The Sendmail server must have the debug feature disabled.


Overview

Finding ID: V-4690
Version: GEN004620
Rule ID: SV-4690r2_rule
IA Controls: ECSC-1
Severity: High
Description
Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sendmail service.
STIG Date
UNIX SRG 2013-03-26

Details

Check Text (C-652r3_chk)
Check for an enabled debug command provided by the SMTP service.

Procedure:
# telnet localhost 25
debug

If the command does not return a 500 error code (command unrecognized), this is a finding.

If telnet is unavailable for testing, check the version of sendmail installed on the system.

# echo \$Z | /usr/sbin/sendmail -bt -d0

If the version reported by sendmail is less than 8.6, this is a finding.
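
The verdict logic of both checks above, as an added example (not part of the STIG text) that runs on captured output rather than a live connection. The function names are hypothetical, the sample inputs are constructed, and the "Version 8.x.y" line in the `-d0` output is an assumption about its format.

```shell
#!/bin/sh
# Added example: verdict logic for the two checks above, run on captured output.

# First check: classify the server's reply to the "debug" command.
debug_reply_verdict() {
    reply=$(printf '%s' "$1" | tr -d '\r')          # SMTP lines end in CRLF
    case "$reply" in
        '')                echo inconclusive ;;     # nothing captured, retest
        500|"500 "*|500-*) echo not_a_finding ;;    # 500: command unrecognized
        *)                 echo finding ;;          # any other reply
    esac
}

# Second check: pull the version out of `sendmail -bt -d0` output on stdin.
# Assumption: the output carries a line of the form "Version 8.x.y".
extract_version() {
    sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare major.minor numerically against 8.6. A string comparison would
# wrongly rank 8.14 below 8.6.
version_verdict() {
    case "$1" in
        *.*) ;;
        *)   echo inconclusive; return ;;           # no major.minor to compare
    esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major.$minor" in
        .*|*.|*[!0-9.]*) echo inconclusive; return ;;
    esac
    if [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -lt 6 ]; }; then
        echo finding
    else
        echo not_a_finding
    fi
}

# Constructed sample inputs (not captured from a real host).
sample_reply='500 5.5.1 Command unrecognized: "debug"'
sample_output='Version 8.14.4
 Compiled with: (constructed sample)'

echo "debug reply: $(debug_reply_verdict "$sample_reply")"
ver=$(printf '%s\n' "$sample_output" | extract_version)
echo "version $ver: $(version_verdict "$ver")"
```

An "inconclusive" verdict means the input could not be evaluated and the check should be repeated by hand.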
Fix Text (F-4618r2_fix)
Obtain and install a more recent version of Sendmail, which does not implement the DEBUG feature.