The dir configuration option in PAM pam_faillock.so module defines where the lockout
records are stored. The configured directory must have the correct SELinux context.
Rationale
Not having the correct SELinux context on the pam_faillock.so records directory may lead to
unauthorized access to the directory.
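# Collect every "dir = <path>" value pam_faillock.so may honour, read from faillock.conf
# and from the PAM stacks that can override it; later tasks label each collected path.
- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Get directories from faillock
  ansible.builtin.shell: >-
    grep -oP '^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)' "{{ item }}"
    | sed -r 's/.*=\s*(\S+)/\1/'
  register: faillock_output
  # Read-only query: never report it as a change, and run it in check mode too so
  # the fact derived from it is available there.
  changed_when: false
  check_mode: false
  with_items:
    - /etc/security/faillock.conf
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy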
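# Merge the per-file grep output into one flat list of directories; repeats are
# dropped so a path declared in more than one file is only processed once.
- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Create a list directories from faillock
  ansible.builtin.set_fact:
    list_faillock_dir: >-
      {{ faillock_output.results | map(attribute='stdout_lines') | flatten | unique }}
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy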
# Make sure each configured records directory exists before it is labelled;
# the file module is idempotent, so an existing directory is left untouched.
- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Create directories for faillock
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - item | length > 0
  with_items: "{{ list_faillock_dir }}"
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
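# Register a file-context rule mapping the records directory (and everything below
# it) to faillog_t. "semanage -a" fails when a rule for the path already exists, in
# which case "-m" updates it in place.
- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Set up SELinux context for faillock
  # The path is taken from configuration-file content, so it is shell-quoted
  # with the quote filter instead of being interpolated bare into the command.
  ansible.builtin.shell: |-
    if ! semanage fcontext -a -t faillog_t {{ (item ~ '(/.*)?') | quote }}; then
      semanage fcontext -m -t faillog_t {{ (item ~ '(/.*)?') | quote }}
    fi
  with_items: "{{ list_faillock_dir }}"
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - item != ""
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy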
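# Apply the registered file-context rule to the directory tree on disk.
- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Restore SELinux context
  ansible.builtin.command: restorecon -R -v "{{ item }}"
  register: faillock_restorecon
  # restorecon -v prints a line for each file it relabels, so empty output means
  # the on-disk labels already matched the policy and nothing changed.
  changed_when: faillock_restorecon.stdout | length > 0
  with_items: "{{ list_faillock_dir }}"
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - item != ""
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy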
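# Tell the operator when no "dir" option was found at all: there is nothing to
# label, which is only correct if pam_faillock.so is intentionally left at defaults.
- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Verify pam_faillock.so configuration
  ansible.builtin.debug:
    # Block scalar, so no surrounding quote characters end up in the message
    # (the shell remediation prints the same text without them).
    msg: |-
      The pam_faillock.so dir option is not set in the system.
      If this is not expected, make sure pam_faillock.so is properly configured.
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - list_faillock_dir | length == 0
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy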
Remediation - Shell Script
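# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
#!/bin/bash
# Files in which pam_faillock.so may carry a "dir = <path>" option; the PAM stacks
# are included because a pam_faillock.so line there overrides faillock.conf.
# Left unquoted in the grep call on purpose so it word-splits into separate arguments.
FAILLOCK_CONF_FILES="/etc/security/faillock.conf /etc/pam.d/system-auth /etc/pam.d/password-auth"
# Keep only the value after "dir =", one path per line. The regex captures \S+ so a
# path can never contain whitespace, which is what makes the later word-split loop safe.
faillock_dirs=$(grep -oP "^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)" $FAILLOCK_CONF_FILES \
    | sed -r 's/.*=\s*(\S+)/\1/')
if [ -n "$faillock_dirs" ]; then
    for dir in $faillock_dirs; do
        # Register the file-context rule for the directory and everything below it;
        # "-a" fails when a rule for this path already exists, so fall back to "-m".
        if ! semanage fcontext -a -t faillog_t "$dir(/.*)?"; then
            semanage fcontext -m -t faillog_t "$dir(/.*)?"
        fi
        # Create the directory before relabelling so restorecon has something to act on.
        # "$dir" is quoted: a bare $dir would be subject to glob expansion.
        if [ ! -e "$dir" ]; then
            mkdir -p "$dir"
        fi
        restorecon -R -v "$dir"
    done
else
    echo "
The pam_faillock.so dir option is not set in the system.
If this is not expected, make sure pam_faillock.so is properly configured."
fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi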