SLEM 5 must use the default pam_tally2 tally directory.

Severity: medium
Group ID: V-261366
Group Title: SRG-OS-000021-GPOS-00005
Version: SLEM-05-412030
Rule ID: SV-261366r996837_rule
Date: 2024-06-04
STIG Version: 1
Description
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. SELinux, enforcing a targeted policy, will be required to match the default directory's security context type.
ℹ️ Check
Note: If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_tally2 module is not configured for use, this requirement is not applicable.

Verify that the pam_tally2 module in /etc/pam.d/login does not point at a nondefault tally file with the following command:

> sudo grep -R pam_tally2 /etc/pam.d/login | grep "file=" | grep -v "^#"

If the command returns any information, this is a finding.

Check the security context type of the default pam_tally2 tally file, /var/log/tallylog, with the following command:

> sudo ls -Z /var/log/tallylog
system_u:object_r:tallylog_t:s0 /var/log/tallylog

If the security context type of the tally file is not "tallylog_t", this is a finding.
✔️ Fix
Configure SLEM 5 to use the default pam_tally2 tally file, /var/log/tallylog, while SELinux enforces a targeted policy.

Remove any nondefault pam_tally2 tally file by deleting the "file=[directory-name]" option from /etc/pam.d/login:

> sudo sed -ri 's/\s+file=\S+\s+/ /g' /etc/pam.d/login

Note that this expression only matches a "file=" option that is followed by further whitespace; if "file=" is the last option on a line, the command leaves it in place. Remove such an option by hand and rerun the check.

Update /etc/selinux/targeted/contexts/files/file_contexts.local with the "tallylog_t" context type for the default pam_tally2 tally file with the following command:

> sudo semanage fcontext -a -t tallylog_t "/var/log/tallylog"

Next, apply the context type to the default tallylog path (recursing into subdirectories and files if it is a directory) with the following command:

> sudo restorecon -R -v /var/log/tallylog
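The check and the fix above, as an added shell example that is not part of the STIG text. The functions take a file path so they can be exercised against a constructed copy of /etc/pam.d/login in a temporary file (the sample PAM lines are made up for the demo) without root, PAM or SELinux; on a real host pass the real path and feed the context check the output of "sudo ls -Z /var/log/tallylog". The sed used here deliberately differs from the Fix's one-liner: it also strips a "file=" option that is the last token on the line and it skips commented-out lines.

```shell
#!/bin/sh
# Added example for SLEM-05-412030; not part of the STIG text.
# All functions take a PAM file path (or an `ls -Z` line) so the logic can be
# run against constructed input; the demo below never touches /etc or SELinux.

# Check: print active (non-comment) pam_tally2 lines in the given PAM file
# that set a nondefault tally file with file=... . Any output is a finding.
find_nondefault_tally_file() {
    grep -E 'pam_tally2' "$1" | grep -E 'file=' | grep -Ev '^[[:space:]]*#'
}

# Number of finding lines, as a value a script can test on (always prints 0 or more).
count_findings() {
    find_nondefault_tally_file "$1" | awk 'END { print NR }'
}

# Fix: strip "file=<path>" from active pam_tally2 lines. Unlike the one-liner in
# the Fix text, this also matches a file= option that is the last token on the
# line, and it leaves commented-out lines untouched. Rewrites the file in place.
strip_tally_file() {
    sed -E \
        -e '/^[[:space:]]*#/b' \
        -e '/pam_tally2/ s/[[:space:]]+file=[^[:space:]]+//g' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Check: given one line of `ls -Z` output ("user:role:type:level path"),
# succeed only if the SELinux type component is tallylog_t.
context_type_is_tallylog() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); exit !(c[3] == "tallylog_t") }'
}

demo() {
    tmp=$(mktemp)
    # Constructed sample /etc/pam.d/login: two active pam_tally2 lines with a
    # nondefault file= (one as the last token) and one commented-out line.
    cat > "$tmp" <<'EOF'
#%PAM-1.0
auth     required   pam_tally2.so deny=3 onerr=fail file=/var/log/faillog unlock_time=900
#auth    required   pam_tally2.so file=/var/log/old_tallylog
account  required   pam_tally2.so file=/var/log/faillog
auth     include    common-auth
EOF
    echo "findings before fix: $(count_findings "$tmp")"
    strip_tally_file "$tmp"
    echo "findings after fix:  $(count_findings "$tmp")"
    cat "$tmp"
    rm -f "$tmp"

    # The context check only parses; on a real host feed it `sudo ls -Z /var/log/tallylog`.
    for line in 'system_u:object_r:tallylog_t:s0 /var/log/tallylog' \
                'system_u:object_r:var_log_t:s0 /var/log/tallylog'; do
        if context_type_is_tallylog "$line"; then
            echo "ok:      $line"
        else
            echo "finding: $line"
        fi
    done
}

demo
```

Running the script prints two findings before the fix and none after, shows the rewritten PAM lines with their other options (deny=, onerr=, unlock_time=) intact, and flags the var_log_t context line as a finding while accepting the tallylog_t one. On a real host, after the sed step you still need the semanage fcontext and restorecon commands from the Fix text; this example does not run them.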