> Are those
> indications sufficient for addition to the SSG, perhaps with a low
> severity?

For the security discussion (non-compliance) portion, it's certainly
worth including as a discussion point (and making available as a Rule
for parties who may have specific use cases where this might really
matter).  For a baseline with a wide audience such as the STIG, I had
argued against inclusion.  But if you feel that there's value in
enforcing this as a compliance check (which is to say, that the security
benefits outweigh the costs as part of maintaining the baseline as well
as of enforcement itself), please say so and throw a patch up to the list.

And this is why I'm interested in participating in this community, because it is way easier to make good arguments for risk acceptance or avoidance when the provenance of the requirements is known. I'm with Jeffery on this one, but good luck getting this past anyone who is used to the old rules, or is simply applying the RHEL 5 profile to RHEL 6. Grr.

I'm also in favor of postfix, although we never did get the RHEL 5 CIS benchmark to recommend deprecation of sendmail.

Andrew