7.13. Sendmail

# Sendmail LIDS rules (using infinite inheritance for the sendmail
# children and delivery agents to work properly, but a lower inheritance
# like 2 or 3 would probably work as well.)

# Lock down /etc/mail if it's not already done elseware
/sbin/lidsconf -A -o /etc/mail -j READONLY

/sbin/lidsconf -A -o /usr/sbin/sendmail -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/shadow -j READONLY -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/passwd -j READONLY -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail   -j READONLY -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail/aliases   -j WRITE -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail/aliases.db   -j WRITE -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SETUID -j GRANT -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SETGID -j GRANT -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SYS_ADMIN -j GRANT -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_NET_BIND_SERVICE 25-25 -j GRANT -i -1

# Depending on how you have the log files secured
# (The maillog will normally get rotated out and this
# rule will stop working when that happens unless you
# stop the log rotation.)

/sbin/lidsconf -A -s /usr/sbin/sendmail -o /var/log/maillog -j APPEND -i -1