Uninstall Sendmail Package

An XCCDF Rule

Description

Sendmail is not the default mail transfer agent and is not installed by default. The sendmail package can be removed with the following command:

$ apt-get remove sendmail

Rationale

The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

ID: xccdf_org.ssgproject.content_rule_package_sendmail_removed
Severity: Medium
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

CCI-000381

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.IP-1 PR.PT-3

SRG-OS-000095-GPOS-00049 SRG-OS-000480-GPOS-00227

R62
Updated: about 1 month ago

Remediation Templates

- name: Ensure sendmail is removed
  package:
    name: sendmail
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_sendmail_removed

include remove_sendmail
class remove_sendmail {
  package { 'sendmail':
    ensure => 'purged',
  }
}

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# CAUTION: This remediation script will remove sendmail
#	   from the system, and may remove any packages
#	   that depend on sendmail. Execute this
#	   remediation AFTER testing on a non-production#	   system!

DEBIAN_FRONTEND=noninteractive apt-get remove -y "sendmail"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Uninstall Sendmail Package

Description

Rationale

Remediation Templates

An Ansible Snippet

A Puppet Snippet

A Shell Script