Authselect Configuration

Hi all,

I was recently in the situation of needing to configure password complexity rules for a RHEL 8 instance and ran up against authselect replacing authconfig. In the past, if I wanted to set password complexity requirements I could simply run:

authconfig --passminlen=16 --update

Not a problem to automate and chains nicely with lots of other complexity requirements like mandating a minimum number of upper, lower, digit and special characters. With RHEL 8/9 though I need to use authselect which is... not so simple:

PROFILE="hardened"
authselect create-profile ${PROFILE} -b sssd
authselect select custom/${PROFILE}
# GNU sed parses "-iE" as -i with backup suffix "E" (no extended regex); the flags must be separate
sed -E -i "s/pam_pwquality.so local_users_only$/& minlen=16/g" /etc/authselect/custom/${PROFILE}/password-auth /etc/authselect/custom/${PROFILE}/system-auth
authselect apply-changes

And of course that's just for the password length. If I want to set account locks after x number of failed passwords then I need another command for interacting with pam_tally2.so and another one for configuring password history settings with pam_pwhistory.so and of course everything needs to be duplicated in both system-auth and password-auth of whatever authselect profile you're using. Not to mention the whole thing is reliant on a sed command which will only work if the file hasn't been changed and any automation via Ansible will be further complicated because now I have to build in change logic to detect if the complexity requirements already exist before attempting to add it...

My point is, is there a better way of doing this in RHEL 8/9? Authconfig was such a simple and elegant solution for configuring password requirements and authselect... isn't. Is there an alternative tool or best practice for setting password complexity requirements that doesn't rely on directly modifying pam files via sed in 8/9?
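The password-complexity and lockout knobs the post is fighting to inject into the PAM stack are also read from plain key = value files: pam_pwquality reads /etc/security/pwquality.conf (minlen, dcredit, ucredit, lcredit, ocredit are its real option names), and pam_faillock, the replacement for pam_tally2, reads /etc/security/faillock.conf on current RHEL 8 and 9. Editing those files needs no sed against the authselect profile and no "has it already been applied" logic, because a key setter can be written to be idempotent. The script below is an added example, not code from the original post or from Red Hat; set_kv, get_kv and main are names chosen here, minlen=16 is the value the post uses, and the credit, deny and unlock_time values are constructed policy numbers for illustration. It also assumes the stock sssd profile's with-faillock feature is the way lockout is turned on, so the PAM files themselves are never edited.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent key = value editing for
# /etc/security/pwquality.conf and /etc/security/faillock.conf, plus the authselect
# step that enables lockout without patching password-auth/system-auth by hand.
set -eu

# set_kv FILE KEY VALUE
# Rewrite every "KEY = ..." line, including commented-out "# KEY = ..." defaults,
# to the desired value; append the line if no such line exists. Running it twice
# produces the same file, so automation needs no separate change detection.
# VALUE is expected to be numeric (pwquality/faillock values are), so it is safe
# inside the sed replacement.
set_kv() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$file" > "$tmp"
        cat "$tmp" > "$file"   # cat, not mv: keeps the file's owner and mode under /etc/security
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the effective value (last live, non-commented assignment), if any.
get_kv() {
    awk -F= -v k="$2" '
        $1 ~ "^[ \t]*" k "[ \t]*$" { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# main applies the policy to the real system files and must run as root.
# Values other than minlen=16 are constructed for this example.
main() {
    pwq=/etc/security/pwquality.conf
    set_kv "$pwq" minlen 16
    set_kv "$pwq" dcredit -1     # negative credit = at least one digit required
    set_kv "$pwq" ucredit -1     # at least one upper-case letter
    set_kv "$pwq" lcredit -1     # at least one lower-case letter
    set_kv "$pwq" ocredit -1     # at least one "other" (special) character

    fl=/etc/security/faillock.conf
    set_kv "$fl" deny 5          # lock after 5 consecutive failures
    set_kv "$fl" unlock_time 900 # unlock automatically after 15 minutes

    # Turn on pam_faillock through the stock profile feature instead of editing PAM files,
    # then let authselect validate the resulting configuration.
    authselect select sssd with-faillock --force
    authselect check
}

# Only touch the system when explicitly asked, so the functions can be sourced or tested safely.
case "${1:-}" in
    --apply) main ;;
esac
```

Because set_kv rewrites commented defaults in place rather than appending below them, the resulting file still reads like the distribution's own, and re-running it from Ansible (or by hand) is a no-op once the desired values are present; get_kv gives the same automation a cheap way to assert the effective policy afterwards.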

Responses