EXT.1.1 Enable/disable session timeout
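The two settings above are easy to forget on a fleet, so an auditor usually wants a check that a host's cockpit.conf actually carries them. The following is an added example, not part of the article or the Cockpit project: it parses a constructed cockpit.conf with Python's configparser and reports a finding for a missing Banner, a Banner file that does not exist, and a missing, malformed or disabled IdleTimeout. It assumes the file is plain INI as shown above, that a value of 0 means "no timeout", and uses the article's 15 minutes as a baseline upper bound.

```python
import configparser
import os

# Constructed sample of /etc/cockpit/cockpit.conf combining both settings
# from the article (assumption: plain INI syntax that configparser accepts).
SAMPLE_CONF = """\
[WebService]
LoginTitle=Example host

[Session]
Banner=/etc/issue.cockpit
IdleTimeout=15
"""


def audit_cockpit_conf(text, banner_exists=os.path.isfile, max_minutes=15):
    """Return a list of findings for the CC-related [Session] settings.

    banner_exists is injectable so the check runs against constructed input
    without touching the real filesystem; max_minutes is the policy ceiling
    (15 here, taken from the article's example; adjust to local policy).
    """
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep key names as written (Banner, IdleTimeout)
    cfg.read_string(text)
    session = cfg["Session"] if cfg.has_section("Session") else {}
    findings = []

    banner = session.get("Banner")
    if not banner:
        findings.append("FTA_TAB.1: no Banner configured in [Session]")
    elif not banner_exists(banner):
        findings.append(f"FTA_TAB.1: Banner file {banner} does not exist")

    timeout = session.get("IdleTimeout")
    if timeout is None:
        findings.append("FMT_SMF_EXT.1.1: IdleTimeout not set (disabled by default since 218)")
    elif not timeout.strip().isdigit():
        findings.append(f"FMT_SMF_EXT.1.1: IdleTimeout {timeout!r} is not a whole number of minutes")
    elif int(timeout) == 0:  # assumption: 0 means no idle timeout
        findings.append("FMT_SMF_EXT.1.1: IdleTimeout is 0, sessions never expire")
    elif int(timeout) > max_minutes:
        findings.append(f"FMT_SMF_EXT.1.1: IdleTimeout {timeout} min exceeds the {max_minutes} min baseline")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; pass the real file's text in production.
    for finding in audit_cockpit_conf(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```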
Show “last login” information upon log in
Cockpit displays when the account was last used and how many failed login attempts have occurred for this account since the last successful login. This is an important and required security feature: it lets users notice when their account has been logged into without their knowledge, or when someone is trying to guess their password.
Delivered in version 216.