use default /etc/security/faillock.conf for sle16.

teacup-on-rockingchair · teacup-on-rockingchair · commit 3a0fcff5fee1 · 2026-04-06T17:12:20.000+03:00
On 1st remediation this file is created via copying distro default from /usr/etc/security/faillock.conf
diff --git a/product_properties/10-pam-faillock-conf.yml b/product_properties/10-pam-faillock-conf.yml
@@ -1,7 +1,2 @@
 default:
   pam_faillock_conf_path: "/etc/security/faillock.conf"
-
-overrides:
-{{% if product == 'sle16' %}}
-  pam_faillock_conf_path: "/usr/etc/security/faillock.conf"
-{{% endif %}}
diff --git a/shared/templates/pam_account_password_faillock/ansible.template b/shared/templates/pam_account_password_faillock/ansible.template
@@ -3,5 +3,15 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
+
+{{% if product == 'sle16' %}}
+- name: Copy faillock defaults /usr/etc/security/faillock.conf to {{{ pam_faillock_conf_path }}}
+  ansible.builtin.copy:
+    src: /usr/etc/security/faillock.conf
+    dest: {{{ pam_faillock_conf_path }}}
+    force: no
+    mode: '0644'
+{{% endif %}}
+
 {{{ ansible_pam_faillock_enable(rule_title=rule_title) }}}
 {{{ ansible_pam_faillock_parameter_value(PRM_NAME, EXT_VARIABLE, rule_title=rule_title) }}}
diff --git a/shared/templates/pam_account_password_faillock/bash.template b/shared/templates/pam_account_password_faillock/bash.template
@@ -1,5 +1,12 @@
 # platform = multi_platform_all
 
+{{% if product == 'sle16' %}}
+PAM_FAILLOCK_DEFAULTS_FILE_NAME="/usr/etc/security/faillock.conf"
+if ! [ -e "{{{ pam_faillock_conf_path }}}" ] ; then
+    cp "${PAM_FAILLOCK_DEFAULTS_FILE_NAME}" "{{{ pam_faillock_conf_path }}}"
+fi
+{{% endif %}}
+
 {{{ bash_instantiate_variables(EXT_VARIABLE) }}}
 
 {{{ bash_pam_faillock_enable() }}}
