feat(cis): add selectable profile and per-rule hardening toggles

roles/cis/tasks/auth.yml

@@ -1,12 +1,33 @@
 ---
 - name: Ensure the Default UMASK is Set Correctly
+  when: cis_effective_rules.umask_default | default(false)
   ansible.builtin.lineinfile:
     path: "/mnt/etc/profile"
     regexp: "^(\\s*)umask\\s+\\d+"
     line: "umask {{ cis_cfg.umask_profile }}"
 
+- name: Set the login.defs UMASK (CIS L1+)
+  when:
+    - cis_effective_rules.umask_default | default(false)
+    - cis_strict | default(false)
+  ansible.builtin.lineinfile:
+    path: /mnt/etc/login.defs
+    regexp: '^\s*#?\s*UMASK\b'
+    line: "UMASK\t\t{{ cis_cfg.umask_profile }}"
+
+# authselect regenerates system-auth from the profile, so a direct edit is lost
+# on the next apply; without-nullok is the supported way to drop nullok there.
+- name: Prevent Login to Accounts With Empty Password (authselect)
+  when:
+    - cis_effective_rules.empty_password_login | default(false)
+    - is_authselect | bool
+  ansible.builtin.command: "{{ chroot_command }} authselect enable-feature without-nullok"
+  register: cis_nullok_result
+  changed_when: cis_nullok_result.rc == 0
+
 # Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
 - name: Prevent Login to Accounts With Empty Password
+  when: cis_effective_rules.empty_password_login | default(false)
   ansible.builtin.replace:
     dest: "{{ item }}"
     regexp: "\\s*nullok"