RHEL-84136

Compliance plays that involve authselect fail out of the box


    • Bug
    • Resolution: Unresolved
    • insights-client
    • subs-client-tools-1
    • ssg_security

      Description of Problem

      Compliance plays such as "Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. (RHEL 9)" always fail.

      How reproducible

      Always.

      Steps to Reproduce

      1. Provision a RHEL 8 or 9 VM, and fully update it.
      2. Install packages for scanning and remediating hosts: openscap, openscap-scanner, scap-security-guide, rhc, rhc-worker-playbook
      3. In Insights Compliance, within the "SCAP Policies" section of the UI, create a "CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server" compliance policy for this host. Scan the host with insights-client --compliance.
      4. In Insights Compliance, within the "Reports" section of the UI, create a remediation plan to fix this host.
      5. Execute the remediation plan.

      Actual Behavior

      Remediation plan execution will fail when executing a play involving authselect with the following error message:

      authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.

      More broadly, given a vanilla RHEL 8 or 9 host that has been subscription-manager registered, updated, and rebooted, this command returns with exit code 2:

      $ authselect check
      System was not configured with authselect.
      

      The most obvious and reliable way of making this remediation plan succeed is to dnf -y remove authselect.

      Expected Behavior

      Remediation plan execution succeeds.

      Business Impact / Additional info

      From a business perspective, the impact is that customers lose faith in our tools. If they can't do something obvious like "scan a host, select the recommended remediations, and apply them," then why would they trust us with something more involved and interesting?

        1. jaudet-rhel9-netinstall.yml
          481 kB
        2. jaudet-rhel9.yml
          486 kB
        3. jaudet-rhel9.tar.gz
          15 kB
        4. jaudet-rhel8.yml
          470 kB
        5. jaudet-rhel8.tar.gz
          15 kB

              csi-client-tools-bugs CSI Client Tools Bugs Bot
              jaudet@redhat.com Jeremy Audet
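
A preflight check for the condition described in this report, runnable on a host before a remediation plan is executed. This is an added example, not code from the report or from any Red Hat tool. The optional command argument and the two fake_authselect_* stand-ins are hypothetical, constructed so the check can be exercised without authselect installed.

```shell
#!/bin/sh
# Classify a host before running plays that depend on authselect.

# Constructed stand-in reproducing the output and exit code quoted in the report.
fake_authselect_unconfigured() {
    echo "System was not configured with authselect."
    return 2
}

# Constructed stand-in for a host where `authselect check` succeeds.
fake_authselect_ok() {
    return 0
}

# Usage: authselect_preflight [command]   (command defaults to "authselect")
# Prints one of:
#   absent                  authselect is not installed (the report notes the
#                           remediation plan succeeds in that case)
#   intact                  `authselect check` exited 0
#   blocked:<rc>:<message>  non-zero exit; this is the state in which the plays
#                           abort with "authselect integrity check failed"
authselect_preflight() {
    bin="${1:-authselect}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "absent"
        return 0
    fi
    rc=0
    msg=$("$bin" check 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "intact"
    else
        # Keep only the first line of the tool's output in the verdict.
        echo "blocked:$rc:$(printf '%s\n' "$msg" | head -n 1)"
    fi
}

# Demo against the constructed stand-in for the host state in the report.
authselect_preflight fake_authselect_unconfigured
```

On a real host, call authselect_preflight with no argument; a "blocked" verdict means the authselect-dependent plays in the plan will abort as shown under Actual Behavior.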