mediumauditverified ✓rollback-safe
Audit uses of the postqueue command
audit-cmd-postqueue · RHEL ≥ 8 · 1 impl
Description
All uses of the postqueue command must be audited. The postqueue command provides queue management for the Postfix mail system.
Rationale
Auditing postqueue command usage allows detection of mail queue operations that could be used to hide data exfiltration.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281137 / RHEL-10-500510V-258200 / RHEL-09-654130V-230428
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#postfix#mail