ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License
109 stars, 86 forks

5.5.1 through 5.5.4 do not account for authselect #191

Closed numericillustration closed 2 months ago

numericillustration commented 5 months ago

Describe the Issue

Direct editing of PAM files managed by authselect in section 5.5.1-4 causes any later use of authselect profiles to abort with an error due to the current live pam files having unexpected changes in them.

https://github.com/ansible-lockdown/RHEL9-CIS/blob/devel/tasks/section_5/cis_5.5.x.yml

$ sudo authselect select sssd with-mkhomedir
[error] [/etc/authselect/system-auth] has unexpected content!
[error] [/etc/authselect/password-auth] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.

Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.

The files being edited are symlinks to the authselect versions

$ ls -alrt /etc/pam.d/
total 88
-rw-r--r--.  1 root root  322 Feb 15  2019 crond
-rw-r--r--.  1 root root  168 May 14  2022 passwd
-rw-r--r--.  1 root root  155 Apr 21  2023 polkit-1
-rw-r--r--   1 root root  214 Jun 23  2023 sssd-shadowutils
-rw-r--r--   1 root root  154 Oct 28 09:26 other
-rw-r--r--   1 root root  232 Oct 28 09:26 config-util
-rw-r--r--   1 root root   84 Oct 31 21:28 vlock
-rw-r--r--   1 root root  137 Nov  6 01:14 su-l
-rw-r--r--   1 root root  566 Nov  6 01:14 su
-rw-r--r--   1 root root  138 Nov  6 01:14 runuser-l
-rw-r--r--   1 root root  143 Nov  6 01:14 runuser
-rw-r--r--   1 root root  640 Nov  6 01:14 remote
-rw-r--r--   1 root root  676 Nov  6 01:14 login
-rw-r--r--   1 root root  910 Dec 12 15:47 cockpit
-rw-r--r--   1 root root  414 Jan 23 10:22 systemd-user
-rw-r--r--   1 root root  178 Feb 14 19:23 sudo-i
-rw-r--r--   1 root root  154 Feb 14 19:23 sudo
-rw-r--r--   1 root root  727 Mar  6 10:01 sshd
lrwxrwxrwx   1 root root   27 Mar 13 03:02 system-auth -> /etc/authselect/system-auth
lrwxrwxrwx   1 root root   30 Mar 13 03:02 smartcard-auth -> /etc/authselect/smartcard-auth
lrwxrwxrwx   1 root root   25 Mar 13 03:02 postlogin -> /etc/authselect/postlogin
lrwxrwxrwx   1 root root   29 Mar 13 03:02 password-auth -> /etc/authselect/password-auth
lrwxrwxrwx   1 root root   32 Mar 13 03:02 fingerprint-auth -> /etc/authselect/fingerprint-auth
drwxr-xr-x.  2 root root 4096 Mar 13 03:02 .
drwxr-xr-x. 97 root root 8192 Mar 14 19:24 ..

This is also different behavior from the way 5.4.1 operates regarding pam files and authselect. For the 5.4.1 edits, one either

Expected Behavior

5.5.1 - 5.5.4 would either use a custom authselect profile, or require a similar rhel9cis_5_4_2_risks == 'ACCEPT' type flag

Actual Behavior

5.5.1 through 5.5.4 directly edit pam files managed by authselect without telling authselect

Control(s) Affected

5.5.1 through 5.5.4

Environment (please complete the following information):

Additional Notes Anything additional goes here

Possible Solution Enter a suggested fix here
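The failure the report describes comes from the fact that `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` are symlinks into `/etc/authselect/`, so any in-place edit changes authselect's own output and makes the next `authselect select` refuse to run. The following shell snippet is an added example (it is not code from the RHEL9-CIS role or from this thread) of the pre-check a hardening task can perform before touching a PAM file: it resolves the symlink and reports whether the file is owned by authselect, in which case the change has to go through an authselect profile instead. The authselect directory is passed as a parameter so the check can be exercised on a constructed directory tree; on a real host it is `/etc/authselect`. The function names and the temporary tree are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the RHEL9-CIS role: refuse to edit a PAM file in
# place when it is an authselect-managed symlink, because direct edits make
# "authselect select" fail with "[...] has unexpected content!".

# Return 0 when FILE is a symlink whose target lives under AUTHSELECT_DIR
# (default /etc/authselect), i.e. authselect generates its contents.
# Note: the symlinks in the report use absolute targets, which is what this
# check expects; a relative target would need further resolution.
pam_is_authselect_managed() {
    file="$1"
    authselect_dir="${2:-/etc/authselect}"
    [ -L "$file" ] || return 1
    target=$(readlink "$file")
    case "$target" in
        "$authselect_dir"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide how a hardening task should treat FILE: "direct" for a plain file
# that may be edited in place (e.g. /etc/pam.d/sshd), "profile" when the
# change must be made in a custom authselect profile and then selected.
pam_edit_strategy() {
    if pam_is_authselect_managed "$1" "$2"; then
        echo profile
    else
        echo direct
    fi
}

# Demonstration on a constructed tree that mirrors the ls output in the report.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/authselect" "$demo_tree/pam.d"
printf 'auth required pam_env.so\n' > "$demo_tree/authselect/system-auth"
ln -s "$demo_tree/authselect/system-auth" "$demo_tree/pam.d/system-auth"
printf 'auth include system-auth\n' > "$demo_tree/pam.d/sshd"

pam_edit_strategy "$demo_tree/pam.d/system-auth" "$demo_tree/authselect"  # profile
pam_edit_strategy "$demo_tree/pam.d/sshd" "$demo_tree/authselect"         # direct
rm -rf "$demo_tree"
```

When the check answers `profile`, the supported route on a RHEL 9 host is to create a custom profile from the active base (for example `authselect create-profile cis -b sssd`), make the CIS edits under `/etc/authselect/custom/cis/`, and activate it with `authselect select custom/cis`; `authselect check` afterwards confirms that the live files still match what authselect generated. That is the ordering the report asks for, and it is what keeps a later `authselect select sssd with-mkhomedir` from aborting.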

georgenalen commented 2 months ago

This has been merged into main for release on June 4th, 2024. Closing this ticket since the fix is in the release.