GEN004370 - The aliases file must be group-owned by root, sys, bin, or system - '/etc/postfix/aliases.db'

Information

If the alias file is not group-owned by root or a system group, an unauthorized user may modify the file adding aliases to run malicious code or redirect e-mail.

Solution

Change the group-owner of the /etc/aliases file.

Procedure:
for sendmail:
# chgrp root /etc/aliases
# chgrp smmsp /etc/aliases.db

The aliases.db file must be owned by the same system group as sendmail, which is smmsp by default.

for postfix
# chgrp root /etc/postfix/aliases
# chgrp root /etc/postfix/aliases.db

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CAT|II, CCI|CCI-000225, Group-ID|V-22438, Rule-ID|SV-37473r2_rule, STIG-ID|GEN004370, Vuln-ID|V-22438

Plugin: Unix

Control ID: 991f960d76ec369c0dfc87985f2ab48269d093e735e32eb25b579bfe45ed844d