The sendmail server must have the debug feature disabled on AIX systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-215414	AIX7-00-003116	SV-215414r508663_rule		Medium

Description
Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sendmail service.

STIG	Date
IBM AIX 7.x Security Technical Implementation Guide	2022-06-06

Details

Check Text ( C-16612r294693_chk )
Check the version of "sendmail" installed on the system using: # echo \$Z \| /usr/sbin/sendmail -bt -d0 The above command should yield the following output: Version AIX7.2/8.14.4 Compiled with: DNSMAP LDAPMAP LDAP_REFERRALS LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB NIS NISPLUS PIPELINING SCANF USERDB USE_LDAP_INIT USE_TTYPATH XDEBUG If the "sendmail" reported version is less than "8.6", this is a finding.

Check Text ( C-16612r294693_chk )

Check the version of "sendmail" installed on the system using:
# echo \$Z | /usr/sbin/sendmail -bt -d0

The above command should yield the following output:
Version AIX7.2/8.14.4
Compiled with: DNSMAP LDAPMAP LDAP_REFERRALS LOG MAP_REGEX MATCHGECOS
MILTER MIME7TO8 MIME8TO7 NAMED_BIND NDBM NETINET NETINET6
NETUNIX NEWDB NIS NISPLUS PIPELINING SCANF USERDB USE_LDAP_INIT
USE_TTYPATH XDEBUG

If the "sendmail" reported version is less than "8.6", this is a finding.

Fix Text (F-16610r294694_fix)
Obtain and install a more recent version of "Sendmail", which does not implement the DEBUG feature.