{"description": "The <tt>dir</tt> configuration option in PAM pam_faillock.so module defines where the lockout\nrecords are stored. The configured directory must have the correct SELinux context.", "rationale": "Not having the correct SELinux context on the pam_faillock.so records directory may lead to\nunauthorized access to the directory.", "severity": "medium", "references": {"nist": ["AC-7 (a)"], "srg": ["SRG-OS-000021-GPOS-00005"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the security context type of the non-default tally directory is not \"faillog_t\"", "ocil": "If the system does not have SELinux enabled and enforcing a targeted policy, or if the\npam_faillock.so module is not configured for use, this requirement is not applicable.\n\nVerify the location of the non-default tally directory for the pam_faillock.so module with\nthe following command:\n\n$ sudo grep -w dir /etc/security/faillock.conf\n\ndir = /var/log/faillock\n\nCheck the security context type of the non-default tally directory with the following command:\n\n$ sudo ls -Zd /var/log/faillock\n\nunconfined_u:object_r:faillog_t:s0 /var/log/faillock", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to allow the use of a non-default faillock tally directory while SELinux enforces a targeted policy.\n\nCreate a non-default faillock tally directory (if it does not already exist) with the following example:\n\n$ sudo mkdir /var/log/faillock\n\nUpdate the /etc/selinux/targeted/contexts/files/file_contexts.local with \"faillog_t\" context type for the non-default faillock tally directory with the following command:\n\n$ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\nNext, update the context type of the non-default faillock directory/subdirectories and files with the following command:\n\n$ sudo restorecon -R -v /var/log/faillock", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must configure SELinux context type to allow the use of a non-default faillock tally directory.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must configure SELinux context type to allow the use of a nondefault faillock tally directory.", "vuldiscussion": "Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.", "checktext": "Verify the location of the nondefault tally directory for the pam_faillock module with the following command:\n\nNote: If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is Not Applicable.\n\n$ sudo grep -w dir /etc/security/faillock.conf\n\ndir = /var/log/faillock\n\nCheck the security context type of the nondefault tally directory with the following command:\n\n$ ls -Zd /var/log/faillock\n\nunconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\nIf the security context type of the nondefault tally directory is not \"faillog_t\", this is a finding.", "fixtext": "Configure Ubuntu 22.04 to allow the use of a nondefault faillock tally directory while SELinux enforces a targeted policy.\n\nFirst enable the feature using the following command:\n\n$ sudo authselect enable-feature with-faillock\n\nCreate a nondefault faillock tally directory (if it does not already exist) with the following example:\n\n$ sudo mkdir /var/log/faillock\n\nThen add/modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndir = /var/log/faillock\n\nUpdate the /etc/selinux/targeted/contexts/files/file_contexts.local with \"faillog_t\" context type for the nondefault faillock tally directory with the following command:\n\n$ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\nNext, update the context type of the nondefault faillock directory/subdirectories and files with the following command:\n\n$ sudo restorecon -R -v /var/log/faillock"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "An SELinux Context must be configured for the pam_faillock.so records directory", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml", "template": null}