Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
.../checks/dovecot_disable_plaintext_auth.xml | 4 +-
rhel6/src/input/checks/dovecot_enable_ssl.xml | 28 ++++
.../checks/dovecot_login_process_per_conn_yes.xml | 28 ----
.../dovecot_mail_drop_priv_before_exec_yes.xml | 28 ----
rhel6/src/input/services/imap.xml | 130
++++++++------------
5 files changed, 81 insertions(+), 137 deletions(-)
create mode 100644 rhel6/src/input/checks/dovecot_enable_ssl.xml
delete mode 100644
rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml
delete mode 100644
rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
diff --git a/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml
b/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml
index ecc4795..e755ce4 100644
--- a/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml
+++ b/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml
@@ -20,8 +20,8 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_dovecot_disable_plaintext_auth"
version="1">
- <ind:path>/etc</ind:path>
- <ind:filename>dovecot.conf</ind:filename>
+ <ind:path>/etc/dovecot/conf.d</ind:path>
+ <ind:filename>10-auth.conf</ind:filename>
<ind:pattern operation="pattern
match">^[\s]*disable_plaintext_auth[\s]*=[\s]*yes\s*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
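Review bot: The object now reads `/etc/dovecot/conf.d/10-auth.conf`, but with `instance` 1 and a `yes`-only pattern the check only proves that one `disable_plaintext_auth = yes` line exists; Dovecot appears to honour the last definition of a setting, so a later `disable_plaintext_auth = no` in this file or in a later-sorted conf.d file would override it without failing the check. A companion negative test that fails on any `^[\s]*disable_plaintext_auth[\s]*=[\s]*no\s*$` line across `/etc/dovecot/conf.d/.*\.conf` would close that gap. The `comment` attribute of `test_dovecot_disable_plaintext_auth` sits above this hunk; if it still names `/etc/dovecot.conf` it should be updated to the new path as well.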
diff --git a/rhel6/src/input/checks/dovecot_enable_ssl.xml
b/rhel6/src/input/checks/dovecot_enable_ssl.xml
new file mode 100644
index 0000000..8a9c62c
--- /dev/null
+++ b/rhel6/src/input/checks/dovecot_enable_ssl.xml
@@ -0,0 +1,28 @@
+<def-group>
+ <definition class="compliance"
+ id="dovecot_enable_ssl" version="1">
+ <metadata>
+ <title>Enable SSL in Dovecot</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <!-- <reference ref_id="CCE:TODO" source="CCE" /> -->
+ <description>SSL capabilities should be enabled for the mail
server.</description>
+ </metadata>
+ <criteria comment="Enable SSL in Dovecot">
+ <criterion test_ref="test_dovecot_enable_ssl" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests the value of the ssl[\s]*(<:nocomment:>*)
setting in the /etc/dovecot.conf file"
+ id="test_dovecot_enable_ssl" version="1">
+ <ind:object object_ref="obj_dovecot_enable_ssl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_dovecot_enable_ssl"
+ version="1">
+ <ind:path>/etc/dovecot/conf.d</ind:path>
+ <ind:filename>10-ssl.conf</ind:filename>
+ <ind:pattern operation="pattern
match">^[\s]*ssl[\s]*=[\s]*yes\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
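Review bot: The pattern on the `ind:pattern` line accepts only `ssl = yes`, so a host hardened with the stricter `ssl = required` (which requires TLS rather than merely offering it) fails this check although it exceeds the requirement; `^[\s]*ssl[\s]*=[\s]*(yes|required)\s*$` would accept both, with the rule text in imap.xml noting `required` as the stronger value. The `comment` attribute of `test_dovecot_enable_ssl` still says `setting in the /etc/dovecot.conf file` while the object points at `/etc/dovecot/conf.d/10-ssl.conf`; change it to `setting in the /etc/dovecot/conf.d/10-ssl.conf file`. The same last-definition-wins caveat as for `disable_plaintext_auth` applies here: a later `ssl = no` in another conf.d file would override a matched `ssl = yes` without failing the check.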
diff --git
a/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml
b/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml
deleted file mode 100644
index d1569ea..0000000
--- a/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="dovecot_login_process_per_conn_yes" version="1">
- <metadata>
- <title>Enable login_process_per_connection in Dovecot</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <reference ref_id="CCE-4410-7" source="CCE" />
- <description>login_process_per_connection should be
enabled.</description>
- </metadata>
- <criteria comment="Enable login_process_per_connection in Dovecot">
- <criterion test_ref="test_dovecot_login_process_per_conn_yes" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the
login_process_per_connection[\s]*(<:nocomment:>*) setting in the
/etc/dovecot.conf file"
- id="test_dovecot_login_process_per_conn_yes" version="1">
- <ind:object object_ref="obj_dovecot_login_process_per_conn_yes" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_dovecot_login_process_per_conn_yes"
- version="1">
- <ind:path>/etc</ind:path>
- <ind:filename>dovecot.conf</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*login_process_per_connection[\s]*=[\s]*yes\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git
a/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
b/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
deleted file mode 100644
index edb721a..0000000
--- a/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="dovecot_mail_drop_priv_before_exec_yes" version="1">
- <metadata>
- <title>Enable login_process_per_connection in Dovecot</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <reference ref_id="CCE-4410-7" source="CCE" />
- <description>login_process_per_connection should be
enabled.</description>
- </metadata>
- <criteria comment="Enable login_process_per_connection in Dovecot">
- <criterion test_ref="test_dovecot_mail_drop_priv_before_exec_yes" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the
mail_drop_priv_before_exec[\s]*(<:nocomment:>*) setting in the
/etc/dovecot.conf file"
- id="test_dovecot_mail_drop_priv_before_exec_yes" version="1">
- <ind:object object_ref="obj_dovecot_mail_drop_priv_before_exec_yes" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="obj_dovecot_mail_drop_priv_before_exec_yes"
- version="1">
- <ind:path>/etc</ind:path>
- <ind:filename>dovecot.conf</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*mail_drop_priv_before_exec[\s]*=[\s]*yes\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/rhel6/src/input/services/imap.xml
b/rhel6/src/input/services/imap.xml
index cb6c644..96a43a9 100644
--- a/rhel6/src/input/services/imap.xml
+++ b/rhel6/src/input/services/imap.xml
@@ -53,7 +53,7 @@ the recommendations below.
<title>Support Only the Necessary Protocols</title>
<description>Dovecot supports the IMAP and POP3 protocols, as well as
SSL-protected versions of those protocols. Configure the Dovecot
server -to support only the protocols needed by your site. Edit
<tt>/etc/dovecot.conf</tt>. +to support only the protocols needed by
your site. Edit <tt>/etc/dovecot/dovecot.conf</tt>. Add or correct the
following lines, replacing <tt>PROTOCOL</tt> with only the subset of
protocols (<tt>imap</tt>, <tt>imaps</tt>, <tt>pop3</tt>,
<tt>pop3s</tt>) required:
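Review bot: The context lines kept here still tell the reader to choose from `imap`, `imaps`, `pop3`, `pop3s` for `protocols`, while the rest of this patch moves every path to the `/etc/dovecot/conf.d` layout of Dovecot 2.x; on 2.x `protocols` no longer takes `imaps`/`pop3s` (the SSL listeners are enabled through the `ssl` setting and the service listeners instead), so a reader following this text is likely to get a configuration error. If the target is indeed Dovecot 2.x, the list should be reduced to `imap` and `pop3` and the `<pre>` block below this hunk adjusted to match. The enclosing `<description>` and its `<pre>` continue outside the hunk.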
@@ -76,7 +76,7 @@ to base an attack.</rationale>
<!-- <oval id="dovecot_support_necessary_protocols" /> -->
</Rule>
-<Group id="dovecot_enable_ssl">
+<Group id="dovecot_enabling_ssl">
<title>Enable SSL Support</title>
<description>SSL should be used to encrypt network traffic between the
Dovecot server and its clients. Users must authenticate to the Dovecot
@@ -87,17 +87,33 @@ to authenticate the server, preventing another
system from impersonating
the server.
</description>
+<Rule id="dovecot_enable_ssl">
+<title>Enable the SSL flag in <tt>/etc/dovecot.conf</tt></title>
+<description>To allow clients to make encrypted connections the
<tt>ssl</tt>
+flag in Dovecot's configuration file needs to be set to <tt>yes</tt>.
+<br /><br />
+Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the
following line:
+<pre>ssl = yes</pre>
+</description>
+<rationale>
+SSL encrypt network traffic between the Dovecot server and its clients
+protecting user credentials, mail as it is downloaded, and clients may
use +SSL certificates to authenticate the server, preventing another
system from +impersonating the server.
+</rationale>
+<!-- <ident cce="4239-0" /> -->
+<oval id="dovecot_enable_ssl" />
+</Rule>
+
<Rule id="dovecot_configure_ssl_cert">
-<title>Configure Dovecot to Use the SSL Certificate</title>
-<description>These options tell Dovecot where to find the TLS
-configuration, allowing clients to make encrypted connections.
+<title>Configure Dovecot to Use the SSL Certificate file</title>
+<description>This option tell Dovecot where to find the the mail
+server's SSL Certificate.
<br /><br />
-Edit <tt>/etc/dovecot.conf</tt> and add or correct the following -lines
(ensuring they reference the appropriate files):
-<pre>ssl_cert_file = /etc/pki/tls/imap/servercert.pem
-ssl_key_file = /etc/pki/tls/imap/serverkey.pem
-ssl_ca_file = /etc/pki/tls/CA/cacert.pem
-</pre>
+Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the
following +line. The path below is the default path set by the Dovecot
installation. If +you are using a different path, ensure you reference
the appropriate file:
+<pre>ssl_cert = </etc/pki/dovecot/certs/dovecot.pem</pre>
</description>
<rationale>
SSL certificates are used by the client to authenticate the identity
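Review bot: The new `<pre>ssl_cert = </etc/pki/dovecot/certs/dovecot.pem</pre>` line puts a raw `<` inside element content, which is not well-formed XML: a parser reads `</etc` as the start of an end tag and the build of imap.xml will fail. Dovecot's file-reading prefix has to be escaped, `<pre>ssl_cert = &lt;/etc/pki/dovecot/certs/dovecot.pem</pre>`, and the same applies to the `ssl_key` line in the next hunk. The title of the new `dovecot_enable_ssl` rule names `/etc/dovecot.conf` while its description edits `/etc/dovecot/conf.d/10-ssl.conf`; use `<title>Enable the SSL flag in <tt>/etc/dovecot/conf.d/10-ssl.conf</tt></title>`. The commented `<ident cce="4239-0" />` was moved here from the `dovecot_configure_ssl_cert` rule; worth confirming that this CCE describes the `ssl` flag rather than the certificate path before the mapping is published.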
@@ -106,14 +122,35 @@ Not using SSL to encrypt mail server traffic could
allow unauthorized
access to credentials and mail messages since they are sent in plain
text over the network.
</rationale>
-<!-- <ident cce="4239-0" /> -->
+<!-- <ident cce="CCD:TODO" /> -->
<!-- <oval id="dovecot_configure_ssl_cert" /> -->
</Rule>
+<Rule id="dovecot_configure_ssl_key">
+<title>Configure Dovecot to Use the SSL Key file</title>
+<description>This option tell Dovecot where to find the the mail
+server's SSL Key.
+<br /><br />
+Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the
following +line. The path below is the default path set by the Dovecot
installation. If +you are using a different path, ensure you reference
the appropriate file:
+<pre>ssl_key = </etc/pki/dovecot/private/dovecot.pem</pre>
+</description>
+<rationale>
+SSL certificates are used by the client to authenticate the identity
+of the server, as well as to encrypt credentials and message traffic.
+Not using SSL to encrypt mail server traffic could allow unauthorized
+access to credentials and mail messages since they are sent in plain
+text over the network.
+</rationale>
+<!-- <ident cce="CCE:TODO" /> -->
+<!-- <oval id="dovecot_configure_ssl_key" /> -->
+</Rule>
+
<Rule id="dovecot_disable_plaintext_auth">
<title>Disable Plaintext Authentication</title>
<description>To prevent Dovecot from attempting plaintext
-authentication of clients, edit <tt>/etc/dovecot.conf</tt> and add
+authentication of clients, edit
<tt>/etc/dovecot/conf.d/10-auth.conf</tt> and add
or correct the following line:
<pre>disable_plaintext_auth = yes</pre>
</description>
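Review bot: `<!-- <ident cce="CCD:TODO" /> -->` on the `dovecot_configure_ssl_cert` rule misspells the placeholder prefix every other rule uses (`CCE:TODO`), so a later search for outstanding CCE assignments would miss it. The new `dovecot_configure_ssl_key` rule repeats the certificate rule's rationale verbatim; a key-specific rationale (the private key is what lets the server prove the identity the certificate asserts, and nothing but Dovecot should be able to read it) would justify the separate rule and, ideally, a companion check on the key file's ownership and mode. Both rules keep their `<oval>` references commented out, so after this patch only the `ssl = yes` flag is verified and a host whose certificate or key path is missing or unreadable still passes the profile. Minor wording on both descriptions: `This option tell Dovecot where to find the the mail` should read `This option tells Dovecot where to find the mail`.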
@@ -125,72 +162,7 @@ attacker access to credentials by monitoring
network traffic.
<oval id="dovecot_disable_plaintext_auth" />
</Rule>
-</Group> <!-- <Group id="dovecot_enable_ssl" -->
-
-<Group id="dovecot_enable_code_flaw_protect">
-<title>Enable Dovecot Options to Protect Against Code Flaws</title>
-<description>IMAP and POP3 are remote authenticated protocols, meaning
that -the server must accept remote connections from anyone, but provide
substantial -services only to clients who have successfully
authenticated. To protect -against security problems, Dovecot splits
these functions into separate -server processes. The <tt>imap-login</tt>
and/or <tt>pop3-login</tt> -processes accept connections from
unauthenticated users, and only spawn -<tt>imap</tt> or <tt>pop3</tt>
processes on successful authentication.
-<br /><br />
-However, the <tt>imap-login</tt> and <tt>pop3-login</tt> processes
-themselves may contain vulnerabilities. Since each of these processes
-operates as a daemon, handling multiple sequential client connections
-from different users, bugs in the code could allow unauthenticated
users -to steal credential data. If the
<tt>login_process_per_connection</tt> option -is enabled, then a
separate <tt>imap-login</tt> or <tt>pop3-login</tt> -process is created
for each new connection, protecting against this class -of problems.
This option has an efficiency cost, but is strongly recommended.
-<br /><br />
-If the <tt>mail_drop_priv_before_exec</tt> option is on, the
<tt>imap-login</tt> -or <tt>pop3-login</tt> process will drop privileges
to the user’s ID after -authentication and before executing the
<tt>imap</tt> or <tt>pop3</tt> -process itself. Under some very limited
circumstances, this could protect -against privilege escalation by
authenticated users. However, if the -mail executable option is used to
run code before starting each user’s session, -it is important to drop
privileges to prevent the custom code from running as root.
-</description>
-
-<Rule id="dovecot_login_process_per_conn_yes">
-<title>login_process_per_connection set to yes</title>
-<description>Setting <tt>login_process_per_connection = yes</tt>, prevents
-possible bugs in the code from allowing unauthenticated users to steal
-credential data when handling multiple sequential client connections
-from different users by creating a separate <tt>imap-login</tt> or
-<tt>pop3-login</tt> process for each new connection.
-<br /><br />
-Edit <tt>/etc/dovecot.conf</tt> and add or correct the following line:
-<pre>login_process_per_connection = yes</pre>
-</description>
-<rationale>
-This setting could protect against an attacker trying to exploit a bug in
-the dovecot code.</rationale>
-<ident cce="4410-7" />
-<oval id="dovecot_login_process_per_conn_yes" />
-</Rule>
-
-<Rule id="dovecot_mail_drop_priv_before_exec_yes">
-<title>mail_drop_priv_before_exec set to yes</title>
-<description>Setting <tt>mail_drop_priv_before_exec = yes</tt>, causes
-the <tt>imap-login</tt> or <tt>pop3-login</tt> process will drop
-privileges to the user’s ID after authentication and before executing
-the <tt>imap</tt> or <tt>pop3</tt> process itself.
-<br /><br />
-Edit <tt>/etc/dovecot.conf</tt> and add or correct the following line:
-<pre>mail_drop_priv_before_exec = yes</pre>
-</description>
-<rationale>
-This setting could protect against privilege escalation by authenticated
-users.</rationale>
-<ident cce="4371-1" />
-<oval id="dovecot_mail_drop_priv_before_exec_yes" />
-</Rule>
-
-</Group> <!-- <Group id="dovecot_enable_code_flaw_protect"> -->
+</Group> <!-- <Group id="dovecot_enabing_ssl" -->
<Group id="dovecot_allow_imap_access">
<title>Allow IMAP Clients to Access the Server</title>
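Review bot: The closing comment `</Group> <!-- <Group id="dovecot_enabing_ssl" -->` misspells the group id introduced earlier in this patch (`dovecot_enabling_ssl`) and, like the line it replaces, omits the `>` that the other closing comments carry; use `</Group> <!-- <Group id="dovecot_enabling_ssl"> -->`. The two deleted rules carried live CCE identifiers (`4410-7` and `4371-1`) and OVAL checks, and nothing in this hunk retires or remaps them. If they were dropped because Dovecot 2.x no longer has `login_process_per_connection` and `mail_drop_priv_before_exec`, the protection the first one gave (a fresh login process per unauthenticated connection) still exists there as `service_count = 1` inside the `service imap-login` block and deserves a replacement rule rather than a silent removal. The enclosing document continues beyond this hunk.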
--
1.7.7.6