author | Pavel Moravec <pmoravec@redhat.com> | 2021-01-11 12:03:50 +0100 |
committer | Jake Hunsaker <jhunsake@redhat.com> | 2021-01-19 11:44:16 -0500 |
commit | 9b459d58e7c5a1388ef53e4aab195d59a8f751e3 (patch) | |
tree | ed1ebe84a27ebd4ab162c788e7cbdc0a912d5bc2 | |
parent | 486a7918934041306bae8ccc11da2196e8f4c9bb (diff) | |
download | sos-9b459d58e7c5a1388ef53e4aab195d59a8f751e3.tar.gz |
[postfix] forbid collecting SSL keys files declared in main.cf
Collecting the whole /etc/postfix directory, we might collect some SSL key files placed
in it. Traverse main.cf to identify all such potential
files, which we must add to the forbidden paths.
Resolves: #2362
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
-rw-r--r-- | sos/report/plugins/postfix.py | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/sos/report/plugins/postfix.py b/sos/report/plugins/postfix.py index 4e404808..8f584430 100644 --- a/sos/report/plugins/postfix.py +++ b/sos/report/plugins/postfix.py @@ -17,6 +17,41 @@ class Postfix(Plugin): packages = ('postfix',) + def forbidden_ssl_keys_files(self): + # list of attributes defining a location of a SSL key file + # we must forbid from collection + forbid_attributes = [ + "lmtp_tls_dkey_file", + "lmtp_tls_eckey_file", + "lmtp_tls_key_file", + "smtp_tls_dkey_file", + "smtp_tls_eckey_file", + "smtp_tls_key_file", + "smtpd_tls_dkey_file", + "smtpd_tls_eckey_file", + "smtpd_tls_key_file", + "tls_legacy_public_key_fingerprints", + "tlsproxy_tls_dkey_file", + "tlsproxy_tls_eckey_file", + "tlsproxy_tls_key_file", + "smtpd_tls_dh1024_param_file", + "smtpd_tls_dh512_param_file", + "tlsproxy_tls_dh1024_param_file", + "tlsproxy_tls_dh512_param_file", + ] + fp = [] + try: + with open('/etc/postfix/main.cf', 'r') as cffile: + for line in cffile.readlines(): + # ignore comments and take the first word after '=' + if line.startswith('#'): + continue + words = line.split('=') + if words[0].strip() in forbid_attributes: + fp.append(words[1].split()[0]) + finally: + return fp + def setup(self): self.add_copy_spec([ "/etc/postfix/", @@ -31,6 +66,7 @@ class Postfix(Plugin): "/etc/postfix/*.crt", "/etc/postfix/ssl/", ]) + self.add_forbidden_path(self.forbidden_ssl_keys_files()) class RedHatPostfix(Postfix, RedHatPlugin): |
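Review bot: The `finally: return fp` in forbidden_ssl_keys_files swallows every exception, not only a missing main.cf, so an `IndexError` from `words[1].split()[0]` on a parameter with an empty value (`smtpd_tls_key_file =`) silently ends the scan and returns only the paths found so far — a key file declared later in main.cf is then no longer excluded from the collection. Catch the expected `IOError` explicitly, guard the empty value, and use `split('=', 1)` so a value containing `=` is not truncated; the rewritten loop is below. Values using Postfix variables such as `$config_directory/...` or split over continuation lines are, as far as I can tell, still taken verbatim by this parser, so a comment stating that limitation would help the next reader: `# NOTE: values are used verbatim; $variable references and continuation lines are not expanded`. `tls_legacy_public_key_fingerprints` also looks like a yes/no parameter rather than a key-file path, so it is probably a stray entry in forbid_attributes.
```python
    def forbidden_ssl_keys_files(self):
        # … unchanged: forbid_attributes list …
        fp = []
        try:
            with open('/etc/postfix/main.cf', 'r') as cffile:
                for line in cffile:
                    # ignore comments and take the first word after '='
                    if line.startswith('#'):
                        continue
                    words = line.split('=', 1)
                    if len(words) < 2 or words[0].strip() not in forbid_attributes:
                        continue
                    value = words[1].split()
                    # an empty value has no path to forbid; skip it rather
                    # than abort the whole scan
                    if value:
                        fp.append(value[0])
        except IOError:
            # main.cf missing or unreadable: nothing to forbid
            pass
        return fp
```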