GEN004370 - The aliases file must be group-owned by root, sys, bin, or system - '/etc/aliases.db'

Information

If the alias file is not group-owned by root or a system group, an unauthorized user may modify the file adding aliases to run malicious code or redirect e-mail.

Solution

Change the group-owner of the /etc/aliases file.

Procedure:
for sendmail:
# chgrp root /etc/aliases
# chgrp smmsp /etc/aliases.db

The aliases.db file must be owned by the same system group as sendmail, which is smmsp by default.

for postfix
# chgrp root /etc/postfix/aliases
# chgrp root /etc/postfix/aliases.db

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-6, 800-53|CM-5(6), CAT|II, CCI|CCI-000225, CCI|CCI-001499, Rule-ID|SV-218532r603259_rule, STIG-ID|GEN004370, STIG-Legacy|SV-63613, STIG-Legacy|V-22438, Vuln-ID|V-218532

Plugin: Unix

Control ID: 4e350248f65800cb3e88423e08119b2f6aaa08014a92c746b3ecc06408b28826