GDPR and ISO 27001

josephkiwan · October 20, 2022, 2:39pm

I was wondering if Cockpit is GDPR compliant out of the box?
Also, does Cockpit pass ISO 27001?

Mark · March 15, 2023, 8:13pm

I’m bumping this question because of a project that would require the same.

@josephkiwan have you figured it out yet?

artur · March 16, 2023, 5:26pm

Cockpit doesn’t have a ISO 27001 certification, but shouldn’t be the environment/infrastructure ISO 27001 compliant not the app you’re using?

Regarding GDPR, I would say yes. Besides the usere related account information(name, email) no other private user data is stored. Cookies store only session related information. No user tracking etc is used.

Mark · March 17, 2023, 1:49pm

Thank you for your reply. You’re right about the environment/infrastructure being ISO 27001 compliant.

Also it is good that Cockpit comes with 2FA out of the box for users.

raffaelj · March 27, 2023, 6:03pm

The user IP address is logged. So there is actually some tracking.

See:

github.com

Cockpit-HQ/Cockpit/blob/develop/modules/App/Controller/Auth.php#L106


      
                  }
          
                  // remove 2FA settings from user session
                  unset($user['twofa']);
          
                  $this->app->trigger('app.user.disguise', [&$user]);
          
                  $this->helper('auth')->setUser($user);
                  $this->helper('session')->write('app.session.start', time());
          
                  $this->app->trigger('app.user.login', [$user]);
          
                  return ['success' => true, 'user' => $user];
              }
          
              return ['success' => false];
          }
          
          public function validate2FA() {
          
              $code = $this->param('code', null);

github.com

Cockpit-HQ/Cockpit/blob/develop/modules/System/admin.php#L56-L65


      
          
              $permissions['Logs'] = [
                  'app/logs' => 'View app logs',
              ];
          
              $permissions['Spaces'] = [
                  'app/spaces' => 'Manage spaces',
              ];
          
          });

artur · March 30, 2023, 9:40am

Article 6

So in 6.1 f it says:

Processing shall be lawful only if and to the extent that at least one of the following applies:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Logging IP addresses for the purpose of security is a widespread practice. It is a legitimate interest to comply with standard security practices.

raffaelj · March 30, 2023, 11:50am

Sure, but it is not legitimate to store that data forever. Otherwise you just produce data lakes, that possibly become data leaks a few years later. So:

Users/admins must be aware, that Cockpit is tracking some user data.
Beside using logrotate or other tools to delete or anonymize access logs, now there is another log inside a database, mixed with error logs, that needs care.

Sidenote: I wanted to expect the log of my test installation, but it throws an error. I guess, it’s because I have some empty entries in the log table of system.sqlite for some reason:

error: "MongoLite\\Database::callCriteriaFunction(): Argument #2 ($document) must be of type array, null given, called in /var/www/html/lib/MongoLite/Database.php on line 83"

webcliq · April 1, 2023, 10:47am

All the conversation so far about the situation of Cockpit CMS and European orientated GDPR, that I have read to date, is totally inaccurate and rubbish.

The comments that I have read suggest to me, very strongly, that the authors do not understand the core concepts of GDPR and thus any research they have done and regurgitation of anything read is irrelevant and wrong.

Artur, as author of the program, has no responsibility to do anything to ensure that his software that he is making available to us, complies with any Data Protection legislation. However it makes sense for him to program the software with the right tools and in the right way to ensure his users can comply. However, how the hell he is supposed to know what is appropriate for each of Japan, Brazil, Germany and the United States, as just a few examples, I cannot start to imagine. The idea of some sort of compliance with an ISO standard is also completely pie in the sky. An ISO standard in one country might be a complete nonsense in another, that is assuming it even exists!

Compliance with any regulations and laws on Data Protection, anywhere in the world, is the responsibility of the publisher/owner of the website or internet activity. Logically the publisher (the end user) will expect their contractor to provide them with the tools and system that complies with or is capable of complying with the law, applicable in that jurisdiction.

In my opinion, all Cockpit CMS developers have a moral (if not contractual) responsibility to supply customers with software that is compliant with the laws of data protection, appropraite for their jurisdiction. If you, as a developer, have found a place in Cockpit where your need is not being met by the Cockpit software, ask Artur to make the required change to the software that will make your use of Cockpit, compliant in your jurisdiction. How he responds is his (and your) concern.

I object to the idea that somehow Artur is doing something fundamentally wrong and needs to justify himself.

So please, no more waste of Artur’s valuable time on such matters. Make recommendations by all means for things that might enhance and improve Cockpit CMS but no more queries about GDPR in the way they have been couched so far.

I want Artur to develop Cockpit CMS to become the best backend data management system that it can possibly be. It still has some way to go to achieve it but it is the best thing that exists at this time and has been so for some years. This is why I have stopped working on my Cliqon backend and now just use my framework to provide front ends. The two work fantastically together, although there is some overlap. Some day in the future, I will publish the new Cliqon with Cockpit for use by other developers, but that is another forum thread.

raffaelj · April 3, 2023, 5:42pm

I added a quick fix to opt-out of logging user logins.

config/config.php:

<?php
return [
    'log' => [
        'login' => false,
    ],
];

To re-enable custom logging, just add your own code to config/bootstrap.php:

$app->on('app.user.login', function($user) {

    $this->module('system')->log("User Login: {$user['user']}", type: 'info', context: [
        '_id' => $user['_id'],
        // 'user' => $user['user'],
        // 'name' => $user['name'],
        // 'email' => $user['email'],
        // 'ip' => $this->getClientIp()
    ]);
});

So it’s still not perfect (opt-in is preferable over opt-out), but with this quick change (develop branch or next release 2.4.2), I don’t see a problem regarding GDPR anymore.

Topic		Replies	Views
How to check if a user is logged in / authenticated or not in frontend Support	1	1630	May 12, 2022
Additional user info V1 -> V2 Cockpit v2	1	237	November 22, 2023
Power toys for user management Cockpit v2	3	430	March 27, 2023
MutliTenancy for Cockpit Feature Request	7	1428	September 6, 2020
User session management with Cockpit General	0	546	January 20, 2021

GDPR and ISO 27001

Related topics