Introduction
Checks in this section are aimed at identifying
- normal use of sessions in JOC Cockpit,
- use of unchanged default values and insecure configurations.
Checks
Active Sessions
The number of active sessions is an indicator for normal use of JOC Cockpit. A higher number of sessions can indicate that users or scripts did not log out.
- Sessions are created after login of users.
- Access to the JOC Cockpit REST API from scripts, programs etc. similarly creates sessions.
- Sessions are closed on logout of the related user or script. Sessions expire when they exceed the maximum idle timeout (default: 15 minutes).
Workflow | Severity |
---|---|
Self-Test-Identity-Management-ActiveSessions | Warning |
The workflow makes use of the following arguments:
Argument Name | Default | Purpose |
---|---|---|
iam_max_active_sessions | 20 | Specifies the max. number of allowed active sessions. |
iam_max_active_sessions_by_account | 5 | Specifies the max. number of allowed active sessions per account. |
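The following Python snippet is an added example of the logic behind this check; it is not the JS7 self-test workflow itself. It drops sessions that exceeded the idle timeout (JOC Cockpit expires them, so they must not be counted), then applies the two thresholds above. The session record shape (an account name and a last-access timestamp) and the sample data are assumptions constructed for the example, not the JOC Cockpit REST API response format.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Thresholds follow the workflow arguments documented above.
DEFAULT_MAX_ACTIVE_SESSIONS = 20              # iam_max_active_sessions
DEFAULT_MAX_ACTIVE_SESSIONS_BY_ACCOUNT = 5    # iam_max_active_sessions_by_account
DEFAULT_IDLE_TIMEOUT = timedelta(minutes=15)  # JOC Cockpit default idle session timeout


def live_sessions(sessions, now, idle_timeout=DEFAULT_IDLE_TIMEOUT):
    """Drop sessions that exceeded the idle timeout: JOC Cockpit expires them,
    so they must not be counted as active.

    A session is a dict with 'account' and 'last_access' (timezone-aware datetime).
    This record shape is an assumption of the example, not the JOC Cockpit API format.
    """
    return [s for s in sessions if now - s["last_access"] <= idle_timeout]


def check_active_sessions(sessions, now,
                          max_total=DEFAULT_MAX_ACTIVE_SESSIONS,
                          max_by_account=DEFAULT_MAX_ACTIVE_SESSIONS_BY_ACCOUNT,
                          idle_timeout=DEFAULT_IDLE_TIMEOUT):
    """Apply both thresholds and return counts plus a list of Warning findings."""
    live = live_sessions(sessions, now, idle_timeout)
    per_account = Counter(s["account"] for s in live)
    findings = []
    if len(live) > max_total:
        findings.append(
            f"Warning: {len(live)} active sessions exceed iam_max_active_sessions={max_total}")
    for account, count in sorted(per_account.items()):
        if count > max_by_account:
            findings.append(
                f"Warning: account '{account}' has {count} active sessions, "
                f"exceeding iam_max_active_sessions_by_account={max_by_account}")
    return {"active": len(live), "per_account": dict(per_account), "findings": findings}


# Constructed sample data: six root sessions opened by a script that never logs out,
# one session idle for 40 minutes (already expired) and one normal user session.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = (
    [{"account": "root", "last_access": NOW - timedelta(minutes=m)} for m in range(1, 7)]
    + [{"account": "report_script", "last_access": NOW - timedelta(minutes=40)}]
    + [{"account": "alice", "last_access": NOW - timedelta(minutes=10)}]
)

if __name__ == "__main__":
    result = check_active_sessions(SAMPLE_SESSIONS, NOW)
    print(f"{result['active']} active sessions, per account: {result['per_account']}")
    for finding in result["findings"]:
        print(finding)
```

With the sample data the total of 7 live sessions stays below the default of 20, but the root account exceeds the per-account limit of 5, which is the typical signature of a script that logs in repeatedly without calling logout.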
Blocked Accounts
Administrators can add accounts from any Identity Services to a blocklist. Such accounts cannot login to JOC Cockpit.
This check reports the number of blocked accounts. A higher number indicates that an Identity Service grants access to accounts that should not have it. For example, if the LDAP Identity Service is used and offers a larger number of accounts access to JOC Cockpit, then administrators might apply the blocklist to deny access to individual accounts. In fact, the configuration of the LDAP Identity Service should be improved to specify more fine-grained access instead.
Workflow | Severity |
---|---|
Self-Test-Identity-Management-BlockedAccounts | Warning |
The workflow makes use of the following arguments:
Argument Name | Default | Purpose |
---|---|---|
iam_max_blocked_accounts | 5 | Specifies the max. number of accounts in the blocklist. |
Identity Services
The check reports the JS7 - Identity Services that are used for login to JOC Cockpit.
- A larger number of enabled Identity Services can indicate a configuration that is too complex and hard to understand. When redundancy of Identity Services is required, for example with a number of LDAP servers, then a higher number can be fine.
- A larger number of enabled Identity Services can indicate that configuration items used for testing have not been removed and should be cleaned up.
- The check will verify if the JOC-RESCUE Identity Service is active, see JS7 - Rescue in case of lost access to JOC Cockpit. The Identity Service is used to restore access to JOC Cockpit and is not intended for ongoing use.
Workflow | Severity |
---|---|
Self-Test-Identity-Management-IdentityServices | Warning |
The workflow makes use of the following arguments:
Argument Name | Default | Purpose |
---|---|---|
iam_max_active_identity_services | 5 | Checks if the number of enabled Identity Services exceeds the value. |
iam_max_inactive_identity_services | 5 | Checks if the number of disabled Identity Services exceeds the value. |
Initial Password Change
Initial passwords occur in the following places of JS7 - Identity and Access Management:
- JOC Cockpit ships with the root account enabled using the default password `root`. On first login users must change the root account's password.
- When creating new accounts and when resetting passwords for other accounts in the JS7 - JOC Identity Service, administrators can apply an initial password that must be changed by the user on first login. The default value of the initial password is `initial`. The value can be changed from the JS7 - Settings page.
- For both situations the value of the initial password should be different from its default.
The following tests are performed:
- The check verifies if the root account's password was changed from its initial value.
- The check verifies if the initial password used when managing other accounts was changed.
Workflow | Severity |
---|---|
Self-Test-Identity-Management-InitialPasswordChange | Warning |
The workflow makes use of the following arguments:
Argument Name | Default | Purpose |
---|---|---|
iam_joc_identity_service | JOC-INITIAL | Specifies the name of the JS7 - JOC Identity Service in which the root account is looked up for required password change. |
Initial Settings
Initial settings are relevant for security. This includes the use of excluded passwords and of passwords that are too short for the JS7 - JOC Identity Service:
- Excluded passwords can be specified as a comma separated list.
- The minimum password length and the idle session timeout for JOC Cockpit are specified with the JS7 - Settings, section: Identity and Access Management Settings. Users can specify workflow arguments to check if the related settings match the requirements.
Workflow | Severity |
---|---|
Self-Test-Identity-Management-InitialSettings | Warning |
The workflow makes use of the following arguments:
Argument Name | Default | Purpose |
---|---|---|
iam_excluded_passwords | root,initial | Specifies excluded passwords that are not allowed for use as the initial password. Passwords are separated by comma. |
iam_min_password_length | 8 | Specifies the minimum password length. The setting applies to the JOC Identity Service. |
iam_max_idle_session_timeout | 1800 | Specifies the max. allowed idle session timeout in seconds. The setting applies to all Identity Services. |
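The following Python snippet is an added example, not the JS7 self-test workflow, of how the Initial Settings check and the initial-password part of the Initial Password Change check above fit together: the configured initial password is tested against the excluded list and the minimum length, and the configured minimum length and idle session timeout are compared with the thresholds. It does not attempt the root login test. The settings dict layout and the sample configurations are assumptions constructed for the example, not the JOC Cockpit settings format.

```python
# Defaults follow the workflow arguments documented above.
DEFAULT_EXCLUDED_PASSWORDS = "root,initial"   # iam_excluded_passwords
DEFAULT_MIN_PASSWORD_LENGTH = 8               # iam_min_password_length
DEFAULT_MAX_IDLE_SESSION_TIMEOUT = 1800       # iam_max_idle_session_timeout, seconds


def parse_excluded_passwords(value):
    """Split the comma separated argument, tolerating blanks and surrounding whitespace.
    Entries are lower-cased so that 'Root' is rejected along with 'root' (a design choice
    of this example)."""
    return {p.strip().lower() for p in value.split(",") if p.strip()}


def check_password(label, password, excluded, min_length):
    """Findings for one password value: not an excluded password and long enough."""
    findings = []
    if password.lower() in excluded:
        findings.append(f"Warning: {label} is an excluded password")
    if len(password) < min_length:
        findings.append(f"Warning: {label} is shorter than iam_min_password_length={min_length}")
    return findings


def check_initial_settings(settings,
                           excluded_passwords=DEFAULT_EXCLUDED_PASSWORDS,
                           min_password_length=DEFAULT_MIN_PASSWORD_LENGTH,
                           max_idle_session_timeout=DEFAULT_MAX_IDLE_SESSION_TIMEOUT):
    """Compare configured IAM settings with the check's thresholds.

    'settings' is a dict with keys 'initial_password', 'min_password_length' and
    'idle_session_timeout' (seconds). This key layout is an assumption of the example.
    """
    excluded = parse_excluded_passwords(excluded_passwords)
    findings = check_password("initial password", settings["initial_password"],
                              excluded, min_password_length)
    if settings["min_password_length"] < min_password_length:
        findings.append(
            f"Warning: configured minimum password length {settings['min_password_length']} "
            f"is below iam_min_password_length={min_password_length}")
    if settings["idle_session_timeout"] > max_idle_session_timeout:
        findings.append(
            f"Warning: idle session timeout {settings['idle_session_timeout']}s exceeds "
            f"iam_max_idle_session_timeout={max_idle_session_timeout}s")
    return findings


# Constructed samples: unchanged defaults next to a hardened configuration.
UNCHANGED_DEFAULTS = {
    "initial_password": "initial",   # shipped default, never changed
    "min_password_length": 8,
    "idle_session_timeout": 900,     # 15 minutes
}
HARDENED_SETTINGS = {
    "initial_password": "Tq7#vL2pN9m!xZ",
    "min_password_length": 12,
    "idle_session_timeout": 900,
}
LONG_TIMEOUT_SETTINGS = dict(HARDENED_SETTINGS, idle_session_timeout=7200)

if __name__ == "__main__":
    for name, cfg in (("defaults", UNCHANGED_DEFAULTS), ("hardened", HARDENED_SETTINGS),
                      ("long timeout", LONG_TIMEOUT_SETTINGS)):
        findings = check_initial_settings(cfg)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  " + finding)
```

The unchanged defaults produce two findings: the initial password `initial` is on the excluded list and, at seven characters, is also shorter than the minimum length of 8. Raising the argument thresholds above the product defaults (for example iam_min_password_length=16) is the way to enforce a stricter local policy with the same check.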