GDPR and ISO 27001

I was wondering if Cockpit is GDPR compliant out of the box?
Also, does Cockpit pass ISO 27001?

I’m bumping this question because of a project that would require the same.

@josephkiwan have you figured it out yet?

Cockpit doesn’t have an ISO 27001 certification, but shouldn’t the environment/infrastructure be ISO 27001 compliant, not the app you’re using?

Regarding GDPR, I would say yes. Besides the user-related account information (name, email), no other private user data is stored. Cookies store only session-related information. No user tracking etc. is used.


Thank you for your reply. You’re right about the environment/infrastructure being ISO 27001 compliant.

Also it is good that Cockpit comes with 2FA out of the box for users.

The user IP address is logged. So there is actually some tracking.

See:

Article 6

So in 6.1 f it says:

Processing shall be lawful only if and to the extent that at least one of the following applies:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Logging IP addresses for the purpose of security is a widespread practice. It is a legitimate interest to comply with standard security practices.

Sure, but it is not legitimate to store that data forever. Otherwise you just produce data lakes that possibly become data leaks a few years later. So:

  1. Users/admins must be aware that Cockpit is tracking some user data.
  2. Besides using logrotate or other tools to delete or anonymize access logs, there is now another log inside a database, mixed with error logs, that needs care.

Sidenote: I wanted to inspect the log of my test installation, but it throws an error. I guess it’s because I have some empty entries in the log table of system.sqlite for some reason:

error: "MongoLite\\Database::callCriteriaFunction(): Argument #2 ($document) must be of type array, null given, called in /var/www/html/lib/MongoLite/Database.php on line 83"

All the conversation so far about the situation of Cockpit CMS and European orientated GDPR, that I have read to date, is totally inaccurate and rubbish.

The comments that I have read suggest to me, very strongly, that the authors do not understand the core concepts of GDPR and thus any research they have done and regurgitation of anything read is irrelevant and wrong.

Artur, as author of the program, has no responsibility to do anything to ensure that his software that he is making available to us, complies with any Data Protection legislation. However it makes sense for him to program the software with the right tools and in the right way to ensure his users can comply. However, how the hell he is supposed to know what is appropriate for each of Japan, Brazil, Germany and the United States, as just a few examples, I cannot start to imagine. The idea of some sort of compliance with an ISO standard is also completely pie in the sky. An ISO standard in one country might be a complete nonsense in another, that is assuming it even exists!

Compliance with any regulations and laws on Data Protection, anywhere in the world, is the responsibility of the publisher/owner of the website or internet activity. Logically the publisher (the end user) will expect their contractor to provide them with the tools and system that complies with or is capable of complying with the law, applicable in that jurisdiction.

In my opinion, all Cockpit CMS developers have a moral (if not contractual) responsibility to supply customers with software that is compliant with the laws of data protection appropriate for their jurisdiction. If you, as a developer, have found a place in Cockpit where your need is not being met by the Cockpit software, ask Artur to make the required change to the software that will make your use of Cockpit compliant in your jurisdiction. How he responds is his (and your) concern.

I object to the idea that somehow Artur is doing something fundamentally wrong and needs to justify himself.

So please, no more waste of Artur’s valuable time on such matters. Make recommendations by all means for things that might enhance and improve Cockpit CMS but no more queries about GDPR in the way they have been couched so far.

I want Artur to develop Cockpit CMS to become the best backend data management system that it can possibly be. It still has some way to go to achieve it but it is the best thing that exists at this time and has been so for some years. This is why I have stopped working on my Cliqon backend and now just use my framework to provide front ends. The two work fantastically together, although there is some overlap. Some day in the future, I will publish the new Cliqon with Cockpit for use by other developers, but that is another forum thread.

I added a quick fix to opt-out of logging user logins.

config/config.php:

<?php
return [
    'log' => [
        'login' => false,
    ],
];

To re-enable custom logging, just add your own code to config/bootstrap.php:

$app->on('app.user.login', function($user) {

    $this->module('system')->log("User Login: {$user['user']}", type: 'info', context: [
        '_id' => $user['_id'],
        // 'user' => $user['user'],
        // 'name' => $user['name'],
        // 'email' => $user['email'],
        // 'ip' => $this->getClientIp()
    ]);
});

So it’s still not perfect (opt-in is preferable over opt-out), but with this quick change (develop branch or next release 2.4.2), I don’t see a problem regarding GDPR anymore.
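As an added example (not code from the post or from Cockpit itself) that ties the opt-out above to the retention and anonymization concern raised earlier in the thread: assuming `'log' => ['login' => false]` is set in config/config.php as shown, and assuming the `app.user.login` hook, `$this->module('system')->log()` and `$this->getClientIp()` behave as in the post, this bootstrap.php variant re-adds a login log that keeps only the network part of the client address. The `$anonymizeIp` helper and the /24 and /64 mask widths are my own assumptions, not a Cockpit feature.

```php
<?php
// config/bootstrap.php (added example, not Cockpit's own code)
// Assumes 'log' => ['login' => false] in config/config.php so the
// built-in login log is off; this re-adds a reduced-data version of it.

// Hypothetical helper: keep only the network part of the client IP.
// IPv4 keeps the first 3 octets (/24), IPv6 the first 64 bits (/64).
$anonymizeIp = static function (?string $ip): ?string {
    if ($ip === null || $ip === '') {
        return null;
    }
    $bin = @inet_pton($ip);          // false for anything that is not an IP
    if ($bin === false) {
        return null;
    }
    $keep   = strlen($bin) === 4 ? 3 : 8;
    $masked = substr($bin, 0, $keep) . str_repeat("\0", strlen($bin) - $keep);
    return inet_ntop($masked);       // constructed sample: 203.0.113.42 -> 203.0.113.0
};

$app->on('app.user.login', function ($user) use ($anonymizeIp) {
    // Only the account id and the truncated address go into the context;
    // name and email stay out of the log table.
    $this->module('system')->log("User Login: {$user['user']}", type: 'info', context: [
        '_id' => $user['_id'],
        'ip'  => $anonymizeIp((string) $this->getClientIp()),
    ]);
});
```

The truncated address is still enough to spot login bursts from one network during a security review, while the log table no longer holds a full identifier that would need its own deletion schedule.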