Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-261366 | SLEM-05-412030 | SV-261366r996837_rule | | Medium |
Description |
---|
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. SELinux, enforcing a targeted policy, will be required to match the default directory's security context type. |
STIG | Date |
---|---|
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide | 2024-06-04 |
Check Text ( C-65095r996542_chk ) |
---|
Verify the location of the default tallylog file for the pam_tally2 module with the following command:

Note: If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_tally2 module is not configured for use, this requirement is not applicable.

> sudo grep -R pam_tally2 /etc/pam.d/login | grep "file=" | grep -v "^#"

If the command returns any information, this is a finding.

Check the security context type of the default tally2 directory with the following command:

> sudo ls -Z /var/log/tallylog
system_u:object_r:tallylog_t:s0 /var/log/tallylog

If the security context type of the tally directory is not "tallylog_t", this is a finding. |
Fix Text (F-65003r996837_fix) |
---|
Configure SLEM 5 to use the default pam_tally2 tally directory while SELinux enforces a targeted policy.

Remove the nondefault pam_tally2 tally directory, if any, by removing the "file=[directory-name]" configuration part from /etc/pam.d/login:

> sudo sed -ri 's/\s+file=\S+//g' /etc/pam.d/login

Update /etc/selinux/targeted/contexts/files/file_contexts.local with the "tallylog_t" context type for the default pam_tally2 tally directory with the following command:

> sudo semanage fcontext -a -t tallylog_t "/var/log/tallylog"

Next, update the context type of the default tallylog directory/subdirectories and files with the following command:

> sudo restorecon -R -v /var/log/tallylog |
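
The two check-text conditions can also be evaluated by a script. The following is an added example, not part of the STIG text; the function names and the sample PAM lines are constructed, and the SELinux context is passed in as `ls -Z` output so the logic can be exercised offline. It also catches a "file=" override that is the last option on the line or that follows an indented comment marker.

```bash
#!/usr/bin/env bash
# Added example: evaluates the two check-text conditions for SLEM-05-412030.
# Function names and the sample PAM lines are constructed for illustration.

# Print active (non-comment) pam_tally2 lines from a PAM file.
active_tally2_lines() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -E 'pam_tally2(\.so)?([[:space:]]|$)'
}

# Print active pam_tally2 lines that override the tally location with file=.
# Matches file= anywhere in the options, including as the last option.
tally2_file_overrides() {
    active_tally2_lines "$1" | grep -E '[[:space:]]file=[^[:space:]]+'
}

# Extract the SELinux type (third colon-separated field) from "ls -Z" output.
context_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# $1 = PAM file, $2 = one line of "ls -Z" output for the tally path.
# Return 0 = not a finding, 1 = finding, 2 = not applicable (no pam_tally2).
check_tallylog() {
    active_tally2_lines "$1" >/dev/null || return 2
    if tally2_file_overrides "$1" >/dev/null; then
        echo "finding: nondefault tally location set in $1"; return 1
    fi
    if [ "$(context_type "$2")" != "tallylog_t" ]; then
        echo "finding: tallylog context type is not tallylog_t"; return 1
    fi
    echo "not a finding"; return 0
}

# Constructed sample: a login stack whose active pam_tally2 line ends in file=.
write_sample() {
    printf '%s\n' \
        '  #auth required pam_tally2.so file=/tmp/old_tally' \
        'auth required pam_tally2.so deny=3 onerr=fail file=/var/log/custom_tally' \
        'account required pam_tally2.so' > "$1"
}

# Usage on a live system (SELinux must be enforcing the targeted policy):
#   check_tallylog /etc/pam.d/login "$(ls -Z /var/log/tallylog)"
```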