mediumaccess-controlunverified
Ensure the faillock directory has the faillog_t SELinux context (RHEL 8.0-8.1)
faillock-selinux-context-legacy · RHEL ≥ 8 · 1 impl
Description
On RHEL 8.0-8.1, when a non-default pam_faillock tally directory is used it must carry the faillog_t SELinux type. On RHEL 8.2+ this is superseded and the control is not applicable.
Rationale
An incorrect SELinux label on the tally directory can prevent faillock from recording failed attempts, defeating account lockout.
Check → Remediate
Checkcommand
minor=$(. /etc/os-release 2>/dev/null; echo "${VERSION_ID#*.}")
case "$minor" in
''|*[!0-9]*) minor=99 ;;
esac
if [ "$minor" -ge 2 ] 2>/dev/null; then
echo "NOT APPLICABLE: RHEL 8.$minor (see faillock-selinux-context)"
exit 0
fi
command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ] || { echo "NOT APPLICABLE: SELinux disabled"; exit 0; }
dir=$(grep -hoE 'dir=[^ ]+' /etc/pam.d/password-auth 2>/dev/null | head -1 | cut -d= -f2)
dir=${dir:-/var/log/faillock}
ctx=$(ls -Zd "$dir" 2>/dev/null | grep -oE 'faillog_t')
if [ -n "$ctx" ]; then echo "OK: $dir has faillog_t context"; exit 0; fi
echo "FAIL: $dir does not have the faillog_t SELinux type"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- semanage fcontext -a -t faillog_t "<dir>(/.*)?" && restorecon -R -v <dir>
Framework references
STIG
V-250316 / RHEL-08-020028
NIST 800-53
AC-7
#faillock#selinux#faillog_t#legacy#stig