Signed-off-by: Willy Santos wsantos@redhat.com --- .../checks/dovecot_disable_plaintext_auth.xml | 4 +- rhel6/src/input/checks/dovecot_enable_ssl.xml | 28 ++++ .../checks/dovecot_login_process_per_conn_yes.xml | 28 ---- .../dovecot_mail_drop_priv_before_exec_yes.xml | 28 ---- rhel6/src/input/services/imap.xml | 130 ++++++++------------ 5 files changed, 81 insertions(+), 137 deletions(-) create mode 100644 rhel6/src/input/checks/dovecot_enable_ssl.xml delete mode 100644 rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml delete mode 100644 rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
diff --git a/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml b/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml
index ecc4795..e755ce4 100644
--- a/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml
+++ b/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml
@@ -20,8 +20,8 @@
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object id="obj_dovecot_disable_plaintext_auth" version="1">
- ind:path/etc</ind:path>
- ind:filenamedovecot.conf</ind:filename>
+ ind:path/etc/dovecot/conf.d</ind:path>
+ ind:filename10-auth.conf</ind:filename>
 <ind:pattern operation="pattern match">^[\s]*disable_plaintext_auth[\s]*=[\s]*yes\s*$</ind:pattern>
 <ind:instance datatype="int">1</ind:instance>
 </ind:textfilecontent54_object>
diff --git a/rhel6/src/input/checks/dovecot_enable_ssl.xml b/rhel6/src/input/checks/dovecot_enable_ssl.xml
new file mode 100644
index 0000000..8a9c62c
--- /dev/null
+++ b/rhel6/src/input/checks/dovecot_enable_ssl.xml
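Review bot: The retargeted object still only proves that some `disable_plaintext_auth = yes` line exists in `10-auth.conf`, not that it is the effective value: Dovecot merges `dovecot.conf` and every included `conf.d/*.conf` with last-occurrence-wins, so a later `disable_plaintext_auth = no` in this file or in another included file passes this check while plaintext authentication stays enabled. Because the unchanged `<ind:pattern>` matches only `yes`, pair it with a second object asserting that no line matching `^\s*disable_plaintext_auth\s*=\s*no\s*$` exists, using `<ind:filename operation="pattern match">^.*\.conf$</ind:filename>` under `/etc/dovecot/conf.d` so every included file is covered. The enclosing `<def-group>` and definition begin outside this hunk.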
@@ -0,0 +1,28 @@
+<def-group>
+ <definition class="compliance"
+ id="dovecot_enable_ssl" version="1">
+ <metadata>
+ <title>Enable SSL in Dovecot</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <!-- <reference ref_id="CCE:TODO" source="CCE" /> -->
+ <description>SSL capabilities should be enabled for the mail server.</description>
+ </metadata>
+ <criteria comment="Enable SSL in Dovecot">
+ <criterion test_ref="test_dovecot_enable_ssl" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests the value of the ssl[\s]*(<:nocomment:>*) setting in the /etc/dovecot.conf file"
+ id="test_dovecot_enable_ssl" version="1">
+ <ind:object object_ref="obj_dovecot_enable_ssl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_dovecot_enable_ssl"
+ version="1">
+ ind:path/etc/dovecot/conf.d</ind:path>
+ ind:filename10-ssl.conf</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*ssl[\s]*=[\s]*yes\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml b/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml
deleted file mode 100644
index d1569ea..0000000
--- a/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml
+++ /dev/null
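Review bot: The pattern `^[\s]*ssl[\s]*=[\s]*yes\s*$` fails a host that is hardened beyond this rule, because Dovecot 2.x (the `conf.d` layout the object targets) also accepts `ssl = required`, which refuses non-TLS sessions outright instead of merely offering STARTTLS; the stricter value should pass, so use `^\s*ssl\s*=\s*(yes|required)\s*$`. As with any single-file grep of Dovecot's merged configuration, a later `ssl = no` in another included file still wins at runtime, which deserves a comment on the test. The `comment=` attribute still cites `/etc/dovecot.conf` while the object reads `/etc/dovecot/conf.d/10-ssl.conf`; make them agree. The `<reference>` is commented out as `CCE:TODO`, so the definition ships without a CCE.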
@@ -1,28 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="dovecot_login_process_per_conn_yes" version="1">
- <metadata>
- <title>Enable login_process_per_connection in Dovecot</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <reference ref_id="CCE-4410-7" source="CCE" />
- <description>login_process_per_connection should be enabled.</description>
- </metadata>
- <criteria comment="Enable login_process_per_connection in Dovecot">
- <criterion test_ref="test_dovecot_login_process_per_conn_yes" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the login_process_per_connection[\s]*(<:nocomment:>*) setting in the /etc/dovecot.conf file"
- id="test_dovecot_login_process_per_conn_yes" version="1">
- <ind:object object_ref="obj_dovecot_login_process_per_conn_yes" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_dovecot_login_process_per_conn_yes"
- version="1">
- ind:path/etc</ind:path>
- ind:filenamedovecot.conf</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*login_process_per_connection[\s]*=[\s]*yes\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml b/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
deleted file mode 100644
index edb721a..0000000
--- a/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="dovecot_mail_drop_priv_before_exec_yes" version="1">
- <metadata>
- <title>Enable login_process_per_connection in Dovecot</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <reference ref_id="CCE-4410-7" source="CCE" />
- <description>login_process_per_connection should be enabled.</description>
- </metadata>
- <criteria comment="Enable login_process_per_connection in Dovecot">
- <criterion test_ref="test_dovecot_mail_drop_priv_before_exec_yes" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the mail_drop_priv_before_exec[\s]*(<:nocomment:>*) setting in the /etc/dovecot.conf file"
- id="test_dovecot_mail_drop_priv_before_exec_yes" version="1">
- <ind:object object_ref="obj_dovecot_mail_drop_priv_before_exec_yes" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_dovecot_mail_drop_priv_before_exec_yes"
- version="1">
- ind:path/etc</ind:path>
- ind:filenamedovecot.conf</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*mail_drop_priv_before_exec[\s]*=[\s]*yes\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/rhel6/src/input/services/imap.xml b/rhel6/src/input/services/imap.xml
index cb6c644..96a43a9 100644
--- a/rhel6/src/input/services/imap.xml
+++ b/rhel6/src/input/services/imap.xml
@@ -53,7 +53,7 @@ the recommendations below.
 <title>Support Only the Necessary Protocols</title> <description>Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server
-to support only the protocols needed by your site. Edit <tt>/etc/dovecot.conf</tt>.
+to support only the protocols needed by your site. Edit <tt>/etc/dovecot/dovecot.conf</tt>.
 Add or correct the following lines, replacing <tt>PROTOCOL</tt> with only the subset of protocols (<tt>imap</tt>, <tt>imaps</tt>, <tt>pop3</tt>, <tt>pop3s</tt>) required:
@@ -76,7 +76,7 @@ to base an attack.</rationale>
 <!-- <oval id="dovecot_support_necessary_protocols" /> --> </Rule>
-<Group id="dovecot_enable_ssl">
+<Group id="dovecot_enabling_ssl">
 <title>Enable SSL Support</title> <description>SSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot
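Review bot: The first hunk moves the file reference to the Dovecot 2.x location `/etc/dovecot/dovecot.conf` but leaves the unchanged context telling admins to put `imaps`/`pop3s` into `protocols`; in Dovecot 2.x those are no longer accepted `protocols` values (doveconf warns and ignores them, as far as I recall), and SSL-only service is selected in `conf.d/10-master.conf` instead, e.g. `service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } }`. The rule text and its `<pre>` block should be rewritten for 2.x in the same change that moves the path, otherwise the guide documents a knob that does not exist on the target platform. The second hunk is only the group-id rename. The rest of the `dovecot_support_necessary_protocols` rule lies outside this hunk.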
@@ -87,17 +87,33 @@ to authenticate the server, preventing another system from
 impersonating the server. </description>
+<Rule id="dovecot_enable_ssl">
+<title>Enable the SSL flag in <tt>/etc/dovecot.conf</tt></title>
+<description>To allow clients to make encrypted connections the <tt>ssl</tt>
+flag in Dovecot's configuration file needs to be set to <tt>yes</tt>.
+<br /><br />
+Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following line:
+<pre>ssl = yes</pre>
+</description>
+<rationale>
+SSL encrypt network traffic between the Dovecot server and its clients
+protecting user credentials, mail as it is downloaded, and clients may use
+SSL certificates to authenticate the server, preventing another system from
+impersonating the server.
+</rationale>
+<!-- <ident cce="4239-0" /> -->
+<oval id="dovecot_enable_ssl" />
+</Rule>
+
 <Rule id="dovecot_configure_ssl_cert">
-<title>Configure Dovecot to Use the SSL Certificate</title>
-<description>These options tell Dovecot where to find the TLS
-configuration, allowing clients to make encrypted connections.
+<title>Configure Dovecot to Use the SSL Certificate file</title>
+<description>This option tell Dovecot where to find the the mail
+server's SSL Certificate.
 <br /><br />
-Edit <tt>/etc/dovecot.conf</tt> and add or correct the following
-lines (ensuring they reference the appropriate files):
-<pre>ssl_cert_file = /etc/pki/tls/imap/servercert.pem
-ssl_key_file = /etc/pki/tls/imap/serverkey.pem
-ssl_ca_file = /etc/pki/tls/CA/cacert.pem
-</pre>
+Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following
+line. The path below is the default path set by the Dovecot installation. If
+you are using a different path, ensure you reference the appropriate file:
+<pre>ssl_cert = </etc/pki/dovecot/certs/dovecot.pem</pre>
 </description> <rationale> SSL certificates are used by the client to authenticate the identity
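Review bot: `<pre>ssl_cert = </etc/pki/dovecot/certs/dovecot.pem</pre>` on the last added line puts a raw `<` into XCCDF element content; unless that is an `&lt;` the mail archive rendered back, the file is no longer well-formed (`</etc` is parsed as an end tag) and must read `ssl_cert = &lt;/etc/pki/dovecot/certs/dovecot.pem`. The new rule's title `Enable the SSL flag in <tt>/etc/dovecot.conf</tt>` names a different file than its body (`/etc/dovecot/conf.d/10-ssl.conf`); use the same path in both. The description should also say that `ssl = yes` still accepts cleartext sessions on 143/110 and that `ssl = required` is the value that forces TLS, so readers do not mistake this rule for one that eliminates plaintext. The rationale should read `SSL encrypts network traffic between the Dovecot server and its clients, protecting ...`.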
@@ -106,14 +122,35 @@ Not using SSL to encrypt mail server traffic could allow unauthorized
 access to credentials and mail messages since they are sent in plain text over the network. </rationale>
-<!-- <ident cce="4239-0" /> -->
+<!-- <ident cce="CCD:TODO" /> -->
 <!-- <oval id="dovecot_configure_ssl_cert" /> --> </Rule>
+<Rule id="dovecot_configure_ssl_key">
+<title>Configure Dovecot to Use the SSL Key file</title>
+<description>This option tell Dovecot where to find the the mail
+server's SSL Key.
+<br /><br />
+Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following
+line. The path below is the default path set by the Dovecot installation. If
+you are using a different path, ensure you reference the appropriate file:
+<pre>ssl_key = </etc/pki/dovecot/private/dovecot.pem</pre>
+</description>
+<rationale>
+SSL certificates are used by the client to authenticate the identity
+of the server, as well as to encrypt credentials and message traffic.
+Not using SSL to encrypt mail server traffic could allow unauthorized
+access to credentials and mail messages since they are sent in plain
+text over the network.
+</rationale>
+<!-- <ident cce="CCE:TODO" /> -->
+<!-- <oval id="dovecot_configure_ssl_key" /> -->
+</Rule>
+
 <Rule id="dovecot_disable_plaintext_auth"> <title>Disable Plaintext Authentication</title> <description>To prevent Dovecot from attempting plaintext
-authentication of clients, edit <tt>/etc/dovecot.conf</tt> and add
+authentication of clients, edit <tt>/etc/dovecot/conf.d/10-auth.conf</tt> and add
 or correct the following line: <pre>disable_plaintext_auth = yes</pre> </description>
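Review bot: The new `dovecot_configure_ssl_key` rule names `/etc/pki/dovecot/private/dovecot.pem` but says nothing about protecting it; a key readable by anyone other than root (Dovecot loads it before dropping privileges) lets an attacker impersonate the server or decrypt recorded sessions that used non-forward-secret ciphers, so the description should require `root:root` ownership and mode `0600`, ideally backed by a companion file-permission check. The install-default pair is presumably a package-generated self-signed certificate, so the certificate rule should also state that it has to be replaced with a CA-issued one for the rationale's server-authentication claim to hold. `<pre>ssl_key = </etc/pki/dovecot/private/dovecot.pem</pre>` has the same raw `<` that must be `&lt;` unless the archive un-escaped it, and the rationale is copied from the certificate rule and never mentions the key. `<!-- <ident cce="CCD:TODO" /> -->` is a typo for `CCE:TODO`, and with both `<oval>` references commented out neither rule is machine-checkable yet.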
@@ -125,72 +162,7 @@ attacker access to credentials by monitoring network traffic.
 <oval id="dovecot_disable_plaintext_auth" /> </Rule>
-</Group> <!-- <Group id="dovecot_enable_ssl" -->
-
-<Group id="dovecot_enable_code_flaw_protect">
-<title>Enable Dovecot Options to Protect Against Code Flaws</title>
-<description>IMAP and POP3 are remote authenticated protocols, meaning that
-the server must accept remote connections from anyone, but provide substantial
-services only to clients who have successfully authenticated. To protect
-against security problems, Dovecot splits these functions into separate
-server processes. The <tt>imap-login</tt> and/or <tt>pop3-login</tt>
-processes accept connections from unauthenticated users, and only spawn
-<tt>imap</tt> or <tt>pop3</tt> processes on successful authentication.
-<br /><br />
-However, the <tt>imap-login</tt> and <tt>pop3-login</tt> processes
-themselves may contain vulnerabilities. Since each of these processes
-operates as a daemon, handling multiple sequential client connections
-from different users, bugs in the code could allow unauthenticated users
-to steal credential data. If the <tt>login_process_per_connection</tt> option
-is enabled, then a separate <tt>imap-login</tt> or <tt>pop3-login</tt>
-process is created for each new connection, protecting against this class
-of problems. This option has an efficiency cost, but is strongly recommended.
-<br /><br />
-If the <tt>mail_drop_priv_before_exec</tt> option is on, the <tt>imap-login</tt>
-or <tt>pop3-login</tt> process will drop privileges to the user’s ID after
-authentication and before executing the <tt>imap</tt> or <tt>pop3</tt>
-process itself. Under some very limited circumstances, this could protect
-against privilege escalation by authenticated users. However, if the
-mail executable option is used to run code before starting each user’s session,
-it is important to drop privileges to prevent the custom code from running as root.
-</description>
-
-<Rule id="dovecot_login_process_per_conn_yes">
-<title>login_process_per_connection set to yes</title>
-<description>Setting <tt>login_process_per_connection = yes</tt>, prevents
-possible bugs in the code from allowing unauthenticated users to steal
-credential data when handling multiple sequential client connections
-from different users by creating a separate <tt>imap-login</tt> or
-<tt>pop3-login</tt> process for each new connection.
-<br /><br />
-Edit <tt>/etc/dovecot.conf</tt> and add or correct the following line:
-<pre>login_process_per_connection = yes</pre>
-</description>
-<rationale>
-This setting could protect against an attacker trying to exploit a bug in
-the dovecot code.</rationale>
-<ident cce="4410-7" />
-<oval id="dovecot_login_process_per_conn_yes" />
-</Rule>
-
-<Rule id="dovecot_mail_drop_priv_before_exec_yes">
-<title>mail_drop_priv_before_exec set to yes</title>
-<description>Setting <tt>mail_drop_priv_before_exec = yes</tt>, causes
-the <tt>imap-login</tt> or <tt>pop3-login</tt> process will drop
-privileges to the user’s ID after authentication and before executing
-the <tt>imap</tt> or <tt>pop3</tt> process itself.
-<br /><br />
-Edit <tt>/etc/dovecot.conf</tt> and add or correct the following line:
-<pre>mail_drop_priv_before_exec = yes</pre>
-</description>
-<rationale>
-This setting could protect against privilege escalation by authenticated
-users.</rationale>
-<ident cce="4371-1" />
-<oval id="dovecot_mail_drop_priv_before_exec_yes" />
-</Rule>
-
-</Group> <!-- <Group id="dovecot_enable_code_flaw_protect"> -->
+</Group> <!-- <Group id="dovecot_enabing_ssl" -->
 <Group id="dovecot_allow_imap_access"> <title>Allow IMAP Clients to Access the Server</title>
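Review bot: Removing the `dovecot_enable_code_flaw_protect` group drops all coverage of login-process isolation without adding the Dovecot 2.x replacement: `login_process_per_connection = yes` became `service imap-login { service_count = 1 }` (and the same for `pop3-login`) in `conf.d/10-master.conf`, which I believe is the 2.x default but is routinely set to `0` for throughput, so a replacement rule plus OVAL check is warranted instead of a silent deletion, and CCE `4410-7`/`4371-1` are now orphaned. If `mail_drop_priv_before_exec` genuinely has no 2.x counterpart, the commit message should record that rather than leave readers to infer it. The closing comment on the single added line says `dovecot_enabing_ssl` while the group id introduced earlier in this patch is `dovecot_enabling_ssl`; fix the typo. This hunk starts on the previous line and the `dovecot_allow_imap_access` group continues past its end.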
I ACK this (along with the earlier Dovecot patches, which this patch further amends). Please try to push all together, or commit and push as a single, consolidated, tested patch.
Thanks.
On 04/26/2012 02:49 PM, Willy Santos wrote:
Signed-off-by: Willy Santos wsantos@redhat.com
.../checks/dovecot_disable_plaintext_auth.xml | 4 +- rhel6/src/input/checks/dovecot_enable_ssl.xml | 28 ++++ .../checks/dovecot_login_process_per_conn_yes.xml | 28 ---- .../dovecot_mail_drop_priv_before_exec_yes.xml | 28 ---- rhel6/src/input/services/imap.xml | 130 ++++++++------------ 5 files changed, 81 insertions(+), 137 deletions(-) create mode 100644 rhel6/src/input/checks/dovecot_enable_ssl.xml delete mode 100644 rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml delete mode 100644 rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
diff --git a/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml b/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml index ecc4795..e755ce4 100644 --- a/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml +++ b/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml @@ -20,8 +20,8 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_dovecot_disable_plaintext_auth" version="1">
- ind:path/etc</ind:path>
- ind:filenamedovecot.conf</ind:filename>
- ind:path/etc/dovecot/conf.d</ind:path>
- ind:filename10-auth.conf</ind:filename> <ind:pattern operation="pattern
match">^[\s]*disable_plaintext_auth[\s]*=[\s]*yes\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> diff --git a/rhel6/src/input/checks/dovecot_enable_ssl.xml b/rhel6/src/input/checks/dovecot_enable_ssl.xml new file mode 100644 index 0000000..8a9c62c --- /dev/null +++ b/rhel6/src/input/checks/dovecot_enable_ssl.xml @@ -0,0 +1,28 @@ +<def-group>
- <definition class="compliance"
- id="dovecot_enable_ssl" version="1">
<metadata>
<title>Enable SSL in Dovecot</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<!-- <reference ref_id="CCE:TODO" source="CCE" /> -->
<description>SSL capabilities should be enabled for the mail
server.</description>
</metadata>
<criteria comment="Enable SSL in Dovecot">
<criterion test_ref="test_dovecot_enable_ssl" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the ssl[\s]*(<:nocomment:>*)
setting in the /etc/dovecot.conf file"
- id="test_dovecot_enable_ssl" version="1">
- <ind:object object_ref="obj_dovecot_enable_ssl" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_dovecot_enable_ssl"
- version="1">
- ind:path/etc/dovecot/conf.d</ind:path>
- ind:filename10-ssl.conf</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*ssl[\s]*=[\s]*yes\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
+</def-group> diff --git a/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml b/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml deleted file mode 100644 index d1569ea..0000000 --- a/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml +++ /dev/null @@ -1,28 +0,0 @@ -<def-group>
- <definition class="compliance"
- id="dovecot_login_process_per_conn_yes" version="1">
<metadata>
<title>Enable login_process_per_connection in Dovecot</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="CCE-4410-7" source="CCE" />
<description>login_process_per_connection should be
enabled.</description>
</metadata>
<criteria comment="Enable login_process_per_connection in Dovecot">
<criterion test_ref="test_dovecot_login_process_per_conn_yes" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the
login_process_per_connection[\s]*(<:nocomment:>*) setting in the /etc/dovecot.conf file"
- id="test_dovecot_login_process_per_conn_yes" version="1">
- <ind:object object_ref="obj_dovecot_login_process_per_conn_yes" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="obj_dovecot_login_process_per_conn_yes"
- version="1">
- ind:path/etc</ind:path>
- ind:filenamedovecot.conf</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*login_process_per_connection[\s]*=[\s]*yes\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group> diff --git a/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml b/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml deleted file mode 100644 index edb721a..0000000 --- a/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml +++ /dev/null @@ -1,28 +0,0 @@ -<def-group>
- <definition class="compliance"
- id="dovecot_mail_drop_priv_before_exec_yes" version="1">
<metadata>
<title>Enable login_process_per_connection in Dovecot</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="CCE-4410-7" source="CCE" />
<description>login_process_per_connection should be
enabled.</description>
</metadata>
<criteria comment="Enable login_process_per_connection in Dovecot">
<criterion test_ref="test_dovecot_mail_drop_priv_before_exec_yes" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the
mail_drop_priv_before_exec[\s]*(<:nocomment:>*) setting in the /etc/dovecot.conf file"
- id="test_dovecot_mail_drop_priv_before_exec_yes" version="1">
- <ind:object object_ref="obj_dovecot_mail_drop_priv_before_exec_yes" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="obj_dovecot_mail_drop_priv_before_exec_yes"
- version="1">
- ind:path/etc</ind:path>
- ind:filenamedovecot.conf</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*mail_drop_priv_before_exec[\s]*=[\s]*yes\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group> diff --git a/rhel6/src/input/services/imap.xml b/rhel6/src/input/services/imap.xml index cb6c644..96a43a9 100644 --- a/rhel6/src/input/services/imap.xml +++ b/rhel6/src/input/services/imap.xml @@ -53,7 +53,7 @@ the recommendations below.
<title>Support Only the Necessary Protocols</title> <description>Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server -to support only the protocols needed by your site. Edit <tt>/etc/dovecot.conf</tt>. +to support only the protocols needed by your site. Edit <tt>/etc/dovecot/dovecot.conf</tt>. Add or correct the following lines, replacing <tt>PROTOCOL</tt> with only the subset of protocols (<tt>imap</tt>, <tt>imaps</tt>, <tt>pop3</tt>, <tt>pop3s</tt>) required: @@ -76,7 +76,7 @@ to base an attack.</rationale> <!-- <oval id="dovecot_support_necessary_protocols" /> --> </Rule> -<Group id="dovecot_enable_ssl"> +<Group id="dovecot_enabling_ssl"> <title>Enable SSL Support</title> <description>SSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot 
@@ -87,17 +87,33 @@ to authenticate the server, preventing another system from impersonating the server. </description> +<Rule id="dovecot_enable_ssl"> +<title>Enable the SSL flag in <tt>/etc/dovecot.conf</tt></title> +<description>To allow clients to make encrypted connections the <tt>ssl</tt> +flag in Dovecot's configuration file needs to be set to <tt>yes</tt>. +<br /><br /> +Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following line: +<pre>ssl = yes</pre> +</description> +<rationale> +SSL encrypt network traffic between the Dovecot server and its clients +protecting user credentials, mail as it is downloaded, and clients may use +SSL certificates to authenticate the server, preventing another system from +impersonating the server. +</rationale> +<!-- <ident cce="4239-0" /> --> +<oval id="dovecot_enable_ssl" /> +</Rule> + <Rule id="dovecot_configure_ssl_cert"> -<title>Configure Dovecot to Use the SSL Certificate</title> -<description>These options tell Dovecot where to find the TLS -configuration, allowing clients to make encrypted connections. +<title>Configure Dovecot to Use the SSL Certificate file</title> +<description>This option tell Dovecot where to find the the mail +server's SSL Certificate. <br /><br /> -Edit <tt>/etc/dovecot.conf</tt> and add or correct the following -lines (ensuring they reference the appropriate files): -<pre>ssl_cert_file = /etc/pki/tls/imap/servercert.pem -ssl_key_file = /etc/pki/tls/imap/serverkey.pem -ssl_ca_file = /etc/pki/tls/CA/cacert.pem -</pre> +Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following +line. The path below is the default path set by the Dovecot installation. If +you are using a different path, ensure you reference the appropriate file: +<pre>ssl_cert = </etc/pki/dovecot/certs/dovecot.pem</pre> </description> <rationale> SSL certificates are used by the client to authenticate the identity 
@@ -106,14 +122,35 @@ Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. </rationale> -<!-- <ident cce="4239-0" /> --> +<!-- <ident cce="CCD:TODO" /> --> <!-- <oval id="dovecot_configure_ssl_cert" /> --> </Rule> +<Rule id="dovecot_configure_ssl_key"> +<title>Configure Dovecot to Use the SSL Key file</title> +<description>This option tell Dovecot where to find the the mail +server's SSL Key. +<br /><br /> +Edit <tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following +line. The path below is the default path set by the Dovecot installation. If +you are using a different path, ensure you reference the appropriate file: +<pre>ssl_key = </etc/pki/dovecot/private/dovecot.pem</pre> +</description> +<rationale> +SSL certificates are used by the client to authenticate the identity +of the server, as well as to encrypt credentials and message traffic. +Not using SSL to encrypt mail server traffic could allow unauthorized +access to credentials and mail messages since they are sent in plain +text over the network. +</rationale> +<!-- <ident cce="CCE:TODO" /> --> +<!-- <oval id="dovecot_configure_ssl_key" /> --> +</Rule> + <Rule id="dovecot_disable_plaintext_auth"> <title>Disable Plaintext Authentication</title> <description>To prevent Dovecot from attempting plaintext -authentication of clients, edit <tt>/etc/dovecot.conf</tt> and add +authentication of clients, edit <tt>/etc/dovecot/conf.d/10-auth.conf</tt> and add or correct the following line: <pre>disable_plaintext_auth = yes</pre> </description> 
@@ -125,72 +162,7 @@ attacker access to credentials by monitoring network traffic. <oval id="dovecot_disable_plaintext_auth" /> </Rule> -</Group> <!-- <Group id="dovecot_enable_ssl" --> - -<Group id="dovecot_enable_code_flaw_protect"> -<title>Enable Dovecot Options to Protect Against Code Flaws</title> -<description>IMAP and POP3 are remote authenticated protocols, meaning that -the server must accept remote connections from anyone, but provide substantial -services only to clients who have successfully authenticated. To protect -against security problems, Dovecot splits these functions into separate -server processes. The <tt>imap-login</tt> and/or <tt>pop3-login</tt> -processes accept connections from unauthenticated users, and only spawn -<tt>imap</tt> or <tt>pop3</tt> processes on successful authentication. -<br /><br /> -However, the <tt>imap-login</tt> and <tt>pop3-login</tt> processes -themselves may contain vulnerabilities. Since each of these processes -operates as a daemon, handling multiple sequential client connections -from different users, bugs in the code could allow unauthenticated users -to steal credential data. If the <tt>login_process_per_connection</tt> option -is enabled, then a separate <tt>imap-login</tt> or <tt>pop3-login</tt> -process is created for each new connection, protecting against this class -of problems. This option has an efficiency cost, but is strongly recommended. -<br /><br /> -If the <tt>mail_drop_priv_before_exec</tt> option is on, the <tt>imap-login</tt> -or <tt>pop3-login</tt> process will drop privileges to the user’s ID after -authentication and before executing the <tt>imap</tt> or <tt>pop3</tt> -process itself. Under some very limited circumstances, this could protect -against privilege escalation by authenticated users. However, if the -mail executable option is used to run code before starting each user’s session, -it is important to drop privileges to prevent the custom code from running as root. 
-</description> - -<Rule id="dovecot_login_process_per_conn_yes"> -<title>login_process_per_connection set to yes</title> -<description>Setting <tt>login_process_per_connection = yes</tt>, prevents -possible bugs in the code from allowing unauthenticated users to steal -credential data when handling multiple sequential client connections -from different users by creating a separate <tt>imap-login</tt> or -<tt>pop3-login</tt> process for each new connection. -<br /><br /> -Edit <tt>/etc/dovecot.conf</tt> and add or correct the following line: -<pre>login_process_per_connection = yes</pre> -</description> -<rationale> -This setting could protect against an attacker trying to exploit a bug in -the dovecot code.</rationale> -<ident cce="4410-7" /> -<oval id="dovecot_login_process_per_conn_yes" /> -</Rule> - -<Rule id="dovecot_mail_drop_priv_before_exec_yes"> -<title>mail_drop_priv_before_exec set to yes</title> -<description>Setting <tt>mail_drop_priv_before_exec = yes</tt>, causes -the <tt>imap-login</tt> or <tt>pop3-login</tt> process will drop -privileges to the user’s ID after authentication and before executing -the <tt>imap</tt> or <tt>pop3</tt> process itself. -<br /><br /> -Edit <tt>/etc/dovecot.conf</tt> and add or correct the following line: -<pre>mail_drop_priv_before_exec = yes</pre> -</description> -<rationale> -This setting could protect against privilege escalation by authenticated -users.</rationale> -<ident cce="4371-1" /> -<oval id="dovecot_mail_drop_priv_before_exec_yes" /> -</Rule> - -</Group> <!-- <Group id="dovecot_enable_code_flaw_protect"> --> +</Group> <!-- <Group id="dovecot_enabing_ssl" --> <Group id="dovecot_allow_imap_access"> <title>Allow IMAP Clients to Access the Server</title>
Pushed.
-Willy
On 05/15/2012 05:18 PM, Jeffrey Blank wrote:
I ACK this (along with the earlier Dovecot patches, which this patch patches). Please try to push all together, or commit and push as a single, consolidated, tested patch.
Thanks.
On 04/26/2012 02:49 PM, Willy Santos wrote:
Signed-off-by: Willy Santoswsantos@redhat.com
.../checks/dovecot_disable_plaintext_auth.xml | 4 +- rhel6/src/input/checks/dovecot_enable_ssl.xml | 28 ++++ .../checks/dovecot_login_process_per_conn_yes.xml | 28 ---- .../dovecot_mail_drop_priv_before_exec_yes.xml | 28 ---- rhel6/src/input/services/imap.xml | 130 ++++++++------------ 5 files changed, 81 insertions(+), 137 deletions(-) create mode 100644 rhel6/src/input/checks/dovecot_enable_ssl.xml delete mode 100644 rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml delete mode 100644 rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
diff --git a/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml b/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml index ecc4795..e755ce4 100644 --- a/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml +++ b/rhel6/src/input/checks/dovecot_disable_plaintext_auth.xml @@ -20,8 +20,8 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_dovecot_disable_plaintext_auth" version="1"> -ind:path/etc</ind:path> -ind:filenamedovecot.conf</ind:filename> +ind:path/etc/dovecot/conf.d</ind:path> +ind:filename10-auth.conf</ind:filename> <ind:pattern operation="pattern match">^[\s]*disable_plaintext_auth[\s]*=[\s]*yes\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> diff --git a/rhel6/src/input/checks/dovecot_enable_ssl.xml b/rhel6/src/input/checks/dovecot_enable_ssl.xml new file mode 100644 index 0000000..8a9c62c --- /dev/null +++ b/rhel6/src/input/checks/dovecot_enable_ssl.xml @@ -0,0 +1,28 @@ +<def-group> +<definition class="compliance"
- id="dovecot_enable_ssl" version="1">
+<metadata> +<title>Enable SSL in Dovecot</title> +<affected family="unix"> +<platform>Red Hat Enterprise Linux 6</platform> +</affected> +<!--<reference ref_id="CCE:TODO" source="CCE" /> --> +<description>SSL capabilities should be enabled for the mail server.</description> +</metadata> +<criteria comment="Enable SSL in Dovecot"> +<criterion test_ref="test_dovecot_enable_ssl" /> +</criteria> +</definition> +<ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the ssl[\s]*(<:nocomment:>*)
setting in the /etc/dovecot.conf file"
- id="test_dovecot_enable_ssl" version="1">
+<ind:object object_ref="obj_dovecot_enable_ssl" /> +</ind:textfilecontent54_test> +<ind:textfilecontent54_object id="obj_dovecot_enable_ssl"
- version="1">
+ind:path/etc/dovecot/conf.d</ind:path> +ind:filename10-ssl.conf</ind:filename> +<ind:pattern operation="pattern match">^[\s]*ssl[\s]*=[\s]*yes\s*$</ind:pattern> +<ind:instance datatype="int">1</ind:instance> +</ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml b/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml deleted file mode 100644 index d1569ea..0000000 --- a/rhel6/src/input/checks/dovecot_login_process_per_conn_yes.xml +++ /dev/null @@ -1,28 +0,0 @@ -<def-group> -<definition class="compliance"
- id="dovecot_login_process_per_conn_yes" version="1">
-<metadata>
-<title>Enable login_process_per_connection in Dovecot</title>
-<affected family="unix">
-<platform>Red Hat Enterprise Linux 6</platform>
-</affected>
-<reference ref_id="CCE-4410-7" source="CCE" />
-<description>login_process_per_connection should be enabled.</description>
-</metadata>
-<criteria comment="Enable login_process_per_connection in Dovecot">
-<criterion test_ref="test_dovecot_login_process_per_conn_yes" />
-</criteria>
-</definition>
-<ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the
login_process_per_connection[\s]*(<:nocomment:>*) setting in the /etc/dovecot.conf file"
- id="test_dovecot_login_process_per_conn_yes" version="1">
-<ind:object object_ref="obj_dovecot_login_process_per_conn_yes" />
-</ind:textfilecontent54_test>
-<ind:textfilecontent54_object id="obj_dovecot_login_process_per_conn_yes"
- version="1">
-ind:path/etc</ind:path>
-ind:filenamedovecot.conf</ind:filename>
-<ind:pattern operation="pattern match">^[\s]*login_process_per_connection[\s]*=[\s]*yes\s*$</ind:pattern>
-<ind:instance datatype="int">1</ind:instance>
-</ind:textfilecontent54_object>
-</def-group>
diff --git a/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml b/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
deleted file mode 100644
index edb721a..0000000
--- a/rhel6/src/input/checks/dovecot_mail_drop_priv_before_exec_yes.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<def-group>
-<definition class="compliance"
- id="dovecot_mail_drop_priv_before_exec_yes" version="1">
-<metadata>
-<title>Enable login_process_per_connection in Dovecot</title>
-<affected family="unix">
-<platform>Red Hat Enterprise Linux 6</platform>
-</affected>
-<reference ref_id="CCE-4410-7" source="CCE" />
-<description>login_process_per_connection should be enabled.</description>
-</metadata>
-<criteria comment="Enable login_process_per_connection in Dovecot">
-<criterion test_ref="test_dovecot_mail_drop_priv_before_exec_yes" />
-</criteria>
-</definition>
-<ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the
mail_drop_priv_before_exec[\s]*(<:nocomment:>*) setting in the /etc/dovecot.conf file"
- id="test_dovecot_mail_drop_priv_before_exec_yes" version="1">
-<ind:object object_ref="obj_dovecot_mail_drop_priv_before_exec_yes" />
-</ind:textfilecontent54_test>
-<ind:textfilecontent54_object id="obj_dovecot_mail_drop_priv_before_exec_yes"
- version="1">
-ind:path/etc</ind:path>
-ind:filenamedovecot.conf</ind:filename>
-<ind:pattern operation="pattern match">^[\s]*mail_drop_priv_before_exec[\s]*=[\s]*yes\s*$</ind:pattern>
-<ind:instance datatype="int">1</ind:instance>
-</ind:textfilecontent54_object>
-</def-group>
diff --git a/rhel6/src/input/services/imap.xml b/rhel6/src/input/services/imap.xml
index cb6c644..96a43a9 100644
--- a/rhel6/src/input/services/imap.xml
+++ b/rhel6/src/input/services/imap.xml
@@ -53,7 +53,7 @@ the recommendations below.
<title>Support Only the Necessary Protocols</title> <description>Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server -to support only the protocols needed by your site. Edit <tt>/etc/dovecot.conf</tt>. +to support only the protocols needed by your site. Edit<tt>/etc/dovecot/dovecot.conf</tt>. Add or correct the following lines, replacing<tt>PROTOCOL</tt> with only the subset of protocols (<tt>imap</tt>,<tt>imaps</tt>,<tt>pop3</tt>, <tt>pop3s</tt>) required: @@ -76,7 +76,7 @@ to base an attack.</rationale> <!--<oval id="dovecot_support_necessary_protocols" /> --> </Rule> -<Group id="dovecot_enable_ssl"> +<Group id="dovecot_enabling_ssl"> <title>Enable SSL Support</title> <description>SSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot 
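Review bot: The edited line now points at the Dovecot 2.x layout (`/etc/dovecot/dovecot.conf`), but the unchanged instruction right below it still tells the reader to pick from `imap`, `imaps`, `pop3`, `pop3s`; as far as I know `imaps` and `pop3s` are not accepted protocol names in 2.x (the `protocols` setting takes `imap`, `pop3` and `lmtp`, and the SSL listeners are enabled separately in `conf.d/10-master.conf`), so the text would steer an admin toward a value the server rejects. If the target really is the v2 configuration the new path implies, the PROTOCOL list and the `<pre>` example that follows should be updated in the same change. The Rule body continues outside this hunk.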
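Review bot: Renaming the Group from `dovecot_enable_ssl` to `dovecot_enabling_ssl` to free the id for the new Rule changes a public XCCDF identifier; any profile or tailoring file that selects the group by its old id will silently stop matching, and the closing-tag comment added in the last hunk spells the new id `dovecot_enabing_ssl`, which will mislead anyone searching for the pair. Consider keeping the Group id and giving the Rule a distinct one, e.g. `<Rule id="dovecot_enable_ssl_flag">`, or at least grep the profiles for the old id in the same commit. Profile files are not part of this diff, so the breakage is possible rather than confirmed.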
@@ -87,17 +87,33 @@ to authenticate the server, preventing another system from impersonating the server. </description> +<Rule id="dovecot_enable_ssl"> +<title>Enable the SSL flag in<tt>/etc/dovecot.conf</tt></title> +<description>To allow clients to make encrypted connections the <tt>ssl</tt> +flag in Dovecot's configuration file needs to be set to<tt>yes</tt>. +<br /><br /> +Edit<tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following line: +<pre>ssl = yes</pre> +</description> +<rationale> +SSL encrypt network traffic between the Dovecot server and its clients +protecting user credentials, mail as it is downloaded, and clients may use +SSL certificates to authenticate the server, preventing another system from +impersonating the server. +</rationale> +<!--<ident cce="4239-0" /> --> +<oval id="dovecot_enable_ssl" /> +</Rule> + <Rule id="dovecot_configure_ssl_cert"> -<title>Configure Dovecot to Use the SSL Certificate</title> -<description>These options tell Dovecot where to find the TLS -configuration, allowing clients to make encrypted connections. +<title>Configure Dovecot to Use the SSL Certificate file</title> +<description>This option tell Dovecot where to find the the mail +server's SSL Certificate. <br /><br /> -Edit<tt>/etc/dovecot.conf</tt> and add or correct the following -lines (ensuring they reference the appropriate files): -<pre>ssl_cert_file = /etc/pki/tls/imap/servercert.pem -ssl_key_file = /etc/pki/tls/imap/serverkey.pem -ssl_ca_file = /etc/pki/tls/CA/cacert.pem -</pre> +Edit<tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following +line. The path below is the default path set by the Dovecot installation. If +you are using a different path, ensure you reference the appropriate file: +<pre>ssl_cert =</etc/pki/dovecot/certs/dovecot.pem</pre> </description> <rationale> SSL certificates are used by the client to authenticate the identity 
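Review bot: `<pre>ssl_cert =</etc/pki/dovecot/certs/dovecot.pem</pre>` carries a bare `<` in element text (Dovecot's read-from-file prefix); if the source holds the literal character rather than `&lt;`, the XCCDF input is not well-formed XML and the build will choke on it, and the `ssl_key` line in the next hunk has the same problem. Write it as `<pre>ssl_cert = &lt;/etc/pki/dovecot/certs/dovecot.pem</pre>` (the rendered page does not let me tell whether it is already escaped). The new Rule's title still says `/etc/dovecot.conf` while its description edits `/etc/dovecot/conf.d/10-ssl.conf`; the title should name the same file or drop the path. The rationale and description also have grammar slips (`SSL encrypt`, `This option tell`, `the the`). The cert Rule's `<rationale>` continues outside the hunk.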
@@ -106,14 +122,35 @@ Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. </rationale> -<!--<ident cce="4239-0" /> --> +<!--<ident cce="CCD:TODO" /> --> <!--<oval id="dovecot_configure_ssl_cert" /> --> </Rule> +<Rule id="dovecot_configure_ssl_key"> +<title>Configure Dovecot to Use the SSL Key file</title> +<description>This option tell Dovecot where to find the the mail +server's SSL Key. +<br /><br /> +Edit<tt>/etc/dovecot/conf.d/10-ssl.conf</tt> and add or correct the following +line. The path below is the default path set by the Dovecot installation. If +you are using a different path, ensure you reference the appropriate file: +<pre>ssl_key =</etc/pki/dovecot/private/dovecot.pem</pre> +</description> +<rationale> +SSL certificates are used by the client to authenticate the identity +of the server, as well as to encrypt credentials and message traffic. +Not using SSL to encrypt mail server traffic could allow unauthorized +access to credentials and mail messages since they are sent in plain +text over the network. +</rationale> +<!--<ident cce="CCE:TODO" /> --> +<!--<oval id="dovecot_configure_ssl_key" /> --> +</Rule> + <Rule id="dovecot_disable_plaintext_auth"> <title>Disable Plaintext Authentication</title> <description>To prevent Dovecot from attempting plaintext -authentication of clients, edit<tt>/etc/dovecot.conf</tt> and add +authentication of clients, edit <tt>/etc/dovecot/conf.d/10-auth.conf</tt> and add or correct the following line: <pre>disable_plaintext_auth = yes</pre> </description> 
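Review bot: The commented ident on the cert Rule now reads `<!--<ident cce="CCD:TODO" /> -->` while the new key Rule uses `CCE:TODO`; the former looks like a typo and will be missed by whoever later searches for outstanding CCE placeholders. The `dovecot_configure_ssl_key` rationale is a verbatim copy of the certificate rationale; a key-specific sentence would serve better, e.g. `The private key is what proves the server's identity to clients; it should exist only at the configured path and be readable by root alone, since anyone able to read it can impersonate the server.` The `ssl_key = </etc/pki/dovecot/private/dovecot.pem` example has the same unescaped `<` question raised on the previous hunk.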
@@ -125,72 +162,7 @@ attacker access to credentials by monitoring network traffic. <oval id="dovecot_disable_plaintext_auth" /> </Rule> -</Group> <!--<Group id="dovecot_enable_ssl" --> - -<Group id="dovecot_enable_code_flaw_protect"> -<title>Enable Dovecot Options to Protect Against Code Flaws</title> -<description>IMAP and POP3 are remote authenticated protocols, meaning that -the server must accept remote connections from anyone, but provide substantial -services only to clients who have successfully authenticated. To protect -against security problems, Dovecot splits these functions into separate -server processes. The<tt>imap-login</tt> and/or<tt>pop3-login</tt> -processes accept connections from unauthenticated users, and only spawn -<tt>imap</tt> or<tt>pop3</tt> processes on successful authentication. -<br /><br /> -However, the<tt>imap-login</tt> and<tt>pop3-login</tt> processes -themselves may contain vulnerabilities. Since each of these processes -operates as a daemon, handling multiple sequential client connections -from different users, bugs in the code could allow unauthenticated users -to steal credential data. If the <tt>login_process_per_connection</tt> option -is enabled, then a separate<tt>imap-login</tt> or<tt>pop3-login</tt> -process is created for each new connection, protecting against this class -of problems. This option has an efficiency cost, but is strongly recommended. -<br /><br /> -If the<tt>mail_drop_priv_before_exec</tt> option is on, the <tt>imap-login</tt> -or<tt>pop3-login</tt> process will drop privileges to the user’s ID after -authentication and before executing the <tt>imap</tt> or<tt>pop3</tt> -process itself. Under some very limited circumstances, this could protect -against privilege escalation by authenticated users. However, if the -mail executable option is used to run code before starting each user’s session, -it is important to drop privileges to prevent the custom code from running as root. 
-</description> - -<Rule id="dovecot_login_process_per_conn_yes"> -<title>login_process_per_connection set to yes</title> -<description>Setting<tt>login_process_per_connection = yes</tt>, prevents -possible bugs in the code from allowing unauthenticated users to steal -credential data when handling multiple sequential client connections -from different users by creating a separate<tt>imap-login</tt> or -<tt>pop3-login</tt> process for each new connection. -<br /><br /> -Edit<tt>/etc/dovecot.conf</tt> and add or correct the following line: -<pre>login_process_per_connection = yes</pre> -</description> -<rationale> -This setting could protect against an attacker trying to exploit a bug in -the dovecot code.</rationale> -<ident cce="4410-7" /> -<oval id="dovecot_login_process_per_conn_yes" /> -</Rule> - -<Rule id="dovecot_mail_drop_priv_before_exec_yes"> -<title>mail_drop_priv_before_exec set to yes</title> -<description>Setting<tt>mail_drop_priv_before_exec = yes</tt>, causes -the<tt>imap-login</tt> or<tt>pop3-login</tt> process will drop -privileges to the user’s ID after authentication and before executing -the<tt>imap</tt> or<tt>pop3</tt> process itself. -<br /><br /> -Edit<tt>/etc/dovecot.conf</tt> and add or correct the following line: -<pre>mail_drop_priv_before_exec = yes</pre> -</description> -<rationale> -This setting could protect against privilege escalation by authenticated -users.</rationale> -<ident cce="4371-1" /> -<oval id="dovecot_mail_drop_priv_before_exec_yes" /> -</Rule> - -</Group> <!--<Group id="dovecot_enable_code_flaw_protect"> --> +</Group> <!--<Group id="dovecot_enabing_ssl" --> <Group id="dovecot_allow_imap_access"> <title>Allow IMAP Clients to Access the Server</title>
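Review bot: The closing comment `<!--<Group id="dovecot_enabing_ssl" -->` misspells the Group id set earlier in this diff (`dovecot_enabling_ssl`); make it `</Group> <!-- Group id="dovecot_enabling_ssl" -->` so the open/close pair can be grepped. The hunk also drops the whole code-flaw-protection Group with its two Rules and their assigned idents (`4410-7`, `4371-1`) without a replacement; if the reason is the move to Dovecot 2.x, where `login_process_per_connection` and `mail_drop_priv_before_exec` no longer exist, the 2.x equivalent of the first one — `service_count = 1` in the `imap-login` and `pop3-login` `service` blocks of `conf.d/10-master.conf`, which likewise gives each connection its own login process — could be carried over as a new Rule so the guidance and the CCE mapping are not lost. As it stands the commit reads as a silent removal of hardening guidance, and the description should at least say why.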