CIS: implement controls so that "remember" is not used together with pam_unix

[vojtapolasek]

Description:

Extends the accounts_password_pam_unix_no_remember rule to support RHEL-based systems (RHEL 8, 9, 10, Fedora, Oracle Linux, AlmaLinux) in addition to the existing Ubuntu/Debian support. This also implements appropriate CIS control for RHEL 8, 9, and 10.

Key changes:

• Updated rule.yml with platform-specific descriptions, CCE identifiers, authselect warnings, and OCIL manual verification instructions
• Modified OVAL check to handle platform-specific PAM file paths (RHEL: /etc/pam.d/{system,password}-auth, Debian: /etc/pam.d/common-*)
• Enhanced Bash remediation with authselect-aware implementation for RHEL systems and fallback for legacy systems
• Created new Ansible remediation for multi-platform support
• Added 4 comprehensive test scenarios for RHEL systems covering both PAM files and edge cases
• Updated CIS control files for RHEL 8, 9, and 10 from "pending" to "automated" status

Rationale:

The remember option in pam_unix.so uses the deprecated MD5 password hashing algorithm, which is less secure than modern alternatives. The CIS Benchmark recommends removing this option and using the pam_pwhistory module instead, which supports stronger hashing algorithms like yescrypt or SHA512.

This rule was previously only implemented for Ubuntu/Debian systems.

Review Hints:

• build for rhel / nonrhel products and examine if JInja macros are applied correctly
• run Automatus tests

[openshift-ci]

@vojtapolasek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-openshift-node-compliance	08c89dc	link	true	/test e2e-aws-openshift-node-compliance
ci/prow/e2e-aws-openshift-platform-compliance	08c89dc	link	true	/test e2e-aws-openshift-platform-compliance

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.