AlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory.

An XCCDF Rule

Description

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory meaning that accounts could be unlocked by a nonadministrator.

ID: SV-269155r1050037_rule
Version: ALMA-09-008380
Severity: Medium
References: CCI-002238
Updated: about 2 months ago

Remediation Templates

Configure AlmaLinux OS 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy.

Create a nondefault faillock tally directory (if it does not already exist) using the following command:

$ mkdir /var/log/faillock
Update the /etc/selinux/targeted/contexts/files/file_contexts.local file with the "faillog_t" context type for the nondefault faillock tally directory using the following command:

$ semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"

Update the context type of the nondefault faillock directory and files within using the following command:

$ restorecon -RFv /var/log/faillock

AlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory.

Description

Remediation Templates

A Manual Procedure