ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License
124 stars, 94 forks

5.5.1 and others break authselect #225

Open karlg100 opened 3 months ago

karlg100 commented 3 months ago

authselect is important for managing the PAM stack, and for detecting modifications to the stack via "authselect check" for intrusion detection.

The proper way to modify the stack is a custom profile. I don't know the solution here other than MindPoint creating an sssd-derived authselect stack with all system-auth and *-auth stack modifications added as features (perhaps a PRELIM task).

Then, during the various tasks, enable/disable the feature and let authselect manage the stack.

https://github.com/ansible-lockdown/RHEL9-CIS/blob/cf4376f1f7f0aaf48d28511ecc0d840bbe70a1e2/tasks/section_5/cis_5.5.x.yml#L14C16-L14C84
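As an added illustration of the breakage described in this comment (example code, not from the RHEL9-CIS role or from this issue): once a profile is selected, authselect replaces /etc/pam.d/system-auth, password-auth, fingerprint-auth, smartcard-auth and postlogin with symlinks into /etc/authselect/, so a task that rewrites one of those files in place (for example with lineinfile) turns the symlink back into a regular file, the file is no longer under the profile, and "authselect check" stops reporting a valid configuration. The POSIX sh functions below detect exactly that condition. The directory parameters, the service list and the function names are assumptions made for this example so the check can be run against a staged tree instead of the live host.

```shell
#!/bin/sh
# Added example, not part of the RHEL9-CIS role: detect PAM service files that
# have been detached from authselect's control.
#
# Assumption relied on: authselect manages the PAM stack by turning the
# service files in /etc/pam.d into symlinks pointing into /etc/authselect/.
# Any regular file (or a symlink elsewhere) at those paths means something
# wrote the stack directly and "authselect check" will no longer pass.

# authselect_managed FILE [AUTHSELECT_DIR]
# Returns 0 if FILE is a symlink whose target lies inside AUTHSELECT_DIR
# (default /etc/authselect), 1 otherwise.
authselect_managed() {
    f=$1
    asdir=${2:-/etc/authselect}
    [ -L "$f" ] || return 1          # regular file: someone rewrote it in place
    target=$(readlink "$f")
    case $target in
        "$asdir"/*) return 0 ;;      # symlink into the authselect tree
        *)          return 1 ;;      # symlink, but not to authselect
    esac
}

# authselect_drift [PAM_DIR] [AUTHSELECT_DIR]
# Walks the service files authselect owns (assumed list below), reports each
# detached one on stderr, prints the count on stdout and returns non-zero if
# any drift was found. Services absent on the host are skipped.
authselect_drift() {
    pamdir=${1:-/etc/pam.d}
    asdir=${2:-/etc/authselect}
    drift=0
    for svc in system-auth password-auth fingerprint-auth smartcard-auth postlogin; do
        f="$pamdir/$svc"
        [ -e "$f" ] || [ -L "$f" ] || continue
        if ! authselect_managed "$f" "$asdir"; then
            echo "DRIFT: $f is not a symlink into $asdir" >&2
            drift=$((drift + 1))
        fi
    done
    echo "$drift"
    [ "$drift" -eq 0 ]
}

# Usage on a real host (not run by default):
#   authselect_drift && echo "PAM stack still managed by authselect"
```

The non-breaking workflow the comment proposes is the one authselect itself documents: derive a custom profile from the sssd profile with "authselect create-profile NAME -b sssd", put the CIS changes into that profile's files, then switch to it with "authselect select custom/NAME" plus the wanted features (for example with-faillock, with-pwhistory), so that "authselect check" keeps passing afterwards; run the drift check above after the role to confirm no task has detached a service file.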

uk-bolly commented 2 months ago

hi @karlg100

Thank you for your question. If you already have an existing custom solution, you should be able to run with the variable rhel9cis_authselect_custom_profile_select: "yournamehere" set.

If you could let me know how you are running with the authselect options, this should work as expected when you create your own also. It may be easier to chat on the community Discord: https://lockdownenterprise.com/discord. Keen to find out if there is something more we could do here; PAM is always very specialist on different solutions.

Many thanks

uk-bolly