Bug
Resolution: Unresolved
Minor
rhel-8.8.0
Moderate
sst_idm_sssd
ssg_idm
x86_64
Description of problem:
Current hardening guidelines specify the presence of several PAM-related hardenings. Use of `realm join` to bind to an external, kerberized directory service (in our case, Active Directory) requires the use of `authselect`. We're able to convert hardening guidance to using `authselect` within the default sssd profile except for the setting of pam_lastlog.so's "session" definition within /etc/pam.d/postlogin to `required`. While we CAN configure the necessary change from `optional` to `required` by using a custom `authselect` profile, as soon as a `realm join` is performed, the custom profile is de-selected in favor of the default `sssd` profile.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Spin up new system
2. Create a new authselect profile
3. Apply the custom authselect profile
4. Apply required hardenings to custom profile's files
5. Perform a `realm join`
Actual results:
Find that some hardenings – particularly the customized pam_lastlog.so's session entry in the postlogin file – have been reverted because the in-use authselect profile has been changed to the vendor-shipped `sssd` profile.
Expected results:
All hardenings remain as specified and the custom `authselect` profile is still in use.
Additional info:
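
A drift check for the condition this report describes, as an added example that is not part of the original report or of any Red Hat tooling: it compares the active authselect profile and the pam_lastlog.so session control against the hardened expectation. The profile name `custom/hardened`, the function names, and the sample postlogin content are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: post-join drift check. "custom/hardened" is a hypothetical profile name.

# Print the control field of each active "session ... pam_lastlog.so" line.
# Handles bracketed controls such as [default=1]; commented lines are skipped.
lastlog_controls() {
    awk '$1 == "session" {
        for (i = 3; i <= NF; i++) if ($i == "pam_lastlog.so") {
            ctl = $2
            for (j = 3; j < i; j++) ctl = ctl " " $j
            print ctl
        }
    }' "$1"
}

# Succeed only if pam_lastlog.so is present and every entry is "required".
lastlog_is_required() {
    controls=$(lastlog_controls "$1")
    [ -n "$controls" ] || return 1
    if printf '%s\n' "$controls" | grep -qvx 'required'; then return 1; fi
    return 0
}

# The profile ID is the first word of `authselect current --raw` output.
profile_id() { printf '%s\n' "$1" | awk 'NR == 1 { print $1 }'; }

# check_drift EXPECTED_PROFILE RAW_OUTPUT POSTLOGIN_FILE
check_drift() {
    rc=0
    actual=$(profile_id "$2")
    if [ "$actual" != "$1" ]; then
        echo "DRIFT: active profile is '$actual', expected '$1'"; rc=1
    fi
    if ! lastlog_is_required "$3"; then
        echo "DRIFT: pam_lastlog.so session entry in $3 is not 'required'"; rc=1
    fi
    return "$rc"
}

# Constructed sample standing in for /etc/pam.d/postlogin ($2 = control value).
write_sample() {
    printf 'session     optional      pam_umask.so silent\n' > "$1"
    printf 'session     %s      pam_lastlog.so showfailed\n' "$2" >> "$1"
}

# Live use after `realm join`:
#   check_drift custom/hardened "$(authselect current --raw)" /etc/pam.d/postlogin
```

Running the live command as a post-join step in provisioning gives a non-zero exit status when the profile has been switched back to `sssd` or the postlogin entry is no longer `required`.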