In the last few releases, new features were delivered to make Cockpit meet the Common Criteria, making it possible to undergo the certification process in the near future. This certification is often required for large organizations, particularly in the public sector, and also gives users more confidence in using the Web Console without risking their security.
This article provides a summary of these new changes with reference to the given CC norms.
Cockpit session tracking
There is a multitude of tools to track logins. Cockpit sessions are now correctly registered in
btmp, allowing them to be displayed in tools like
Cockpit also works correctly with
[root@m1 ~]# who
root     pts/0        2019-12-13 08:09 (172.27.0.2)
admin    web console  2019-12-13 08:09
Support for banners on the login page
Companies or agencies may need to show a warning stating that use of the computer is for lawful purposes, that the user is subject to surveillance, and that anyone trespassing will be prosecuted. This must be stated before login so that users have fair warning. Like SSH, Cockpit can optionally show the content of a banner file on the login screen.
This needs to be configured in /etc/cockpit/cockpit.conf. For example, to show the content of /etc/issue.cockpit on the login page:
Delivered in version 209.
To prevent abuse of forgotten Cockpit sessions, Cockpit can be set up to automatically log users out of their current session after some time of inactivity.
The timeout (in minutes) can be configured in /etc/cockpit/cockpit.conf. For example, to log out the user after 15 minutes of inactivity:
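An added example, not part of the original article or of Cockpit itself: a Python check that reads cockpit.conf and reports whether the login banner and the idle timeout described above are configured. The [Session] section and the Banner and IdleTimeout keys are the names documented in cockpit.conf(5); the function name, the constructed sample content and the 15 minute limit (taken from the article's example) are assumptions of this example.

```python
import configparser
import os

# Constructed sample of /etc/cockpit/cockpit.conf. The [Session] section and
# the Banner / IdleTimeout keys are the names documented in cockpit.conf(5).
SAMPLE_CONF = """\
[Session]
Banner=/etc/issue.cockpit
IdleTimeout=15
"""


def audit_cockpit_conf(text, max_idle_minutes=15, file_exists=os.path.isfile):
    """Return findings for the banner and idle-timeout settings (empty = pass)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case: "Banner", not "banner"
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"cockpit.conf could not be parsed: {exc}"]
    session = parser["Session"] if parser.has_section("Session") else {}
    findings = []

    banner = session.get("Banner", "").strip()
    if not banner:
        findings.append("Banner is not set in [Session]")
    elif not file_exists(banner):
        findings.append(f"Banner file {banner} does not exist")

    raw = session.get("IdleTimeout", "").strip()
    if not raw:
        findings.append("IdleTimeout is not set in [Session]")
    elif not raw.isdigit() or int(raw) == 0:
        findings.append(f"IdleTimeout={raw} is not a positive number of minutes")
    elif int(raw) > max_idle_minutes:
        findings.append(f"IdleTimeout={raw} exceeds the {max_idle_minutes} minute limit")
    return findings


if __name__ == "__main__":
    # Audit the real file when present, otherwise the constructed sample.
    path = "/etc/cockpit/cockpit.conf"
    text = open(path).read() if os.path.isfile(path) else SAMPLE_CONF
    for finding in audit_cockpit_conf(text) or ["no findings"]:
        print(finding)
```

The file_exists parameter exists so the banner path check can be exercised on a machine without Cockpit installed.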
Show “last login” information upon log in
Cockpit displays information about the last time the account was used and how many failed login attempts for this account have occurred since the last successful login. This is an important and required security feature so that users are aware if their account has been logged into without their knowledge or if someone is trying to guess their password.
Delivered in version 216.