In the process of updating our hardening-automation to update configuration of files to leverage vice direct-editing of files and am running into issues.
Specifically, one of the security controls I need to implement states that the pam_lastlog.so module must be set as (rather than the that comes in the default profile for ). Neither pam_lastlog.so seems to have an /etc/security/*.config file (like pam_faillock and pam_pwhistory do), nor does seem to let me change the to .
I thought I'd try cloning the default profile (and create an sssd-hardened profile) and select that custom profile as my active profile. However, when I issue my realm join …, it pretty much says, "screw that custom profile you're using, we're going to select the default profile as the active profile" ...which (effectively) clobbers the fixes that I'd enabled in my custom authselect profile and the changes that I'd used authselect to make prior to the running of . But, "nope".
Figured I'd ask if anyone's run into this scenario and found a path past it before trying to open up a Bugzilla about it.
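A post-join drift check for the situation described in the post above, as an added example that is not part of the original post or of any Red Hat tooling: it compares the active authselect profile and the control flag on pam_lastlog.so against what the hardening automation expects. The profile ID custom/sssd-hardened, the expected control value "required", and all sample text are assumptions constructed for illustration.

```python
import re

# Constructed samples (not from the post): `authselect current --raw` output
# and a PAM stack fragment, before and after a domain join.
RAW_BEFORE = "custom/sssd-hardened with-faillock"
PAM_BEFORE = "session     required      pam_lastlog.so showfailed\n"
RAW_AFTER = "sssd with-mkhomedir"
PAM_AFTER = (
    "# Generated by authselect\n"
    "session     optional      pam_lastlog.so silent noupdate showfailed\n"
)

# PAM line layout: [-]type  control  module  [args]; control may be [k=v ...].
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def active_profile(raw):
    """Split raw authselect output into (profile_id, [features])."""
    parts = raw.split()
    return (parts[0], parts[1:]) if parts else (None, [])

def lastlog_controls(pam_text):
    """Return (type, control) for every pam_lastlog.so line, ignoring comments."""
    found = []
    for line in pam_text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m and m.group(3).endswith("pam_lastlog.so"):
            found.append((m.group(1), m.group(2)))
    return found

def drift(raw, pam_text, want_profile, want_control):
    """List every way the live state differs from the hardened baseline."""
    problems = []
    profile, _features = active_profile(raw)
    if profile != want_profile:
        problems.append(f"active profile is {profile!r}, expected {want_profile!r}")
    controls = lastlog_controls(pam_text)
    if not controls:
        problems.append("pam_lastlog.so is not in the stack")
    for pam_type, control in controls:
        if control != want_control:
            problems.append(
                f"{pam_type} pam_lastlog.so is {control!r}, expected {want_control!r}")
    return problems

if __name__ == "__main__":
    for label, raw, pam in (("before join", RAW_BEFORE, PAM_BEFORE),
                            ("after join", RAW_AFTER, PAM_AFTER)):
        print(label, drift(raw, pam, "custom/sssd-hardened", "required") or "ok")
```

On a live host the two inputs would come from the output of `authselect current --raw` and the PAM file the control applies to, run as a step after the join so the automation fails loudly instead of silently shipping the default profile.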
Responses