DLPX-86530 CIS: delphix user lockout after failed login attempts

files/common/usr/share/pam-configs/delphix-faillock-authcheck

@@ -0,0 +1,8 @@
+Name: Delphix faillock failure counter
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+        [default=die]   pam_faillock.so authfail audit deny=5 unlock_time=900 onerr=fail
+Auth-Initial:
+        [default=die]   pam_faillock.so authfail audit deny=5 unlock_time=900 onerr=fail

files/common/usr/share/pam-configs/delphix-faillock-preauth

@@ -0,0 +1,13 @@
+Name: Delphix faillock account lockout (preauth)
+Default: yes
+Priority: 1024
+Auth-Type: Primary
+Auth:
+        required        pam_faillock.so preauth silent audit deny=5 unlock_time=900 onerr=fail
+Auth-Initial:
+        required        pam_faillock.so preauth silent audit deny=5 unlock_time=900 onerr=fail
+Account-Type: Primary
+Account:
+        required        pam_faillock.so
+Account-Initial:
+        required        pam_faillock.so

files/common/usr/share/pam-configs/delphix-pwhistory

@@ -0,0 +1,8 @@
+Name: Delphix password history
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password:
+        requisite       pam_pwhistory.so remember=5 use_authtok
+Password-Initial:
+        requisite       pam_pwhistory.so remember=5 use_authtok

files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml

@@ -503,6 +503,15 @@
   when:
     - variant is regex("external-.*")
 
+#
+# CIS hardening (DLPX-86530): account lockout on failed logins via pam_faillock
+# and password-reuse history via pam_pwhistory. The profile files dropped under
+# /usr/share/pam-configs/ are auto-enabled (Default: yes); this call composes
+# them into /etc/pam.d/common-{auth,account,password}. Runs after the CRA
+# enable above so both stacks compose consistently.
+#
+- command: /usr/sbin/pam-auth-update --package
+
 #
 # Increase login timeout to give support more time to interact with CRA via the console.
 #