Detections
Analytics

1.301 RHEL-09-431020

Information

RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.

GROUP ID: V-258080
RULE ID: SV-258080r1045162

Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.

Solution

Configure RHEL 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy.

First enable the feature using the following command:

$ sudo authselect enable-feature with-faillock

Create a nondefault faillock tally directory (if it does not already exist) with the following example:

$ sudo mkdir /var/log/faillock

Then add/modify the "/etc/security/faillock.conf" file to match the following line:

dir = /var/log/faillock

Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the nondefault faillock tally directory with the following command:

$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"

Next, update the context type of the nondefault faillock directory/subdirectories and files with the following command:

$ sudo restorecon -R -v /var/log/faillock

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., CAT|II, CCI|CCI-000044, Rule-ID|SV-258080r1045162_rule, STIG-ID|RHEL-09-431020, Vuln-ID|V-258080

Plugin: Unix

Control ID: b33b07423fc6d6839b9a3345ee45d0b031e2a527e63729b5ee1f0cd73f7da90e