From 71d1b244cf6db505f68a76d5b7a2102fd09e53c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 6 Jan 2026 13:33:22 +0100
Subject: [PATCH 1/2] Fix rule accounts_password_pam_pwhistory_use_authtok
The remediations shouldn't update the /etc/pam.d/system-auth and /etc/pam.d/password-auth directly, it would conflict with authselect. The remediations need to update the authselect profile instead, and then let authselect to modify the files in /etc/pam.d/.
---
.../ansible/shared.yml | 90 ++++++++++++++++++-
.../bash/shared.sh | 18 +++-
.../tests/rhel_correct.pass.sh | 14 ++-
.../tests/rhel_wrong.fail.sh | 14 ++-
.../oval/shared.xml | 2 +-
5 files changed, 129 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/ansible/shared.yml
index 8fb16daeae7..68aac599888 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/ansible/shared.yml
@@ -4,5 +4,91 @@
 # complexity = low
 # disruption = medium
 {{{ ansible_check_authselect_presence(rule_title=rule_title) }}}
-{{{ ansible_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "required", "pam_pwhistory.so", "use_authtok", rule_id=rule_id, rule_title=rule_title) }}}
-{{{ ansible_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "required", "pam_pwhistory.so", "use_authtok", rule_id=rule_id, rule_title=rule_title) }}}
+
+- name: '{{{ rule_title }}} - Ensure authselect custom profile is used if authselect is present'
+ block:
+ {{{ ansible_check_authselect_integrity(rule_title=rule_title) | indent(4) }}}
+
+ {{{ ansible_ensure_authselect_custom_profile(rule_title=rule_title) | indent(4) }}}
+ when:
+ - result_authselect_present.stat.exists
+
+- name: '{{{ rule_title }}} - Get authselect current profile'
+ ansible.builtin.shell:
+ cmd: authselect current -r | awk '{ print $1 }'
+ register: result_authselect_profile
+ changed_when: false
+ when:
+ - result_authselect_check_cmd is success
+
+- name: '{{{ rule_title }}} - Define the PAM profile path based on the authselect profile'
+ ansible.builtin.set_fact:
+ pam_profile_path: >-
+ {%- if result_authselect_profile.stdout is match("^custom/") -%}
+ /etc/authselect/{{ result_authselect_profile.stdout }}
+ {%- else -%}
+ /usr/share/authselect/default/{{ result_authselect_profile.stdout }}
+ {%- endif -%}
+ when:
+ - result_authselect_check_cmd is success
+ - result_authselect_profile is not skipped
+
+- name: '{{{ rule_title }}} - Check if "use_authtok" option is present in pam_pwhistory.so in {{{ pam_profile_path }}}/password-auth'
+ ansible.builtin.lineinfile:
+ path: "{{ pam_profile_path }}/password-auth"
+ regexp: '^\s*password\s+([^#\n\r]+)\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?use_authtok\b'
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_pwhistory_password_auth_option_present
+ when:
+ - result_authselect_check_cmd is success
+ - 
result_authselect_profile is not skipped
+ - pam_profile_path is defined
+
+- name: '{{{ rule_title }}} - Ensure "use_authtok" option is added to pam_pwhistory.so in {{{ pam_profile_path }}}/password-auth'
+ ansible.builtin.replace:
+ path: "{{ pam_profile_path }}/password-auth"
+ regexp: '(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$'
+ replace: '\1 use_authtok'
+ register: result_pam_pwhistory_password_auth_add
+ when:
+ - result_authselect_check_cmd is success
+ - result_authselect_profile is not skipped
+ - pam_profile_path is defined
+ - result_pam_pwhistory_password_auth_option_present.found is defined
+ - result_pam_pwhistory_password_auth_option_present.found == 0
+
+- name: '{{{ rule_title }}} - Check if "use_authtok" option is present in pam_pwhistory.so in {{{ pam_profile_path }}}/system-auth'
+ ansible.builtin.lineinfile:
+ path: "{{ pam_profile_path }}/system-auth"
+ regexp: '^\s*password\s+([^#\n\r]+)\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?use_authtok\b'
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_pwhistory_system_auth_option_present
+ when:
+ - result_authselect_check_cmd is success
+ - result_authselect_profile is not skipped
+ - pam_profile_path is defined
+
+- name: '{{{ rule_title }}} - Ensure "use_authtok" option is added to pam_pwhistory.so in {{{ pam_profile_path }}}/system-auth'
+ ansible.builtin.replace:
+ path: "{{ pam_profile_path }}/system-auth"
+ regexp: '(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$'
+ replace: '\1 use_authtok'
+ register: result_pam_pwhistory_system_auth_add
+ when:
+ - result_authselect_check_cmd is success
+ - result_authselect_profile is not skipped
+ - pam_profile_path is defined
+ - result_pam_pwhistory_system_auth_option_present.found is defined
+ - result_pam_pwhistory_system_auth_option_present.found == 0
+
+{{{ ansible_apply_authselect_changes(rule_title=rule_title) }}}
+ when:
+ - result_authselect_check_cmd is success
+ - result_authselect_profile is not skipped
+ - >-
+ (result_pam_pwhistory_password_auth_add is defined and result_pam_pwhistory_password_auth_add.changed)
+ or (result_pam_pwhistory_system_auth_add is defined and result_pam_pwhistory_system_auth_add.changed)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/shared.sh
index 1ef54f0815d..edf902ba844 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/shared.sh
@@ -1,3 +1,17 @@
 # platform = multi_platform_rhel
-{{{ bash_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "required", "pam_pwhistory.so", "use_authtok") }}}
-{{{ bash_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "required", "pam_pwhistory.so", "use_authtok") }}}
+
+{{{ bash_ensure_authselect_custom_profile() }}}
+pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+if grep -Pq -- '^custom\/' <<< "$pam_profile"; then
+ pam_profile_path="/etc/authselect/$pam_profile"
+else
+ pam_profile_path="/usr/share/authselect/default/$pam_profile"
+fi
+
+for authselect_file in "$pam_profile_path"/password-auth "$pam_profile_path"/system-auth; do
+ if ! grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$authselect_file"; then
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$/& use_authtok/g' "$authselect_file"
+ fi
+done
+
+authselect apply-changes
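Review bot: The four task names added in this hunk interpolate the runtime fact with build-time syntax, `{{{ pam_profile_path }}}`, while the `path:` fields of the same tasks correctly use `{{ pam_profile_path }}`; `pam_profile_path` only exists after the `set_fact` task runs, so when the content is rendered it is undefined and the name either breaks the build or renders with an empty path, depending on how the build's Jinja treats undefined names. Each `name:` should read e.g. `- name: '{{{ rule_title }}} - Check if "use_authtok" option is present in pam_pwhistory.so in {{ pam_profile_path }}/password-auth'`. Separately, the `set_fact` falls back to `/usr/share/authselect/default/...` when the current profile is not `custom/`, which points both `replace` tasks at the package-owned vendor profile; if `ansible_ensure_authselect_custom_profile` guarantees a custom profile (I cannot see the macro) that branch is dead and could `fail` with a clear message instead, and if it does not, the remediation edits files the next authselect package update overwrites.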
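Review bot: The `else` branch sets `pam_profile_path` to `/usr/share/authselect/default/$pam_profile`, so a non-custom profile makes the `sed -ri` below rewrite the vendor profile shipped by the authselect package, which the next package update overwrites and which is not meant to be edited in place. Since `bash_ensure_authselect_custom_profile()` runs first, the selected profile should already be `custom/...` (inferred from the macro name; its body is not visible here), so the branch is either unreachable or an unsafe fallback; I would refuse instead: `echo "authselect profile '$pam_profile' is not a custom profile, not editing vendor files" >&2` followed by `exit 1`. The Ansible variant reads the profile with `authselect current -r` while this reads `head -1 /etc/authselect/authselect.conf`; using one source in both keeps the two remediations in step. `authselect apply-changes` also runs even when the loop changed nothing, which is harmless but makes every run report a change.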
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
index a0ee8ece704..cb88509ffb0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
@@ -1,4 +1,14 @@
 #!/bin/bash
 # platform = multi_platform_rhel
-{{{ bash_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "required", "pam_pwhistory.so", "use_authtok") }}}
-{{{ bash_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "required", "pam_pwhistory.so", "use_authtok") }}}
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+authselect enable-feature with-pwhistory
+pam_profile_path="/etc/authselect/$CUSTOM_PROFILE"
+
+for authselect_file in "$pam_profile_path"/password-auth "$pam_profile_path"/system-auth; do
+ if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$authselect_file"; then
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$/& use_authtok/g' "$authselect_file"
+ fi
+done
+authselect apply-changes
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_wrong.fail.sh
index c184a3062bc..3f4b2ba8cf8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_wrong.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_wrong.fail.sh
@@ -1,4 +1,14 @@
 #!/bin/bash
 # platform = multi_platform_rhel
-{{{ bash_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "required", "pam_pwhistory.so", "remember") }}}
-{{{ bash_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "required", "pam_pwhistory.so", "remember") }}}
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+authselect enable-feature with-pwhistory
+pam_profile_path="/etc/authselect/$CUSTOM_PROFILE"
+
+for authselect_file in "$pam_profile_path"/password-auth "$pam_profile_path"/system-auth; do
+ if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$authselect_file"; then
+ sed -i 's/use_authtok//g' "$authselect_file"
+ fi
+done
+authselect apply-changes
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
index c66d6b869d3..6e0d3019a28 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product == "rhel10" %}}
+{{% if "rhel" in product %}}
 {{%- set pam_files = ['/etc/pam.d/password-auth', '/etc/pam.d/system-auth'] -%}}
 {{% else %}}
 {{%- set pam_files = ['/etc/pam.d/common-password'] -%}}
From 44634a36a173cf89058e53905299c1c9561a8c06 Mon Sep 17 00:00:00 2001
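Review bot: `sed -i 's/use_authtok//g'` strips `use_authtok` from every line of the profile file, not only from the `pam_pwhistory.so` line this rule is about; in an sssd-based profile the `pam_unix.so` password line normally carries `use_authtok` too (inferred, the profile is not in the hunk), so the scenario also breaks behaviour the rule's OVAL does not look at and the "fail" outcome no longer isolates the one condition under test. Restrict the edit to the module under test: `sed -ri '/pam_pwhistory\.so/ s/\s*\buse_authtok\b//g' "$authselect_file"`. The `grep -Pq` guard around it already mirrors the remediation's detection regex, which is the right anchor for a fail scenario.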
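Review bot: This hunk widens the `accounts_password_pam_unix_authtok` OVAL from rhel10 to every product whose id contains `rhel`, so RHEL 8 and 9 scans now read `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth` instead of `/etc/pam.d/common-password`; that is a different rule from the one named in the subject, and the commit message does not mention it. A sentence such as `Also evaluate accounts_password_pam_unix_authtok against system-auth/password-auth on all RHEL versions` in the description would make the scan-result change on rhel8/rhel9 traceable. The substring test also matches any future product id that happens to contain `rhel`; if only the current releases are meant, `{{% if product in ["rhel8", "rhel9", "rhel10"] %}}` says so explicitly.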
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 7 Jan 2026 10:00:22 +0100
Subject: [PATCH 2/2] Fix test scenario
---
.../tests/rhel_correct.pass.sh | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
index cb88509ffb0..8dfd4ece989 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_rhel
+
 authselect create-profile hardening -b sssd
 CUSTOM_PROFILE="custom/hardening"
 authselect select $CUSTOM_PROFILE --force
@@ -7,8 +8,6 @@ authselect enable-feature with-pwhistory
 pam_profile_path="/etc/authselect/$CUSTOM_PROFILE"

 for authselect_file in "$pam_profile_path"/password-auth "$pam_profile_path"/system-auth; do
- if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$authselect_file"; then
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$/& use_authtok/g' "$authselect_file"
- fi
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$/& use_authtok/g' "$authselect_file"
 done
 authselect apply-changes
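Review bot: Dropping the guard makes the `sed -ri` append ` use_authtok` unconditionally, so if the `pam_pwhistory.so` line of the freshly created `custom/hardening` profile already carries the option the result is a line with `use_authtok` twice, and if that template line ends in an authselect `{include if ...}` directive the option is appended after the directive rather than among the module options (I cannot see the profile, so both are assumptions to verify on a target). Patch 1's inverted condition was the bug; the minimal fix is to negate it so the scenario mirrors the remediation's own check: `if ! grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$authselect_file"; then` around the `sed`, closed with `fi`. The enclosing `for` loop starts before this hunk.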