fix: EL10 PAM and crypto readiness via authselect profile and DEFAULT policy

roles/cis/tasks/auth.yml

@@ -27,7 +27,9 @@
 
 # Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
 - name: Prevent Login to Accounts With Empty Password
-  when: cis_effective_rules.empty_password_login | default(false)
+  when:
+    - cis_effective_rules.empty_password_login | default(false)
+    - not is_authselect | bool
   ansible.builtin.replace:
     dest: "{{ item }}"
     regexp: "\\s*nullok"

roles/cis/tasks/crypto.yml

@@ -1,11 +1,15 @@
 ---
 # Fedora ships its own crypto-policies preset and update-crypto-policies
 # behaves differently; applying DEFAULT:NO-SHA1 can break package signing.
+# EL10 dropped the NO-SHA1 subpolicy module (DEFAULT already disables SHA-1
+# signatures), so the modifier is set only on EL9 and below.
 - name: Configure System Cryptography Policy
+  vars:
+    _cis_crypto_policy: "{{ 'DEFAULT' if (os_version_major | int >= 10) else 'DEFAULT:NO-SHA1' }}"
   when:
     - cis_effective_rules.crypto_policy | default(false)
     - os in (os_family_rhel | difference(['fedora']))
-  ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
+  ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set {{ _cis_crypto_policy }}"
   register: cis_crypto_policy_result
   changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"
 

roles/cis/tasks/security_lines.yml

@@ -126,32 +126,45 @@
     regexp: '^\s*#?\s*auth\s+required\s+pam_wheel\.so'
     line: auth required pam_wheel.so
 
+# authselect wires the pam_faillock stack via the feature; deny/unlock_time live
+# in faillock.conf, the supported place (pam_faillock(8) deprecates module args).
+- name: Configure account lockout (authselect)
+  when:
+    - cis_effective_rules.faillock | default(false)
+    - is_authselect | bool
+  block:
+    - name: Enable the authselect faillock feature
+      ansible.builtin.command: "{{ chroot_command }} authselect enable-feature with-faillock"
+      register: cis_faillock_result
+      changed_when: cis_faillock_result.rc == 0
+
+    - name: Set faillock thresholds
+      ansible.builtin.lineinfile:
+        path: /mnt/etc/security/faillock.conf
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+        create: true
+        mode: "0644"
+      loop:
+        - {regexp: '^\s*#?\s*deny\s*=', line: "deny = {{ cis_cfg.faillock_deny }}"}
+        - {regexp: '^\s*#?\s*unlock_time\s*=', line: "unlock_time = {{ cis_cfg.faillock_unlock_time }}"}
+      loop_control:
+        label: "{{ item.line }}"
+
 - name: Configure account lockout
-  when: cis_effective_rules.faillock | default(false)
+  when:
+    - cis_effective_rules.faillock | default(false)
+    - not is_authselect | bool
   ansible.builtin.lineinfile:
     path: "{{ item.path }}"
     regexp: "{{ item.regexp }}"
     line: "{{ item.line }}"
   loop:
-    - path: >-
-        /mnt/etc/{{
-          "pam.d/common-auth"
-          if is_debian | bool
-          else "authselect/system-auth"
-          if os == "fedora"
-          else "pam.d/system-auth"
-        }}
+    - path: '/mnt/etc/{{ "pam.d/common-auth" if is_debian | bool else "pam.d/system-auth" }}'
       regexp: '^\s*auth\s+required\s+pam_faillock\.so'
       line: >-
         auth required pam_faillock.so onerr=fail audit silent deny={{ cis_cfg.faillock_deny }} unlock_time={{ cis_cfg.faillock_unlock_time }}
-    - path: >-
-        /mnt/etc/{{
-          "pam.d/common-account"
-          if is_debian | bool
-          else "authselect/system-auth"
-          if os == "fedora"
-          else "pam.d/system-auth"
-        }}
+    - path: '/mnt/etc/{{ "pam.d/common-account" if is_debian | bool else "pam.d/system-auth" }}'
       regexp: '^\s*account\s+required\s+pam_faillock\.so'
       line: account required pam_faillock.so
   loop_control: