feat(cis): add selectable profile and per-rule hardening toggles

roles/cis/tasks/password_expiry.yml

@@ -0,0 +1,22 @@
+---
+# login.defs sets policy for future accounts; existing service accounts are intentionally not chage-aged.
+- name: Configure password aging defaults
+  when: cis_effective_rules.password_expiry | default(false)
+  ansible.builtin.lineinfile:
+    path: /mnt/etc/login.defs
+    regexp: '^#?\s*{{ item.key }}\b'
+    line: "{{ item.key }}\t{{ item.value }}"
+  loop:
+    - {key: PASS_MAX_DAYS, value: "{{ cis_cfg.pass_max_days }}"}
+    - {key: PASS_MIN_DAYS, value: "{{ cis_cfg.pass_min_days }}"}
+    - {key: PASS_WARN_AGE, value: "{{ cis_cfg.pass_warn_age }}"}
+  loop_control:
+    label: "{{ item.key }}"
+
+# account_disable_post_pw_expiration: lock accounts INACTIVE days after expiry.
+- name: Set the default account inactivity lock period
+  when: cis_effective_rules.password_expiry | default(false)
+  ansible.builtin.lineinfile:
+    path: /mnt/etc/default/useradd
+    regexp: '^\s*#?\s*INACTIVE\s*='
+    line: "INACTIVE={{ cis_cfg.pass_inactive }}"