Detections
Analytics
RHEL-09-431020 - RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.
Information
Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.Solution
Configure RHEL 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy.First enable the feature using the following command:
$ sudo authselect enable-feature with-faillock
Create a nondefault faillock tally directory (if it does not already exist) with the following example:
$ sudo mkdir /var/log/faillock
Then add/modify the "/etc/security/faillock.conf" file to match the following line:
dir = /var/log/faillock
Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the nondefault faillock tally directory with the following command:
$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"
Next, update the context type of the nondefault faillock directory/subdirectories and files with the following command:
$ sudo restorecon -R -v /var/log/faillock
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R8_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 9 STIG v2r8
Category: ACCESS CONTROL
References: 800-53|AC-7a., CAT|II, CCI|CCI-000044, Rule-ID|SV-258080r1045162_rule, STIG-ID|RHEL-09-431020, Vuln-ID|V-258080
Plugin: Unix
Control ID: b0158423d4590afdb6ec360ef52066ef6467a38133f336e404f58cb3985a62e9