Skip to content

New rule accounts_password_pam_modules_in_authselect_profile#14279

Merged
Mab879 merged 7 commits intoComplianceAsCode:masterfrom
jan-cerny:authselect_template
Jan 23, 2026
Merged

New rule accounts_password_pam_modules_in_authselect_profile#14279
Mab879 merged 7 commits intoComplianceAsCode:masterfrom
jan-cerny:authselect_template

Conversation

@jan-cerny
Copy link
Collaborator

@jan-cerny jan-cerny commented Jan 7, 2026
edited
Loading

This PR adds new rule accounts_password_pam_modules_in_authselect_profile. This rule implements CIS requirement "Ensure active authselect profile includes pam modules". This requirement is a part of RHEL 8, 9 and 10 CIS. The rule is added to all profiles.

The rule doesn't check PAM configuration in /etc/pam.d/system-auth or password-auth. Instead, it checks the authselect template contents in /etc/authselect.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6093

@jan-cerny jan-cerny added this to the 0.1.80 milestone Jan 7, 2026
@jan-cerny jan-cerny added New Rule Issues or pull requests related to new Rules. CIS CIS Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related. labels Jan 7, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 7, 2026
@openshift-ci
Copy link

openshift-ci bot commented Jan 7, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions
Copy link

github-actions bot commented Jan 7, 2026
edited
Loading

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@jan-cerny jan-cerny force-pushed the authselect_template branch from 179fed3 to 5213a55 Compare January 9, 2026 08:51
@jan-cerny jan-cerny added RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. labels Jan 9, 2026
@Arden97 Arden97 self-assigned this Jan 9, 2026
@jan-cerny
New rule accounts_password_pam_modules_in_authselect_profile
c05874b 
This rule implements CIS RHEL 10 Benchmark v1.0.1 requirement
5.3.2.1 - Ensure active authselect profile includes pam modules.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6093
@jan-cerny jan-cerny force-pushed the authselect_template branch from ba8e48c to c05874b Compare January 16, 2026 09:06
@jan-cerny jan-cerny marked this pull request as ready for review January 16, 2026 09:06
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 16, 2026
Arden97
Arden97 requested changes Jan 16, 2026
View reviewed changes
Arden97
Arden97 approved these changes Jan 19, 2026
View reviewed changes
Copy link
Contributor

@Arden97 Arden97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've verified that this PR passes all local automated tests on RHEL 8.10, RHEL 9.7, and RHEL 10.1. All meaningful requested changes in tests and remediations have been made

Mab879
Mab879 requested changes Jan 19, 2026
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Platform should be Fedora as well for testing.

...tem/accounts/accounts-pam/accounts_password_pam_modules_in_authselect_profile/bash/shared.sh Outdated
@@ -0,0 +1,135 @@
# platform = multi_platform_rhel
Copy link
Member

@Mab879 Mab879 Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should also include Fedora?

@jan-cerny
Copy link
Collaborator Author

jan-cerny commented Jan 20, 2026

I have removed empty lines and added Fedora to test scenarios.

@Mab879 Mab879 self-assigned this Jan 20, 2026
@jan-cerny
Copy link
Collaborator Author

jan-cerny commented Jan 23, 2026

I have changed platform to all platforms.

@Mab879 Mab879 merged commit 39e7b34 into ComplianceAsCode:master Jan 23, 2026
141 of 144 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Arden97 Arden97 Arden97 approved these changes

@Mab879 Mab879 Mab879 approved these changes

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek is a code owner

Assignees

@Mab879 Mab879

@Arden97 Arden97

Labels

CIS CIS Benchmark related. New Rule Issues or pull requests related to new Rules. RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. RHEL10 Red Hat Enterprise Linux 10 product related.

Projects

None yet

Milestone

0.1.80

Development

Successfully merging this pull request may close these issues.

3 participants

@jan-cerny @Mab879 @Arden97