RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.

STIG ID: RHEL-09-431020  |  SRG: SRG-OS-000021-GPOS-00005 |  Severity: medium |  CCI: CCI-000044 |  Vulnerability Id: V-258080 | 

Vulnerability Discussion

Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.

Check

Verify the location of the nondefault tally directory for the pam_faillock module with the following command:

Note: If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is Not Applicable.

$ grep 'dir =' /etc/security/faillock.conf

dir = /var/log/faillock

Check the security context type of the nondefault tally directory with the following command:

$ ls -Zd /var/log/faillock

unconfined_u:object_r:faillog_t:s0 /var/log/faillock

If the security context type of the nondefault tally directory is not "faillog_t", this is a finding.

Fix

Configure RHEL 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy.

Create a nondefault faillock tally directory (if it does not already exist) with the following example:

$ sudo mkdir /var/log/faillock

Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the nondefault faillock tally directory with the following command:

$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"

Next, update the context type of the nondefault faillock directory/subdirectories and files with the following command:

$ sudo restorecon -R -v /var/log/faillock