Check: RHEL-09-431020
RHEL 9 STIG:
RHEL-09-431020
(in versions v1 r3 through v1 r1)
Title
RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. (Cat II impact)
Discussion
Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.
Check Content
Verify the location of the nondefault tally directory for the pam_faillock module with the following command:

Note: If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is Not Applicable.

$ grep 'dir =' /etc/security/faillock.conf
dir = /var/log/faillock

Check the security context type of the nondefault tally directory with the following command:

$ ls -Zd /var/log/faillock
unconfined_u:object_r:faillog_t:s0 /var/log/faillock

If the security context type of the nondefault tally directory is not "faillog_t", this is a finding.
Fix Text
Configure RHEL 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy.

Create a nondefault faillock tally directory (if it does not already exist) with the following example:

$ sudo mkdir /var/log/faillock

Update /etc/selinux/targeted/contexts/files/file_contexts.local with the "faillog_t" context type for the nondefault faillock tally directory with the following command:

$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"

Next, update the context type of the nondefault faillock directory, its subdirectories, and its files with the following command:

$ sudo restorecon -R -v /var/log/faillock
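The check above can be automated by parsing the two command outputs it relies on. The following shell helper is an added example, not part of the STIG text: it reads the `dir =` setting from faillock.conf content and the SELinux type field from an `ls -Zd` line, so it can be exercised offline on constructed input; `check_live` wires it to the real files on a RHEL 9 host.

```shell
#!/bin/sh
# Added example for RHEL-09-431020 (not from the STIG): evaluate the check
# from captured data. Return codes: 0 = compliant, 1 = finding,
# 2 = no nondefault tally directory configured (nothing to check).

# Print the tally directory from faillock.conf text on stdin.
# Equivalent to: grep 'dir =' /etc/security/faillock.conf
# Commented-out lines are ignored; the last active assignment wins.
faillock_tally_dir() {
  awk -F= '/^[[:space:]]*dir[[:space:]]*=/ {
             gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); d = $2 }
           END { print d }'
}

# Print the SELinux type (third colon-separated field of the context)
# from a line such as "unconfined_u:object_r:faillog_t:s0 /var/log/faillock".
selinux_type_of() {
  printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# $1: faillock.conf content, $2: the 'ls -Zd <dir>' output line.
evaluate_faillock_context() {
  dir=$(printf '%s\n' "$1" | faillock_tally_dir)
  if [ -z "$dir" ]; then
    return 2
  fi
  type=$(selinux_type_of "$2")
  # The STIG requires exactly faillog_t on the nondefault directory.
  [ "$type" = "faillog_t" ]
}

# Live evaluation on a RHEL 9 host (not exercised offline).
check_live() {
  conf=$(cat /etc/security/faillock.conf) || return 2
  dir=$(printf '%s\n' "$conf" | faillock_tally_dir)
  [ -n "$dir" ] || return 2
  evaluate_faillock_context "$conf" "$(ls -Zd -- "$dir")"
}
```

A `semanage fcontext` rule without a following `restorecon` leaves the on-disk label unchanged, so the live check reads the actual label with `ls -Zd` rather than the policy database.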
Additional Identifiers
Rule ID: SV-258080r926227_rule
Vulnerability ID: V-258080
Group Title: SRG-OS-000021-GPOS-00005
Expert Comments
CCIs
Number | Definition
---|---
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts