ComplianceAsCode · Mab879 · Apr 17, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
diff --git a/controls/hipaa.yml b/controls/hipaa.yml
@@ -50,7 +50,7 @@
    - id: 164.308(a)(1)(ii)(D)
      title: 'Information system activity review'
      description: |-
          Implement procedures to regularly review records of information system activity, such as audit logs, access
          reports, and security incident tracking reports.
      levels:
          - required
@@ -179,10 +179,10 @@

    - id: 164.308(a)(3)
      title: 'Workforce security'
      description: Implement policies and procedures to ensure that all members of its workforce have
          appropriate access to electronic protected health information, as provided under paragraph
          (a)(4) of this section, and to prevent those workforce members who do not have access under
          paragraph (a)(4) of this section from obtaining access to electronic protected health information.
      levels:
          - base
      rules:
@@ -204,7 +204,7 @@
    - id: 164.308(a)(3)(i)
      title: 'Standard: Workforce security'
      description: |-
          Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
      levels:
          - addressable
      rules:
@@ -215,8 +215,8 @@

    - id: 164.308(a)(3)(ii)(A)
      title: 'Authorization and/or supervision (Addressable)'
      description: 'Implement procedures for the authorization and/or supervision of workforce members
          who work with electronic protected health information or in locations where it might be accessed.'
      levels:
          - required
      rules:
@@ -514,8 +514,8 @@
    - id: 164.308(a)(6)(ii)
      title: 'Response and reporting'
      description: |-
          Identify and respond to suspected or known security incidents; mitigate, to the extent practicable,
          harmful effects of security incidents that are known to the covered entity or business associate; and
          document security incidents and their outcomes.
      levels:
          - required
@@ -1248,6 +1248,7 @@
           - auditd_data_retention_max_log_file_action
           - auditd_data_retention_max_log_file_action_stig
           - auditd_data_retention_space_left_action
+          - package_postfix_installed
           - package_rsyslog_installed
           - service_rsyslog_enabled
           - partition_for_var_log_audit

diff --git a/controls/pcidss_3.yml b/controls/pcidss_3.yml
@@ -2130,6 +2130,7 @@ controls:
           - auditd_data_retention_space_left
           - auditd_data_retention_admin_space_left_action
           - auditd_data_retention_action_mail_acct
+          - package_postfix_installed
 
     - id: Req-10.8
       title: 10.8 Ensure that security policies and operational procedures for monitoring all access

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -2967,6 +2967,7 @@ controls:
                 - auditd_data_retention_admin_space_left_action
                 - auditd_data_retention_space_left
                 - auditd_data_retention_space_left_action
+                - package_postfix_installed
                 - package_logrotate_installed
                 - timer_logrotate_enabled
             related_rules:

diff --git a/controls/srg_gpos/SRG-OS-000046-GPOS-00022.yml b/controls/srg_gpos/SRG-OS-000046-GPOS-00022.yml
@@ -5,6 +5,7 @@ controls:
         title: {{{ full_name }}} must alert the ISSO and SA (at a minimum) in the event
             of an audit processing failure.
         rules:
+            - package_postfix_installed
             - postfix_client_configure_mail_alias
             - postfix_client_configure_mail_alias_postmaster
             - var_postfix_root_mail_alias=mil_sysadmin

diff --git a/linux_os/guide/services/mail/package_postfix_installed/rule.yml b/linux_os/guide/services/mail/package_postfix_installed/rule.yml
@@ -15,6 +15,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-85983-5
     cce@rhel9: CCE-85984-3
+    cce@rhel10: CCE-86466-0
 
 references:
     srg: SRG-OS-000046-GPOS-00022

@@ -2621,8 +2621,11 @@ controls:
           - l2_workstation
       status: automated
       rules:
+          - auditd_data_retention_action_mail_acct
           - auditd_data_retention_admin_space_left_action
           - auditd_data_retention_space_left_action
+          - package_postfix_installed
+          - var_auditd_action_mail_acct=root
           - var_auditd_admin_space_left_action=cis_rhel10
           - var_auditd_space_left_action=cis_rhel10
 

@@ -2560,6 +2560,7 @@ controls:
           - auditd_data_retention_action_mail_acct
           - auditd_data_retention_admin_space_left_action
           - auditd_data_retention_space_left_action
+          - package_postfix_installed
           - var_auditd_action_mail_acct=root
           - var_auditd_admin_space_left_action=cis_rhel9
           - var_auditd_space_left_action=cis_rhel9

@@ -33,7 +33,6 @@ selections:
     - sudo_vdsm_nopasswd
     - ntpd_configure_restrictions
     - fapolicyd_prevent_home_folder_access
-    - package_postfix_installed
     - audit_privileged_commands_poweroff
     - accounts_password_pam_unix_rounds_password_auth
     - sudoers_no_root_target

@@ -95,6 +95,7 @@ selections:
     -  '!use_pam_wheel_for_su'
     -  use_pam_wheel_group_for_su
     -  var_pam_wheel_group_for_su=cis
+    - '!package_postfix_installed'
     # Following rules once had a prodtype incompatible with the sle12 product
     - '!set_firewalld_default_zone'
     - '!accounts_password_pam_dcredit'

