Skip to content

New rule accounts_password_pam_modules_in_authselect_profile #14279

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
jan-cerny wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

New rule accounts_password_pam_modules_in_authselect_profile #14279

jan-cerny wants to merge 3 commits into from
+603 −29

Conversation

@jan-cerny
Copy link
Collaborator

@jan-cerny jan-cerny commented Jan 7, 2026
edited
Loading

This PR adds new rule accounts_password_pam_modules_in_authselect_profile. This rule implements CIS requirement "Ensure active authselect profile includes pam modules". This requirement is a part of RHEL 8, 9 and 10 CIS. The rule is added to all profiles.

The rule doesn't check PAM configuration in /etc/pam.d/system-auth or password-auth. Instead, it checks the authselect template contents in /etc/authselect.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6093

@jan-cerny jan-cerny added this to the 0.1.80 milestone Jan 7, 2026
@jan-cerny jan-cerny added New Rule Issues or pull requests related to new Rules. CIS CIS Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related. labels Jan 7, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 7, 2026
@openshift-ci
Copy link

openshift-ci bot commented Jan 7, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions
Copy link

github-actions bot commented Jan 7, 2026
edited
Loading

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@jan-cerny
New rule accounts_password_pam_modules_in_authselect_profile
d5d9394 
This rule implements CIS RHEL 10 Benchmark v1.0.1 requirement
5.3.2.1 - Ensure active authselect profile includes pam modules.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6093
@jan-cerny
Use command module instead of shell module
f53674d
@jan-cerny
Add rule to other CIS profiles
5213a55 
Add the new rule accounts_password_pam_modules_in_authselect_profile
also to RHEL 8, RHEL 9, and Fedora CIS profiles, because these
benchmarks contain the same requirement as RHEL 10 CIS.
@jan-cerny jan-cerny force-pushed the authselect_template branch from 179fed3 to 5213a55 Compare January 9, 2026 08:51
@jan-cerny jan-cerny added RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. labels Jan 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka will be requested when the pull request is marked ready for review matusmarhefka is a code owner

@Mab879 Mab879 Awaiting requested review from Mab879 Mab879 will be requested when the pull request is marked ready for review Mab879 is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek will be requested when the pull request is marked ready for review vojtapolasek is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

CIS CIS Benchmark related. do-not-merge/work-in-progress Used by openshift-ci bot. New Rule Issues or pull requests related to new Rules. RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. RHEL10 Red Hat Enterprise Linux 10 product related.

Projects

None yet

Milestone

0.1.80

Development

Successfully merging this pull request may close these issues.

1 participant

@jan-cerny