ComplianceAsCode · vojtapolasek · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 12, 2025
diff --git a/...s-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml b/...s-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml
@@ -6,13 +6,15 @@
 
 {{% if 'ubuntu' in product or 'debian' in product %}}
 {{%- set pam_config_paths = "['/etc/pam.d/common-password', '/etc/pam.d/common-auth', '/etc/pam.d/common-account', '/etc/pam.d/common-session', '/etc/pam.d/common-session-noninteractive']" %}}
-{{% else %}}
-{{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
-{{% endif %}}
 
 - name: '{{{ rule_title }}} - Remove remember option from pam_unix.so'
   ansible.builtin.replace:
     dest: "{{ item }}"
     regexp: '(\s+pam_unix\.so.*)\s+remember=\d+\b(.*)'
     replace: '\1\2'
   loop: {{{ pam_config_paths }}}
+{{% else %}}
+{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember', rule_title=rule_title) }}}
+
+{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember', rule_title=rule_title) }}}
+{{% endif %}}
diff --git a/...ounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh b/...ounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
@@ -18,10 +18,10 @@ DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 # RHEL-based systems: Use authselect-aware approach
 if [ -f /usr/bin/authselect ]; then
-    {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}}
-    {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}}
+    {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '.*', 'pam_unix.so', 'remember') }}}
+    {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '.*', 'pam_unix.so', 'remember') }}}
 else
-    {{{ bash_remove_pam_module_option('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}}
-    {{{ bash_remove_pam_module_option('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}}
+    {{{ bash_remove_pam_module_option('/etc/pam.d/system-auth', 'password', '.*', 'pam_unix.so', 'remember') }}}
+    {{{ bash_remove_pam_module_option('/etc/pam.d/password-auth', 'password', '.*', 'pam_unix.so', 'remember') }}}
 fi
 {{% endif %}}
@@ -0,0 +1,24 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
+
+# Ensure system-auth and password-auth don't have remember option
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' $CUSTOM_SYSTEM_AUTH
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' $CUSTOM_PASSWORD_AUTH
+
+# Add a clean pam_unix.so line without remember if it doesn't exist
+if ! grep -q "^password.*pam_unix\.so" $CUSTOM_SYSTEM_AUTH; then
+    echo "password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok" >> $CUSTOM_SYSTEM_AUTH
+fi
+
+if ! grep -q "^password.*pam_unix\.so" $CUSTOM_PASSWORD_AUTH; then
+    echo "password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok" >> $CUSTOM_PASSWORD_AUTH
+fi
+
+authselect apply-changes -b
@@ -0,0 +1,23 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
+
+# Commented lines should pass (comments are ignored)
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' $CUSTOM_SYSTEM_AUTH
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' $CUSTOM_PASSWORD_AUTH
+
+# Add commented line with remember (should be ignored)
+echo "# password    sufficient    pam_unix.so sha512 shadow remember=5" >> $CUSTOM_SYSTEM_AUTH
+echo "# password    sufficient    pam_unix.so sha512 shadow remember=5" >> $CUSTOM_PASSWORD_AUTH
+
+# Add clean active lines without remember
+echo "password    sufficient    pam_unix.so sha512 shadow" >> $CUSTOM_SYSTEM_AUTH
+echo "password    sufficient    pam_unix.so sha512 shadow" >> $CUSTOM_PASSWORD_AUTH
+
+authselect apply-changes -b
@@ -2,11 +2,18 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
 # packages = pam
 
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
+
 # Add remember option to password-auth (should fail)
-if grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then
+if grep -q "^password.*pam_unix\.so" $CUSTOM_PASSWORD_AUTH; then
     # If pam_unix.so line exists, add remember option
-    sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/password-auth
+    sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' $CUSTOM_PASSWORD_AUTH
 else
     # If no pam_unix.so line exists, add one with remember
-    echo "password    sufficient    pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth
+    echo "password    sufficient    pam_unix.so sha512 shadow remember=5" >> $CUSTOM_PASSWORD_AUTH
 fi
+
+authselect apply-changes -b
@@ -2,11 +2,18 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
 # packages = pam
 
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
+
 # Add remember option to system-auth (should fail)
-if grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then
+if grep -q "^password.*pam_unix\.so" $CUSTOM_SYSTEM_AUTH; then
     # If pam_unix.so line exists, add remember option
-    sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/system-auth
+    sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' $CUSTOM_SYSTEM_AUTH
 else
     # If no pam_unix.so line exists, add one with remember
-    echo "password    sufficient    pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth
+    echo "password    sufficient    pam_unix.so sha512 shadow remember=5" >> $CUSTOM_SYSTEM_AUTH
 fi
+
+authselect apply-changes -b