Vulnerability Discussion

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory meaning that accounts could be unlocked by a nonadministrator.

Check

Note: If the system does not have SELinux enabled and enforcing, a targeted policy, or if the pam_faillock module is not configured for use, this requirement is Not Applicable.

Verify the location of the nondefault tally directory for the pam_faillock module with the following command:

$ grep "dir =" /etc/security/faillock.conf

dir = /var/log/faillock

Check the security context type of the nondefault tally directory with the following command:

$ ls -Zd /var/log/faillock

system_u:object_r:faillog_t:s0 /var/log/faillock

If the security context type of the nondefault tally directory is not "faillog_t", this is a finding.

Fix

Configure AlmaLinux OS 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy.

Create a nondefault faillock tally directory (if it does not already exist) using the following command:

$ mkdir /var/log/faillock

Update the /etc/selinux/targeted/contexts/files/file_contexts.local file with the "faillog_t" context type for the nondefault faillock tally directory using the following command:

$ semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"

Update the context type of the nondefault faillock directory and files within using the following command:

$ restorecon -RFv /var/log/faillock