
Cockpit `AllowUnencrypted` == False

Open jcpunk opened this issue 4 years ago • 0 comments

Which products and profiles does the rule apply to?

fedora,ol7,ol8,rhel7,rhel8,rhel9

Describe the configuration setting enforced by this rule.

Cockpit can be configured to accept just HTTP access logins. This rule would ensure that HTTPS is required.

Why is the configuration security relevant?

HTTP only login would expose a user password in plain text over the network.

How to check the configuration?

/etc/cockpit/cockpit.conf will not contain:

[WebService]
AllowUnencrypted=true

The default provided by Cockpit is AllowUnencrypted=false. Thus no value is equivalent to =false.

Is it order dependent? (does it need to be at certain place in the file?)

The AllowUnencrypted keyword is only valid within the [WebService] block.

What is correct and incorrect syntax?

Correct:

[WebService]
AllowUnencrypted=false

Correct:

[WebService]
[Session]

Incorrect:

[WebService]
AllowUnencrypted=true

How to remediate

Ensure the relevant line is removed.

Does any command need to be run?

The cockpit service will need to be restarted to see the change.

Are there going to be other rules like this one in the future? Is it worth creating a template? (similar configuration format, similar remediation process...)

Yes, there are other potential security-related settings for the cockpit service. The config file itself is in ini syntax, which may already have a template.

Are there any caveats to be considered when testing?

No

Is the configuration loaded directly by the or is it stored in some intermediate database (similar to dconf)? (We want to edit the lowest level possible, if appropriate)

The file is used as is.

Is it possible to check / remediate this configuration in offline mode? (scanning containers or offline systems)

This option can be checked in offline mode.

Please provide security policy references if possible e.g. STIG

This is probably related to any profile rules requiring encrypted logins.

jcpunk, Nov 16 '21 20:11
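A check and remediation for the rule described in the issue, written here as an added example (not code from the issue or from the ComplianceAsCode project): it parses cockpit.conf with Python's configparser, treats AllowUnencrypted as meaningful only inside [WebService], treats an absent key or file as the Cockpit default (false), and removes only the offending line. The set of value spellings counted as enabled (true/yes/1) and the constructed sample file are assumptions.

```python
import configparser
from pathlib import Path

SECTION = "WebService"
KEY = "allowunencrypted"            # configparser lower-cases option names
TRUE_VALUES = {"true", "yes", "1"}  # assumption: spellings treated as enabled

# Constructed sample, not a real host's configuration.
SAMPLE_BAD = """\
[WebService]
LoginTitle=Lab host
AllowUnencrypted=true

[Session]
IdleTimeout=15
"""


def allows_unencrypted(text):
    """True when AllowUnencrypted is enabled in [WebService].
    No section, no key or no value all mean the Cockpit default (false);
    the key in any other section is ignored, as it is not valid there."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    if not cp.has_section(SECTION):
        return False
    value = cp.get(SECTION, KEY, fallback=None)
    return value is not None and value.strip().lower() in TRUE_VALUES


def remediate(text):
    """Drop AllowUnencrypted lines from [WebService] only; keep everything else."""
    out, in_section = [], False
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1] == SECTION
        elif in_section and stripped.split("=", 1)[0].strip().lower() == KEY:
            continue  # the line to remove; cockpit must be restarted afterwards
        out.append(line)
    return "".join(out)


def check_file(path="/etc/cockpit/cockpit.conf"):
    """Rule passes if the file is absent (defaults apply) or does not enable it."""
    p = Path(path)
    return not (p.exists() and allows_unencrypted(p.read_text()))
```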