← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the postqueue command

audit-cmd-postqueue · RHEL ≥ 8 · 1 impl

Description

All uses of the postqueue command must be audited. The postqueue command provides queue management for the Postfix mail system.

Rationale

Auditing postqueue command usage allows detection of mail queue operations that could be used to hide data exfiltration.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281137 / RHEL-10-500510V-258200 / RHEL-09-654130V-230428

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#postfix#mail