fix: EL10 PAM and crypto readiness via authselect profile and DEFAULT policy

2026-05-28 17:30:57 +02:00
parent 6fe843355e
commit 89e366d0f0
6 changed files with 84 additions and 42 deletions
--- a/roles/cis/tasks/auth.yml
+++ b/roles/cis/tasks/auth.yml
@@ -27,7 +27,9 @@

 # Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
 - name: Prevent Login to Accounts With Empty Password
-  when: cis_effective_rules.empty_password_login | default(false)
+  when:
+    - cis_effective_rules.empty_password_login | default(false)
+    - not is_authselect | bool
  ansible.builtin.replace:
    dest: "{{ item }}"
    regexp: "\\s*nullok"