add rhel faillock config

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

roles/os_hardening/tasks/pam.yml

@@ -111,7 +111,7 @@
     - ansible_facts.os_family == 'RedHat'
     - not os_auth_pam_passwdqc_enable
 
-- name: configure passwdqc and tally via central system-auth confic
+- name: configure passwdqc and faillock via central system-auth confic
   template:
     src: 'etc/pam.d/rhel_system_auth.j2'
     dest: '/etc/pam.d/system-auth-ac'

roles/os_hardening/templates/etc/pam.d/rhel_system_auth.j2

@@ -2,14 +2,19 @@
 # Generated by Ansible role {{ ansible_role_name }}
 
 #%PAM-1.0
-{% if os_auth_retries > 0 %}
-{% endif %}
 auth        required      pam_env.so
+{% if os_auth_retries > 0 %}
+auth        required      pam_faillock.so preauth silent audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
+{% endif %}
 auth        sufficient    pam_unix.so nullok try_first_pass
+{% if os_auth_retries > 0 %}
+auth        [default=die] pam_faillock.so authfail audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
+{% endif %}
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        required      pam_deny.so
 
 {% if os_auth_retries > 0 %}
+account     required      pam_faillock.so
 {% endif %}
 account     required      pam_unix.so
 account     sufficient    pam_localuser.so