RHEL-10-700430 - RHEL 10 must configure SELinux context type to allow the use of a nondefault faillock tally directory.

Information

Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.

Solution

Configure RHEL 10 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy.

Enable the feature using the following command:

$ sudo authselect enable-feature with-faillock

Create a nondefault faillock tally directory (if it does not already exist) with the following example:

$ sudo mkdir /var/log/faillock

Add/modify the "/etc/security/faillock.conf" file to match the following line:

dir = /var/log/faillock

Update "/etc/selinux/targeted/contexts/files/file_contexts.local" with "faillog_t" context type for the nondefault faillock tally directory with the following command:

$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"

Update the context type of the nondefault faillock directory/subdirectories and files with the following command:

$ sudo restorecon -R -v /var/log/faillock
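A compliance check for the procedure above, added here as an example and not part of the STIG text. It assumes the "dir = <path>" syntax of faillock.conf, the pam_faillock default tally directory /var/run/faillock, and the user:role:type:level label format printed by "ls -dZ"; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: verify that a nondefault faillock tally directory is
# configured and that its SELinux type is faillog_t.

# faillock_dir <conf-file>: print the effective tally directory.
# pam_faillock falls back to /var/run/faillock when no "dir" line is set
# (the last "dir" line wins, as with the rest of faillock.conf).
faillock_dir() {
    dir=$(sed -n 's/^[[:space:]]*dir[[:space:]]*=[[:space:]]*//p' "$1" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${dir:-/var/run/faillock}"
}

# context_type <label>: extract the type field from an SELinux label
# such as "system_u:object_r:faillog_t:s0" (assumed four-field format).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_tally_dir <conf-file> <label-of-tally-dir>:
# returns 0 when a nondefault directory is set and labeled faillog_t,
# 1 (with a reason on stdout) otherwise.
check_tally_dir() {
    d=$(faillock_dir "$1")
    if [ "$d" = "/var/run/faillock" ]; then
        echo "finding: default tally directory in use ($d)"
        return 1
    fi
    t=$(context_type "$2")
    if [ "$t" != "faillog_t" ]; then
        echo "finding: $d is labeled $t, expected faillog_t"
        return 1
    fi
    echo "ok: $d is labeled faillog_t"
    return 0
}

# Constructed sample of /etc/security/faillock.conf for offline testing.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real host's configuration
deny = 3
dir = /var/log/faillock
EOF

# Live check on a RHEL 10 host (requires SELinux labels to be visible):
#   check_tally_dir /etc/security/faillock.conf \
#       "$(ls -dZ "$(faillock_dir /etc/security/faillock.conf)" | cut -d' ' -f1)"
```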

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_10_V1R1_STIG.zip