Rule ID
SV-269155r1050037_rule
Version
V1R6
CCIs
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory meaning that accounts could be unlocked by a nonadministrator.
Note: If the system does not have SELinux enabled and enforcing, a targeted policy, or if the pam_faillock module is not configured for use, this requirement is Not Applicable. Verify the location of the nondefault tally directory for the pam_faillock module with the following command: $ grep "dir =" /etc/security/faillock.conf dir = /var/log/faillock Check the security context type of the nondefault tally directory with the following command: $ ls -Zd /var/log/faillock system_u:object_r:faillog_t:s0 /var/log/faillock If the security context type of the nondefault tally directory is not "faillog_t", this is a finding.
Configure AlmaLinux OS 9 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy. Create a nondefault faillock tally directory (if it does not already exist) using the following command: $ mkdir /var/log/faillock Update the /etc/selinux/targeted/contexts/files/file_contexts.local file with the "faillog_t" context type for the nondefault faillock tally directory using the following command: $ semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" Update the context type of the nondefault faillock directory and files within using the following command: $ restorecon -RFv /var/log/faillock