{"description": "The <tt>file</tt> configuration option in PAM pam_tally2.so module defines where to keep counts.\nDefault is /var/log/tallylog. The configured directory must have the correct SELinux context.", "rationale": "Not having the correct SELinux context on the pam_tally2.so file may lead to\nunauthorized access to the directory.", "severity": "medium", "references": {"nist": ["AC-7 (a)"], "srg": ["SRG-OS-000021-GPOS-00005"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the security context type of the non-default tally directory is not \"faillog_t\"", "ocil": "If the system does not have SELinux enabled and enforcing a targeted policy,\nor if the pam_tally2 module is not configured for use, this requirement is not applicable.\n\nCheck the security context type of the default tally2 directory with the following command:\n\n$ sudo ls -Z /var/log/tallylog\n\nunconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\nIf the security context type of the tally directory is not \"faillog_t\", this is a finding.", "oval_external_content": null, "fixtext": "Update the /etc/selinux/targeted/contexts/files/file_contexts.local with \"faillog_t\" context\ntype for the default pam_tally2 tally directory with the following command:\n\n$ sudo semanage fcontext -a -t faillog_t \"/var/log/tallylog\"\n\nNext, update the context type of the default tallylog directory/subdirectories and files with the following command:\n\n$ sudo restorecon -R -v /var/log/tallylog", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "An SELinux Context must be configured for default pam_tally2 file option",
"definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/rule.yml", "template": null}