mediumauditverified ✓rollback-safe
Audit uses of the postdrop command
audit-cmd-postdrop · RHEL ≥ 8 · 1 impl
Description
All uses of the postdrop command must be audited. The postdrop command is used by the Postfix mail system for queue management.
Rationale
Auditing postdrop command usage allows detection of mail queue manipulation that could be used for data exfiltration.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281136 / RHEL-10-500500V-258199 / RHEL-09-654125V-230427
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#postfix#mail