diff --git a/etc/pam.d/common-session-noninteractive.security-misc b/etc/pam.d/common-session-noninteractive.security-misc
deleted file mode 100644
index 253b033..0000000
--- a/etc/pam.d/common-session-noninteractive.security-misc
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# /etc/pam.d/common-session-noninteractive - session-related modules
-# common to all non-interactive services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of all non-interactive sessions.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session	required	pam_unix.so 
-session	optional	pam_cgfs.so -c freezer,memory,name=systemd
-# end of pam-auth-update config
-session optional pam_umask.so usergroups
-
diff --git a/etc/pam.d/common-session.security-misc b/etc/pam.d/common-session.security-misc
deleted file mode 100644
index 371895a..0000000
--- a/etc/pam.d/common-session.security-misc
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session	required	pam_unix.so 
-session	optional	pam_systemd.so 
-session	optional	pam_cgfs.so -c freezer,memory,name=systemd
-# end of pam-auth-update config
-session optional pam_umask.so usergroups
-
diff --git a/usr/share/pam-configs/usergroups b/usr/share/pam-configs/usergroups
new file mode 100644
index 0000000..0b022fd
--- /dev/null
+++ b/usr/share/pam-configs/usergroups
@@ -0,0 +1,6 @@
+Name: change default umask to 006 (by package security-misc)
+Default: yes
+Priority: 256
+Session-Type: Additional
+Session:
+	optional pam_umask.so usergroups