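#!/bin/sh
# Sendmail LIDS rules.
#
# Every sendmail subject rule uses infinite inheritance (-i -1) so that the
# sendmail children and delivery agents work properly; a lower inheritance
# depth like 2 or 3 would probably work as well.
#
# Stop at the first lidsconf failure: this script applies READONLY rules
# first and capability GRANTs later, so continuing past a failed rule could
# leave the GRANTs in place without the restrictions that precede them.
set -eu

LIDSCONF=/sbin/lidsconf
SENDMAIL=/usr/sbin/sendmail

# Add one rule whose subject is the sendmail binary, with infinite
# inheritance appended. Remaining arguments are passed to lidsconf as-is
# (normally "-o <object> [port-range] -j <action>").
sendmail_rule() {
  "$LIDSCONF" -A -s "$SENDMAIL" "$@" -i -1
}

# Lock down /etc/mail and the sendmail binary if it's not already done
# elsewhere.
"$LIDSCONF" -A -o /etc/mail -j READONLY
"$LIDSCONF" -A -o "$SENDMAIL" -j READONLY

# Files sendmail may read.
# NOTE(review): this grants sendmail read access to /etc/shadow; confirm the
# MTA configuration on this host actually needs it before keeping the rule.
sendmail_rule -o /etc/shadow -j READONLY
sendmail_rule -o /etc/passwd -j READONLY
sendmail_rule -o /etc/mail -j READONLY

# Files sendmail may write (the aliases database is rebuilt by sendmail).
sendmail_rule -o /etc/mail/aliases -j WRITE
sendmail_rule -o /etc/mail/aliases.db -j WRITE

# Capabilities sendmail is allowed to use.
sendmail_rule -o CAP_SETUID -j GRANT
sendmail_rule -o CAP_SETGID -j GRANT
# NOTE(review): CAP_SYS_ADMIN is a very broad capability; confirm sendmail
# needs it on this host rather than one of the narrower capabilities.
sendmail_rule -o CAP_SYS_ADMIN -j GRANT
# Only the SMTP port (25) may be bound as a privileged port.
sendmail_rule -o CAP_NET_BIND_SERVICE 25-25 -j GRANT

# Depending on how you have the log files secured.
# (The maillog will normally get rotated out and this rule will stop
# working when that happens unless you stop the log rotation.)
sendmail_rule -o /var/log/maillog -j APPEND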