RHEL 8 CIS: many pam related rules fail

[vojtapolasek]

Description of problem:

Following rules fail when the CIS profile is scanned and remediated with Openscap:

• account_password_pam_faillock_password_auth
• account_password_pam_faillock_system_auth
• accounts_password_pam_pwhistory_remember_password_auth
• accounts_password_pam_pwhistory_remember_system_auth
• accounts_password_pam_pwhistory_use_authtok
• accounts_passwords_pam_faillock_deny
• accounts_passwords_pam_faillock_deny_root
• accounts_passwords_pam_faillock_unlock_time_with_zero
• no_empty_passwords

SCAP Security Guide Version:

master 1e49e10

Operating System Version:

RHEL 8.10

Steps to Reproduce:

1. Run for example the test /hardening/host-os/oscap/cis from the contest repo

Actual Results:

Rules fail.

Expected Results:

Rules pass.

Additional Information/Debugging Steps:

I would expect that dropping of enable_authselect rule from the CIS control file could cause some of those problems. But I tried adding it back and it did not solve all problems.

[vojtapolasek]

Note that this happens also with image-builder and when installing the system with Anaconda.

[jan-cerny]

This has been fixed by #14295

Today, in the daily productization run as of 2026-01-13 as of HEAD e3853e3 all these tests passed on RHEL-8.10.0-updates-20260111.0.