Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22442 | GEN004510 | SV-37503r3_rule | Medium |
Description |
---|
If the SMTP service log file has an extended ACL, unauthorized users may be allowed to access or to modify the log file. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 5 Security Technical Implementation Guide | 2016-06-01 |
Check Text ( C-36160r4_chk ) |
---|
Depending on what system is used for log processing, either /etc/syslog.conf or /etc/rsyslog.conf will be the logging configuration file. Examine /etc/syslog.conf or /etc/rsyslog.conf and determine the log file(s) receiving logs for "mail.crit", "mail.debug", mail.*, or "*.crit". Procedure: This check is applicable to both Postfix and sendmail servers. Check the permissions on these log files.Identify any log files configured for "*.crit" and the "mail" service (excluding mail.none) and at any severity level. For syslog: # egrep "(\*.crit|mail\.[^n][^/]*)" /etc/syslog.conf|sed 's/^[^/]*//'|xargs ls -lL For rsyslog: # egrep "(\*.crit|mail\.[^n][^/]*)" /etc/rsyslog.conf|sed 's/^[^/]*//'|xargs ls -lL If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the ISSO, this is a finding. |
Fix Text (F-31411r1_fix) |
---|
This fix is applicable to both Postfix and sendmail servers. Remove the extended ACL from the file. # setfacl --remove-all |