Ansible playbook for RHEL 8 CIS fails #14287

@vojtapolasek

Description of problem:

After merging #14269 I think Ansible playbooks for RHEL 8 CIS started failing.

SCAP Security Guide Version:

master 1e49e10

Operating System Version:

RHEL 8.10

Steps to Reproduce:

  1. Run Ansible playbook for CIS profile

Actual Results:

TASK [Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Informative message based on the authselect integrity check result] ***
fatal: [localhost]: FAILED! => {
    "assertion": "ansible_check_mode or result_authselect_check_cmd.rc == 0",
    "changed": false,
    "evaluated_to": false,
    "msg": [
        "authselect integrity check failed. Remediation aborted!",
        "This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.",
        "It is not recommended to manually edit the PAM files when authselect tool is available.",
        "In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
    ]
}

Expected Results:

The playbook finishes.

Additional Information/Debugging Steps:

I noticed that the PR mentioned above removed the enable_authselect rule. But putting it back uncovered a different problem, so it is not the whole solution.
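
A pre-flight check for the host state that the failing assertion tests, as an added example that is not part of the original issue or the project's remediation code. It assumes `authselect current` exits non-zero when no profile is selected and `authselect check` exits 0 only for an intact profile; the function names `authselect_state` and `preflight` are hypothetical.

```shell
#!/bin/sh
# Added example, not project code. Assumptions: 'authselect current' exits
# non-zero when no profile is selected, and 'authselect check' exits 0 only
# when the generated PAM/nsswitch files are unmodified.

# Print one of: missing | no-profile | modified | intact
authselect_state() {
    if ! command -v authselect >/dev/null 2>&1; then
        echo missing
    elif ! authselect current >/dev/null 2>&1; then
        echo no-profile
    elif ! authselect check >/dev/null 2>&1; then
        echo modified
    else
        echo intact
    fi
}

# Return 0 only when the playbook's authselect assertion would pass.
preflight() {
    state=$(authselect_state)
    case "$state" in
        intact)
            echo "authselect: profile selected and intact" ;;
        no-profile)
            echo "authselect: no profile selected; select one before remediation" >&2 ;;
        modified)
            echo "authselect: managed files edited by hand; move changes to a custom profile" >&2 ;;
        missing)
            echo "authselect: tool not installed; integrity check cannot run" >&2 ;;
    esac
    [ "$state" = intact ]
}

# Run the check only when asked, e.g.: sh preflight.sh --run
case "${1:-}" in
    --run) preflight ;;
esac
```

Running it with `--run` before the playbook separates the two conditions that the playbook's single failure message covers: no profile selected, or a selected profile that is no longer intact.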

    Labels

    Ansible: Ansible remediation update.
    CIS: CIS Benchmark related.
    RHEL: Red Hat Enterprise Linux product related.
    RHEL8: Red Hat Enterprise Linux 8 product related.
    productization-issue: Issue found in upstream stabilization process.
