← Rules Catalog
mediumaccess-controlunverified

Ensure the faillock directory has the faillog_t SELinux context (RHEL 8.0-8.1)

faillock-selinux-context-legacy · RHEL ≥ 8 · 1 impl

Description

On RHEL 8.0-8.1, when a non-default pam_faillock tally directory is used it must carry the faillog_t SELinux type. On RHEL 8.2+ this is superseded and the control is not applicable.

Rationale

An incorrect SELinux label on the tally directory can prevent faillock from recording failed attempts, defeating account lockout.

Check → Remediate

Checkcommand
minor=$(. /etc/os-release 2>/dev/null; echo "${VERSION_ID#*.}")
case "$minor" in
  ''|*[!0-9]*) minor=99 ;;
esac
if [ "$minor" -ge 2 ] 2>/dev/null; then
  echo "NOT APPLICABLE: RHEL 8.$minor (see faillock-selinux-context)"
  exit 0
fi
command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ] || { echo "NOT APPLICABLE: SELinux disabled"; exit 0; }
dir=$(grep -hoE 'dir=[^ ]+' /etc/pam.d/password-auth 2>/dev/null | head -1 | cut -d= -f2)
dir=${dir:-/var/log/faillock}
ctx=$(ls -Zd "$dir" 2>/dev/null | grep -oE 'faillog_t')
if [ -n "$ctx" ]; then echo "OK: $dir has faillog_t context"; exit 0; fi
echo "FAIL: $dir does not have the faillog_t SELinux type"
exit 1
expected_exit:
0
Remediatemanual
note:
semanage fcontext -a -t faillog_t "<dir>(/.*)?" && restorecon -R -v <dir>

Framework references

STIG

V-250316 / RHEL-08-020028

NIST 800-53

AC-7
#faillock#selinux#faillog_t#legacy#stig