fix debian faillock config

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

roles/os_hardening/tasks/pam_debian.yml

@@ -67,6 +67,13 @@
         path: '{{ tally2_path }}'
         state: 'absent'
 
+    - name:  create tally directory
+      file:
+        state: 'directory'
+        mode: '0755'
+        owner: 'root'
+        group: 'root'
+
     - name: configure faillock
       template:
         src: 'etc/security/faillock.conf.j2'
@@ -85,12 +92,29 @@
       when:
         - os_auth_retries > 0
 
+    - name: configure faillock pam authfail
+      template:
+        src: 'usr/share/pam-configs/pam_faillock_authfail.j2'
+        dest: '/usr/share/pam-configs/faillock_authfail'
+        mode: '0644'
+        owner: 'root'
+        group: 'root'
+      when:
+        - os_auth_retries > 0
+
     - name: delete faillock when retries is 0
       file:
         path: '/usr/share/pam-configs/faillock'
         state: 'absent'
       when:
         - os_auth_retries == 0
+
+    - name: delete faillock authfail when retries is 0
+      file:
+        path: '/usr/share/pam-configs/faillock_authfail'
+        state: 'absent'
+      when:
+        - os_auth_retries == 0
   when:
     - "'libpam-modules' in ansible_facts.packages"
     - "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '>=')"

roles/os_hardening/templates/usr/share/pam-configs/pam_faillock.j2

@@ -1,10 +1,12 @@
 {{ ansible_managed | comment }}
 # Generated by Ansible role {{ ansible_role_name }}
 
-Name: faillock lockout after failed attempts enforcement
-Default: yes
+Name: faillock boilerplate
+Default: no
 Priority: 1024
-Auth-Type: Additional
+Auth-Type: Primary
 Auth:
-  [default=die]      pam_faillock.so authfail
-  required           pam_faillock.so authsucc
+  required           pam_faillock.so preauth
+Account-Type: Primary
+Account:
+  required           pam_faillock.so

roles/os_hardening/templates/usr/share/pam-configs/pam_faillock_authfail.j2

@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+# Generated by Ansible role {{ ansible_role_name }}
+
+Name: faillock lockout after failed attempts enforcement
+Default: no
+Priority: 0
+Auth-Type: Primary
+Auth:
+  required           pam_faillock.so authfail
+