GDPR and ISO 27001

josephkiwan · October 20, 2022, 2:39pm

I was wondering if Cockpit is GDPR compliant out of the box?
Also, does Cockpit pass ISO 27001?

Mark · March 15, 2023, 8:13pm

I’m bumping this question because of a project that would require the same.

@josephkiwan have you figured it out yet?

artur · March 16, 2023, 5:26pm

Cockpit doesn’t have a ISO 27001 certification, but shouldn’t be the environment/infrastructure ISO 27001 compliant not the app you’re using?

Regarding GDPR, I would say yes. Besides the usere related account information(name, email) no other private user data is stored. Cookies store only session related information. No user tracking etc is used.

Mark · March 17, 2023, 1:49pm

Thank you for your reply. You’re right about the environment/infrastructure being ISO 27001 compliant.

Also it is good that Cockpit comes with 2FA out of the box for users.

raffaelj · March 27, 2023, 6:03pm

The user IP address is logged. So there is actually some tracking.

See:

github.com

Cockpit-HQ/Cockpit/blob/develop/modules/App/Controller/Auth.php#L106


      
                  }
          
          
        // remove 2FA settings from user session
                  unset($user['twofa']);
          
          
        $this->app->trigger('app.user.disguise', [&$user]);
          
          
        $this->helper('auth')->setUser($user);
                  $this->helper('session')->write('app.session.start', time());
          
          
        $this->app->trigger('app.user.login', [$user]);
          
          
        return ['success' => true, 'user' => $user];
              }
          
          
    return ['success' => false];
          }
          
          
public function validate2FA() {
          
          
    $code = $this->param('code', null);

github.com

Cockpit-HQ/Cockpit/blob/develop/modules/System/admin.php#L56-L65


      
          $this->on('app.user.login', function($user) {
          
          
    $this->module('system')->log("User Login: {$user['user']}", type: 'info', context: [
                  '_id' => $user['_id'],
                  'user' => $user['user'],
                  'name' => $user['name'],
                  'email' => $user['email'],
                  'ip' => $this->getClientIp()
              ]);
          });