← Rules Catalog
mediumservicesunverified

Ensure cockpit web services are not in use

cockpit-not-in-use · RHEL ≥ 8 · 1 impl

Description

The cockpit web console (cockpit.socket / cockpit.service) must not be enabled or active unless the host is explicitly managed through it.

Rationale

A network-facing management console is additional attack surface and remote entry point; it must be disabled where unused.

Check → Remediate

Checkcommand
# not in use = cockpit.socket neither active nor enabled (absent is fine)
act=$(systemctl is-active cockpit.socket 2>/dev/null)
en=$(systemctl is-enabled cockpit.socket 2>/dev/null)
if [ "$act" = "active" ] || [ "$en" = "enabled" ]; then
  echo "FAIL: cockpit.socket is in use (active=$act enabled=$en)"
  exit 1
fi
echo "OK: cockpit web services are not in use"
exit 0
expected_exit:
0
Remediatemanual
note:
systemctl stop cockpit.socket && systemctl disable cockpit.socket (or dnf remove cockpit)

Framework references

CIS

rhel8 2.1.3rhel10 2.1.3

NIST 800-53

CM-7
#cockpit#attack-surface#services#cis