ansible-lockdown / RHEL8-CIS

Ansible role for Red Hat 8 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License
260 stars 162 forks

task breaks authselect, which is critical to detect modifications to the auth stack #402

Open karlg100 opened 1 month ago

karlg100 commented 1 month ago

I'm uncertain how to properly fix this other than creating a new custom authselect profile; however, modifying the password-auth and system-auth files is not the correct way.

https://github.com/ansible-lockdown/RHEL8-CIS/blob/bc4cdf885ce563ec9682caf65131bda9cb38277e/tasks/prelim.yml#L238

This task modifies the PAM stack, and then `authselect check` will fail and report tampering with the authentication stack. This is important for intrusion detection, to detect when the PAM stack is not configured to the profile.

This also breaks the ability for authselect to enable/disable features from other automation.
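One way to express the fix the issue asks for, as an added example that is not the role's own code: manage the stack through an authselect custom profile so that `authselect check` keeps passing and other automation can still toggle features. The profile name `cis-custom`, the `sssd` base profile and the `pam_pwhistory` line used as the sample edit are assumptions.

```yaml
# Constructed example: edit an authselect custom profile instead of
# /etc/pam.d/system-auth and /etc/pam.d/password-auth directly.
# "cis-custom", base profile "sssd" and the pwhistory line are assumptions.
- name: Create a custom authselect profile derived from the base profile
  ansible.builtin.command:
    cmd: authselect create-profile cis-custom --base-on sssd --symlink-meta
    creates: /etc/authselect/custom/cis-custom

- name: Apply the hardening edit to the custom profile templates, not /etc/pam.d
  ansible.builtin.lineinfile:
    path: "/etc/authselect/custom/cis-custom/{{ item }}"
    regexp: '^password\s+required\s+pam_pwhistory\.so'
    line: 'password    required      pam_pwhistory.so remember=5 use_authtok'
    insertafter: '^password\s+requisite\s+pam_pwquality\.so'
  loop:
    - system-auth
    - password-auth
  register: profile_edit

- name: Read which profile is currently selected
  ansible.builtin.command: authselect current --raw
  register: authselect_current
  changed_when: false
  failed_when: false

- name: Select the custom profile (--force overrides hand-edited /etc/pam.d files)
  ansible.builtin.command: authselect select custom/cis-custom with-faillock --force
  when: "'custom/cis-custom' not in authselect_current.stdout"

- name: Re-render /etc/pam.d from the profile after the templates changed
  ansible.builtin.command: authselect apply-changes
  when: profile_edit is changed

# Detection step: a non-zero exit here means the live PAM stack no longer
# matches the selected profile, i.e. something wrote to /etc/pam.d directly.
- name: Verify the live PAM stack still matches the selected profile
  ansible.builtin.command: authselect check
  register: authselect_check
  changed_when: false
  failed_when: authselect_check.rc != 0
```

Running the final `authselect check` task on a schedule (or from a monitoring role) gives the tamper signal the issue describes, without the role itself being the thing that trips it.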

uk-bolly commented 1 month ago

hi @karlg100

Thanks for raising this issue. I am rewriting this section on how the authselect actually works, so you can pass it a profile you already have and it discovers any potential issues. As standard, it creates a backup before any changes.

The problem is many people haven't moved to using authselect, so we are trying to cater for as many as possible. Please feel free to try out the new branch, which should be there later today/tomorrow morning, and feed back to see if that's an improvement on the way it works. The options in defaults main are greatly reduced.

many thanks

uk-bolly