An SELinux Context must be configured for the pam_faillock.so records directory

An XCCDF Rule

Description

The dir configuration option in PAM pam_faillock.so module defines where the lockout records is stored. The configured directory must have the correct SELinux context.

Rationale

Not having the correct SELinux context on the pam_faillock.so records directory may lead to unauthorized access to the directory.

ID: xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
Severity: Medium
References: CCI-000044

AC-7 (a)

SRG-OS-000021-GPOS-00005

SV-250315r854079_rule SV-250316r854080_rule
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

#!/bin/bash

FAILLOCK_CONF_FILES="/etc/security/faillock.conf /etc/pam.d/system-auth /etc/pam.d/password-auth"faillock_dirs=$(grep -oP "^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)" $FAILLOCK_CONF_FILES \
               | sed -r 's/.*=\s*(\S+)/\1/')

if [ -n "$faillock_dirs" ]; then
    for dir in $faillock_dirs; do
        if ! semanage fcontext -a -t faillog_t "$dir(/.*)?"; then
            semanage fcontext -m -t faillog_t "$dir(/.*)?"
        fi
        if [ ! -e $dir ]; then
            mkdir -p $dir
        fi
        restorecon -R -v $dir
    done
else
echo "
The pam_faillock.so dir option is not set in the system.
If this is not expected, make sure pam_faillock.so is properly configured."
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

An SELinux Context must be configured for the pam_faillock.so records directory

Description

Rationale

Remediation - Shell Script