Merge pull request #14624 from teacup-on-rockingchair/sle16_use_etc_security_faillock

jan-cerny · web-flow · commit 633e4bdde0d7 · 2026-04-15T11:53:06.000+02:00
Sle16 use /etc/security/faillock.conf for pam faillock configuration
diff --git a/product_properties/10-pam-faillock-conf.yml b/product_properties/10-pam-faillock-conf.yml
@@ -1,7 +1,2 @@
 default:
   pam_faillock_conf_path: "/etc/security/faillock.conf"
-
-overrides:
-{{% if product == 'sle16' %}}
-  pam_faillock_conf_path: "/usr/etc/security/faillock.conf"
-{{% endif %}}
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
@@ -1462,7 +1462,6 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
     {{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/password-auth','auth','','pam_faillock.so',parameter, rule_title=rule_title) | indent(4) }}}
   when:
     - result_faillock_conf_check.stat.exists
-{{%- endif %}}
 
 - name: {{{ rule_title }}} - Ensure the pam_faillock.so {{{ parameter }}} parameter in PAM files
   block:
@@ -1542,6 +1541,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
     {{%- endif %}}
   when:
     - not result_faillock_conf_check.stat.exists
+{{%- endif %}}
 {{%- endmacro -%}}
 
 {{#
diff --git a/shared/templates/pam_account_password_faillock/ansible.template b/shared/templates/pam_account_password_faillock/ansible.template
@@ -3,5 +3,16 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
+
+{{% if product == 'sle16' %}}
+- name: Copy faillock defaults /usr/etc/security/faillock.conf to {{{ pam_faillock_conf_path }}}
+  ansible.builtin.copy:
+    src: /usr/etc/security/faillock.conf
+    dest: {{{ pam_faillock_conf_path }}}
+    force: no
+    mode: '0644'
+    remote_src: yes
+{{% endif %}}
+
 {{{ ansible_pam_faillock_enable(rule_title=rule_title) }}}
 {{{ ansible_pam_faillock_parameter_value(PRM_NAME, EXT_VARIABLE, rule_title=rule_title) }}}
diff --git a/shared/templates/pam_account_password_faillock/bash.template b/shared/templates/pam_account_password_faillock/bash.template
@@ -1,5 +1,12 @@
 # platform = multi_platform_all
 
+{{% if product == 'sle16' %}}
+PAM_FAILLOCK_DEFAULTS_FILE_NAME="/usr/etc/security/faillock.conf"
+if ! [ -e "{{{ pam_faillock_conf_path }}}" ] ; then
+    cp "${PAM_FAILLOCK_DEFAULTS_FILE_NAME}" "{{{ pam_faillock_conf_path }}}"
+fi
+{{% endif %}}
+
 {{{ bash_instantiate_variables(EXT_VARIABLE) }}}
 
 {{{ bash_pam_faillock_enable() }}}
