An SELinux Context must be configured for default pam_tally2 file option

An XCCDF Rule

Description

The file configuration option in PAM pam_tally2.so module defines where to keep counts. Default is /var/log/tallylog. The configured directory must have the correct SELinux context.

Rationale

Not having the correct SELinux context on the pam_tally2.so file may lead to unauthorized access to the directory.

ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_file_selinux
Severity: Medium
References: CCI-000044

AC-7 (a)

SRG-OS-000021-GPOS-00005

SLEM-05-412030

SV-261366r996837_rule

CCE-94088-2
Updated: 18 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-94088-2
  - DISA-STIG-SLEM-05-412030  - NIST-800-53-AC-7 (a)
  - accounts_passwords_pam_tally2_file_selinux
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: An SELinux Context must be configured for default pam_tally2 file option -
    Set up SELinux context for /var/log/tallylog
  ansible.builtin.shell: |-
    if ! semanage fcontext -a -t faillog_t /var/log/tallylog; then
      semanage fcontext -m -t faillog_t /var/log/tallylog
    fi
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-94088-2
  - DISA-STIG-SLEM-05-412030
  - NIST-800-53-AC-7 (a)
  - accounts_passwords_pam_tally2_file_selinux
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: An SELinux Context must be configured for default pam_tally2 file option -
    Restore SELinux context on /var/log/tallylog
  ansible.builtin.command: restorecon -R -v /var/log/tallylog
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-94088-2
  - DISA-STIG-SLEM-05-412030
  - NIST-800-53-AC-7 (a)
  - accounts_passwords_pam_tally2_file_selinux
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

#!/bin/bash

if ! semanage fcontext -a -t faillog_t "/var/log/tallylog"; then    semanage fcontext -m -t faillog_t "/var/log/tallylog"
fi
restorecon -R -v "/var/log/tallylog"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

An SELinux Context must be configured for default pam_tally2 file option

Description

Rationale

Remediation - Ansible

Remediation - Shell Script