From d874e80256134d77832110faf4dddfa93c42f2c3 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 7 Feb 2023 13:24:53 +0100 Subject: [PATCH] Update warning about pwhistory feature in authselect It was noticed a possible scenario where the feature is introduced in a system with a custom profile based in older authselect versions. In these cases, the remediation can't be safely ensured and the custom profile should be updated by the administrator. Included this information in the rule warning. --- .../rule.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml index c549de2e9694..82299d520fff 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml @@ -129,3 +129,7 @@ warnings: Newer versions of authselect contain an authselect feature to easily and properly enable pam_pwhistory.so module. If this feature is not yet available in your system, an authselect custom profile must be used to avoid integrity issues in PAM files. + If a custom profile was created and used in the system before this authselect feature be + available, the new feature can't be used with the outdated custom profile and the + remediation will fail. In this case, the custom profile should be recreated or manually + updated.
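Review bot: In the four added warning lines at the end of the hunk, "before this authselect feature be available" is ungrammatical and should read "before this authselect feature was available". The added text also says "the remediation will fail", while the commit message only says the remediation "can't be safely ensured"; the two should agree on what actually happens to a system with an outdated custom profile. Finally, the warning tells the administrator that the custom profile "should be recreated or manually updated" but gives no way to recognize an outdated profile or what the update consists of, so consider adding a sentence naming what to check in the profile or pointing to the relevant authselect documentation.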