RHEL-07-030770 - The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and 'unset' in the same way.

Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172

Solution

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the 'postqueue' command occur.

Add or update the following rule in '/etc/audit/rules.d/audit.rules':

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix

The audit daemon must be restarted for the changes to take effect.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R9_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000135, CCI|CCI-002884, Rule-ID|SV-204555r861062_rule, STIG-ID|RHEL-07-030770, STIG-Legacy|SV-86801, STIG-Legacy|V-72177, Vuln-ID|V-204555

Plugin: Unix

Control ID: c6257eda7f708e0ad417604c696bbc07bae84324785ba1a2515bc6135c88cd13