RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.

An XCCDF Rule

Description

Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.

ID: SV-258080r1045162_rule
Version: RHEL-09-431020
Severity: Medium
References: CCI-000044
Updated: about 2 months ago

Remediation Templates

Configure RHEL 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy. 

First enable the feature using the following command:
 
$ sudo authselect enable-feature with-faillock 
 Create a nondefault faillock tally directory (if it does not already exist) with the following example:

$ sudo mkdir /var/log/faillock

Then add/modify the "/etc/security/faillock.conf" file to match the following line:
 
dir = /var/log/faillock

Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the nondefault faillock tally directory with the following command:

$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"

Next, update the context type of the nondefault faillock directory/subdirectories and files with the following command:

$ sudo restorecon -R -v /var/log/faillock

RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.

Description

Remediation Templates

A Manual Procedure