@@ -17,6 +17,7 @@ selections:
     - sshd_approved_ciphers=cis_sle12
     - var_multiple_time_servers=suse
     - var_multiple_time_pools=suse
+    - '!package_postfix_installed'
 # Exclude from PCI DISS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_specify_multiple_servers'

@@ -27,7 +27,6 @@ selections:
     - sudo_vdsm_nopasswd
     - package_mcstrans_removed
     - fapolicyd_prevent_home_folder_access
-    - package_postfix_installed
     - accounts_password_pam_unix_rounds_password_auth
     - audit_privileged_commands_poweroff
     - configure_etc_hosts_deny

@@ -20,6 +20,7 @@ selections:
     - var_multiple_time_servers=suse
     - var_multiple_time_pools=suse
     - audit_rules_enable_syscall_auditing
+    - '!package_postfix_installed'
 # Exclude from PCI DISS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_specify_multiple_servers'

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86466-0
 CCE-86468-6
 CCE-86482-7
 CCE-86483-5

@@ -116,6 +116,7 @@ audit_rules_usergroup_modification_shadow
 audit_sudo_log_events
 auditd_data_disk_error_action
 auditd_data_disk_full_action
+auditd_data_retention_action_mail_acct
 auditd_data_retention_admin_space_left_action
 auditd_data_retention_max_log_file
 auditd_data_retention_max_log_file_action
@@ -336,6 +337,7 @@ package_net-snmp_removed
 package_nginx_removed
 package_openldap-clients_removed
 package_pam_pwquality_installed
+package_postfix_installed
 package_rsync_removed
 package_samba_removed
 package_setroubleshoot_removed
@@ -469,6 +471,7 @@ var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
 var_audit_backlog_limit=8192
+var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=cis_rhel10
 var_auditd_disk_error_action=cis_rhel10
 var_auditd_disk_full_action=cis_rhel10

@@ -116,6 +116,7 @@ audit_rules_usergroup_modification_shadow
 audit_sudo_log_events
 auditd_data_disk_error_action
 auditd_data_disk_full_action
+auditd_data_retention_action_mail_acct
 auditd_data_retention_admin_space_left_action
 auditd_data_retention_max_log_file
 auditd_data_retention_max_log_file_action
@@ -335,6 +336,7 @@ package_net-snmp_removed
 package_nginx_removed
 package_openldap-clients_removed
 package_pam_pwquality_installed
+package_postfix_installed
 package_rsync_removed
 package_samba_removed
 package_squid_removed
@@ -465,6 +467,7 @@ var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
 var_audit_backlog_limit=8192
+var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=cis_rhel10
 var_auditd_disk_error_action=cis_rhel10
 var_auditd_disk_full_action=cis_rhel10

@@ -118,6 +118,7 @@ no_direct_root_logins
 no_empty_passwords
 package_audit_installed
 package_cron_installed
+package_postfix_installed
 package_rsyslog_installed
 package_sequoia-sq_installed
 package_telnet-server_removed

@@ -189,6 +189,7 @@ package_libselinux_installed
 package_logrotate_installed
 package_net-snmp_removed
 package_nftables_installed
+package_postfix_installed
 package_sequoia-sq_installed
 package_sudo_installed
 package_telnet-server_removed

@@ -380,6 +380,7 @@ package_pcsc-lite-ccid_installed
 package_pcsc-lite_installed
 package_policycoreutils-python-utils_installed
 package_policycoreutils_installed
+package_postfix_installed
 package_rsyslog-gnutls_installed
 package_rsyslog_installed
 package_s-nail_installed

@@ -377,6 +377,7 @@ package_pcsc-lite-ccid_installed
 package_pcsc-lite_installed
 package_policycoreutils-python-utils_installed
 package_policycoreutils_installed
+package_postfix_installed
 package_rsyslog-gnutls_installed
 package_rsyslog_installed
 package_s-nail_installed

@@ -94,6 +94,7 @@ libreswan_approved_tunnels
 no_direct_root_logins
 no_empty_passwords
 no_rsh_trust_files
+package_postfix_installed
 package_telnet-server_removed
 package_telnet_removed
 package_xinetd_removed

@@ -190,6 +190,7 @@ package_libselinux_installed
 package_logrotate_installed
 package_net-snmp_removed
 package_nftables_installed
+package_postfix_installed
 package_sudo_installed
 package_telnet-server_removed
 package_telnet_removed

@@ -306,6 +306,7 @@ package_nftables_installed
 package_nginx_removed
 package_openldap-clients_removed
 package_pam_pwquality_installed
+package_postfix_installed
 package_rsync_removed
 package_samba_removed
 package_setroubleshoot_removed

@@ -305,6 +305,7 @@ package_nftables_installed
 package_nginx_removed
 package_openldap-clients_removed
 package_pam_pwquality_installed
+package_postfix_installed
 package_rsync_removed
 package_samba_removed
 package_squid_removed

@@ -93,6 +93,7 @@ no_direct_root_logins
 no_empty_passwords
 no_rsh_trust_files
 package_cron_installed
+package_postfix_installed
 package_telnet-server_removed
 package_telnet_removed
 require_singleuser_auth

@@ -188,6 +188,7 @@ package_libselinux_installed
 package_logrotate_installed
 package_net-snmp_removed
 package_nftables_installed
+package_postfix_installed
 package_sudo_installed
 package_telnet-server_removed
 package_telnet_removed