On 2019-09-07 09:48+0100, Alastair Sherringham wrote:
I've always avoided Webmin, having briefly looked at it a long time
ago, but Red Hat's "Cockpit" [1] seems more interesting nowadays. Has
anyone looked at it? I suspect it is more closely linked to a
Red Hat/Fedora style server (than Debian, which I use) but I trust the
Red Hat people regarding security in general.
[1] https://cockpit-project.org/
It's relatively new so doesn't have much history; there is a CVE for it,
but it is categorised as DoS.
<https://www.cvedetails.com/cve/CVE-2019-3804/>
I'm not a fan of replacing CLI tasks with GUIs when it comes to server
farms. Red Hat's Ansible is better placed for this, IMHO. My main concern
with a tool like Cockpit is that web GUIs present an attack surface that
wasn't there before the GUI was enabled, and it is this area that is
often reachable from remote (everything's in a public cloud now,
right?). I trust ssh to do authentication far more than a web server
that might have a recently broken .htaccess file that nobody noticed,
for example.
Ed