Security/Collab: Difference between revisions

(→‎Odds and Ends: add note on OS patches)
(added note on Cookies JSESSIONID and ZM_AUTH_TOKEN / bug 91298)
Line 16: Line 16:
Best practice dictates that you '''always stay up to date with vendor provided OS patches'''.  Also, be sure to follow OS recommended best practices when applying patches (e.g. restarting affected services, tools like '''needs-restarting''', '''needrestart''' and '''checkrestart''' may be helpful when trying to understand which processes are using files that were replaced by a patch). When in doubt about the status of a system after a patch, go ahead and '''reboot''' to ensure the patches take effect.
Best practice dictates that you '''always stay up to date with vendor provided OS patches'''.  Also, be sure to follow OS recommended best practices when applying patches (e.g. restarting affected services, tools like '''needs-restarting''', '''needrestart''' and '''checkrestart''' may be helpful when trying to understand which processes are using files that were replaced by a patch). When in doubt about the status of a system after a patch, go ahead and '''reboot''' to ensure the patches take effect.


=== The ZM_TEST cookie does not set the HttpOnly attribute, is this a problem? ===
=== Cookie ZM_TEST cookie is missing the '''HttpOnly''' attribute, is this a problem? ===
The ZM_TEST cookie in ZCS is used solely to determine if cookies are enabled a the browser.  There are no privileges associated with that cookie.  As such, there is no inherent risk with not having an HttpOnly attribute on this cookie.
The ZM_TEST cookie in ZCS is used solely to determine if cookies are enabled a the browser.  There are no privileges associated with that cookie.  As such, there is no inherent risk with not having an '''HttpOnly''' attribute on this cookie.
 
=== Cookies JSESSIONID and ZM_AUTH_TOKEN are missing the '''Secure''' attribute, why? ===
Typically this is an indication of one of the following (ref: [https://bugzilla.zimbra.com/show_bug.cgi?id=91298 bug 91298]):
* a configuration problem - '''zimbraReverseProxySSLToUpstreamEnabled''' has been set to '''FALSE''' instead of '''TRUE'''
* a site that is performing SSL/TLS offloading - consider adding the '''Secure''' attribute via the device that is performing the offloading

Revision as of 22:13, 18 January 2017

Security Pointers and Tidbits

The main jumping point for security is the Security Center.

Release Specific Settings

Odds and Ends

Here are a few questions that come up from time to time...

An OS Patch/Bug/Vulnerability was announced, is Zimbra affected?

Best practice dictates that you always stay up to date with vendor provided OS patches. Also, be sure to follow OS recommended best practices when applying patches (e.g. restarting affected services, tools like needs-restarting, needrestart and checkrestart may be helpful when trying to understand which processes are using files that were replaced by a patch). When in doubt about the status of a system after a patch, go ahead and reboot to ensure the patches take effect.

Cookie ZM_TEST cookie is missing the HttpOnly attribute, is this a problem?

The ZM_TEST cookie in ZCS is used solely to determine if cookies are enabled a the browser. There are no privileges associated with that cookie. As such, there is no inherent risk with not having an HttpOnly attribute on this cookie.

Cookies JSESSIONID and ZM_AUTH_TOKEN are missing the Secure attribute, why?

Typically this is an indication of one of the following (ref: bug 91298):

  • a configuration problem - zimbraReverseProxySSLToUpstreamEnabled has been set to FALSE instead of TRUE
  • a site that is performing SSL/TLS offloading - consider adding the Secure attribute via the device that is performing the offloading
Jump to: navigation, search