SRG requires no .forward files. I currently do some data processing
on
automated emails via procmail configured in .forward in a dedicated
user. What is the best practice for configuring such?
In another career, I configured procmail as a mail delivery agent, thus avoiding
the .forward file entirely. Doing so introduces other problems so use at your own risk.
Regarding why the .forward file ban was not included in SSG, in
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-rh...
there is the comment "The security argument is not apparent or salient." Do you
see the "no .forward files" requirement as impacting confidentiality, integrity,
or availability? The description from the RHEL5 STIG in the above link indicates it
potentially impacts confidentiality and availability. Are those indications sufficient
for addition to the SSG, perhaps with a low severity? Would "forward_path =
/dev/null" in /etc/postfix/main.cf be an adequate solution?
In a similar vein, should there be a "sendmail must not be installed" rule? ;-)
Thanks,
Leland
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, llc
717-267-5797 (DSN 570)
leland.j.steinke.ctr(a)mail.mil (gov't)
lsteinke(a)tapestrytech.com (com'l)