Description of problem:

Current hardening guidelines specify the presence of several PAM-related hardenings. Use of `realm join` to bind to an external, kerberized directory-service (in our case, Active Directory) requires the use of `authselect`. We're able to convert hardening guidance to using `authselect` within the default sssd profile except for the setting of the pam_lastlog.so's "session" definition with /etc/pam.d/postlogin to `required`. While we CAN configure the necessary change from `optional` to `required` by using a custom `authselect` profile, as soon as a `realm join` is performed, the custom-profile is de-selected in favor of the default `sssd` profile.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Spin up new system
2. Create a new authselect profile
3. Apply the custom authselect profile
4. Apply required hardenings to custom profile's files
5. Perform a `realm join`

Actual results:

Find that some hardenings – particularly the customized pam_lastlog.so's session entry in the postlogin file – have been reverted because the in-use authselect profile has been changed to the vendor-shipped `sssd` profile

Expected results:

All hardenings remain as specified and that custom `authselect` profile is still in use.

Additional info:
Hi,

I would like to support Thomas for this bug report. In the past, I experienced similar kinds of issues.

Regards,
Dusan Baljevic | Solution Delivery Specialist, Banking Systems
RESERVE BANK OF AUSTRALIA | 65 Martin Place, Sydney NSW 2000
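
A check that could run right after `realm join` to catch the revert described in the report above: it confirms a custom authselect profile is still selected and that the pam_lastlog.so session entry in the postlogin file is still `required`. This is an added example, not part of the report or of authselect/realmd; the sample file contents and the profile name `custom/hardened` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the post-join revert.

# Print the control field of each "session" line that loads pam_lastlog.so,
# e.g. "required", "optional" or a bracketed form such as "[default=1]".
lastlog_control() {
    awk '$1 == "session" {
        for (i = 3; i <= NF; i++)
            if ($i ~ /pam_lastlog\.so$/) {
                ctl = $2
                for (j = 3; j < i; j++) ctl = ctl " " $j
                print ctl
                break
            }
    }' "$1"
}

# Succeed only if some pam_lastlog.so session entry uses control "required".
lastlog_required() {
    lastlog_control "$1" | grep -qx 'required'
}

# $1 is the output of `authselect current --raw`; custom profiles are
# reported with a "custom/" prefix, vendor profiles (sssd, ...) without one.
profile_is_custom() {
    case "$1" in custom/*) return 0 ;; *) return 1 ;; esac
}

# check_drift POSTLOGIN_FILE RAW_PROFILE: report each hardening that was lost.
check_drift() {
    rc=0
    profile_is_custom "$2" || { echo "DRIFT: active profile is '$2'"; rc=1; }
    lastlog_required "$1" || { echo "DRIFT: pam_lastlog.so not 'required' in $1"; rc=1; }
    return "$rc"
}

# Constructed sample data so the check runs offline. "custom/hardened" is a
# hypothetical profile name. On a real host, after `realm join`, call:
#   check_drift /etc/pam.d/postlogin "$(authselect current --raw)"
SAMPLES=$(mktemp -d)
printf 'session required pam_lastlog.so showfailed\n' > "$SAMPLES/hardened"
printf '%s\n' 'session [default=1] pam_lastlog.so nowtmp showfailed' \
    'session optional pam_lastlog.so silent noupdate showfailed' > "$SAMPLES/reverted"

check_drift "$SAMPLES/hardened" "custom/hardened with-faillock" && echo "hardened sample: OK"
check_drift "$SAMPLES/reverted" "sssd with-mkhomedir" || echo "reverted sample: drift detected"
```

A non-zero exit from `check_drift` can gate the rest of a provisioning run, so a host that lost its custom profile during the join is flagged before it goes into service.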