fix: EL10 PAM and crypto readiness via authselect profile and DEFAULT policy

2026-05-28 17:30:57 +02:00
parent 6fe843355e
commit 89e366d0f0
6 changed files with 84 additions and 42 deletions
--- a/roles/cis/tasks/security_lines.yml
+++ b/roles/cis/tasks/security_lines.yml
@@ -126,32 +126,45 @@
    regexp: '^\s*#?\s*auth\s+required\s+pam_wheel\.so'
    line: auth required pam_wheel.so

+# authselect wires the pam_faillock stack via the feature; deny/unlock_time live
+# in faillock.conf, the supported place (pam_faillock(8) deprecates module args).
+- name: Configure account lockout (authselect)
+  when:
+    - cis_effective_rules.faillock | default(false)
+    - is_authselect | bool
+  block:
+    - name: Enable the authselect faillock feature
+      ansible.builtin.command: "{{ chroot_command }} authselect enable-feature with-faillock"
+      register: cis_faillock_result
+      changed_when: cis_faillock_result.rc == 0
+
+    - name: Set faillock thresholds
+      ansible.builtin.lineinfile:
+        path: /mnt/etc/security/faillock.conf
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+        create: true
+        mode: "0644"
+      loop:
+        - {regexp: '^\s*#?\s*deny\s*=', line: "deny = {{ cis_cfg.faillock_deny }}"}
+        - {regexp: '^\s*#?\s*unlock_time\s*=', line: "unlock_time = {{ cis_cfg.faillock_unlock_time }}"}
+      loop_control:
+        label: "{{ item.line }}"
+
 - name: Configure account lockout
-  when: cis_effective_rules.faillock | default(false)
+  when:
+    - cis_effective_rules.faillock | default(false)
+    - not is_authselect | bool
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  loop:
-    - path: >-
-        /mnt/etc/{{
-          "pam.d/common-auth"
-          if is_debian | bool
-          else "authselect/system-auth"
-          if os == "fedora"
-          else "pam.d/system-auth"
-        }}
+    - path: '/mnt/etc/{{ "pam.d/common-auth" if is_debian | bool else "pam.d/system-auth" }}'
      regexp: '^\s*auth\s+required\s+pam_faillock\.so'
      line: >-
        auth required pam_faillock.so onerr=fail audit silent deny={{ cis_cfg.faillock_deny }} unlock_time={{ cis_cfg.faillock_unlock_time }}
-    - path: >-
-        /mnt/etc/{{
-          "pam.d/common-account"
-          if is_debian | bool
-          else "authselect/system-auth"
-          if os == "fedora"
-          else "pam.d/system-auth"
-        }}
+    - path: '/mnt/etc/{{ "pam.d/common-account" if is_debian | bool else "pam.d/system-auth" }}'
      regexp: '^\s*account\s+required\s+pam_faillock\.so'
      line: account required pam_faillock.so
  loop_control: