STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018: Mail relaying must be restricted.

DISA Rule

SV-99173r1_rule

Vulnerability Number

V-88523

Group Title

SRG-OS-000096-GPOS-00050

Rule Version

VROM-SL-000535

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If SLES for vRealize does not need to receive mail from external hosts, add one or more "DaemonPortOptions" lines referencing system loopback addresses (such as "O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA") and remove lines containing non-loopback addresses.

# sed -i "s/O DaemonPortOptions=Name=MTA/O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA/" /etc/sendmail.cf

Restart the sendmail service:

# service sendmail restart

Check Contents

Determine if Sendmail only binds to loopback addresses by examining the "DaemonPortOptions" configuration options.

# grep -i "O DaemonPortOptions" /etc/sendmail.cf

If there are uncommented "DaemonPortOptions" lines, and all such lines specify system loopback addresses, this is not a finding.

Otherwise, determine if "Sendmail" is configured to allow open relay operation.

# grep -i promiscuous_relay /etc/mail/sendmail.mc

If the promiscuous relay feature is enabled, this is a finding.
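
The check above as a script, an added example that is not part of the STIG text. The function names are hypothetical, and it assumes that 127.0.0.0/8, ::1 and "localhost" count as loopback and that "dnl" and "#" mark comments in sendmail.mc.

```shell
#!/bin/sh
# Added example (not STIG text). Function names are hypothetical.

# 0 if >=1 uncommented DaemonPortOptions line exists and all bind to loopback.
daemon_ports_loopback_only() {
    awk '
        tolower($0) ~ /^[ \t]*o[ \t]+daemonportoptions[ \t]*=/ {
            seen = 1; addr = ""; line = $0
            sub(/^[^=]*=/, "", line)            # drop "O DaemonPortOptions="
            n = split(line, kv, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", kv[i])
                if (tolower(kv[i]) ~ /^addr=/) addr = substr(kv[i], 6)
            }
            # Assumption: 127.0.0.0/8, ::1 and "localhost" count as loopback.
            # A line with no Addr= listens on every interface.
            if (addr !~ /^(127\.[0-9.]+|::1|localhost)$/) bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    ' "$1"
}

# 0 if FEATURE(promiscuous_relay) is active; "dnl" and "#" comment it out.
promiscuous_relay_enabled() {
    sed -e 's/dnl.*//' -e '/^[[:space:]]*#/d' "$1" |
        grep -qi 'FEATURE(.*promiscuous_relay'
}

# Follows the check order on the page: listeners first, then relay feature.
audit_mail_relay() {
    cf=${1:-/etc/sendmail.cf} mc=${2:-/etc/mail/sendmail.mc}
    [ -r "$cf" ] && [ -r "$mc" ] || { echo "cannot read $cf or $mc"; return 2; }
    if daemon_ports_loopback_only "$cf"; then
        echo "not a finding: all DaemonPortOptions lines are loopback"; return 0
    fi
    if promiscuous_relay_enabled "$mc"; then
        echo "finding: promiscuous_relay is enabled"; return 1
    fi
    echo "non-loopback listener, promiscuous_relay not enabled"; return 0
}
# Usage: audit_mail_relay [sendmail.cf] [sendmail.mc]
```

Unlike the plain grep commands, the script ignores commented-out lines, so a disabled "promiscuous_relay" entry or a commented loopback listener does not change the result.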

Documentable

False

Check Content Reference

M

Target Key

3461
