← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the postdrop command

audit-cmd-postdrop · RHEL ≥ 8 · 1 impl

Description

All uses of the postdrop command must be audited. The postdrop command is used by the Postfix mail system for queue management.

Rationale

Auditing postdrop command usage allows detection of mail queue manipulation that could be used for data exfiltration.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281136 / RHEL-10-500500V-258199 / RHEL-09-654125V-230427

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#postfix#mail