[5.3.3.1.x] set permissions on /etc/security/faillock.conf #144

Closed
bykvaadm wants to merge 1 commit into ansible-lockdown:devel from bykvaadm:fix_5.3.3.1.x

@bykvaadm
Contributor

Although there is no clear statement on this file's permissions in CIS, looking at tons of CIS recommendations, why not harden faillock.conf the same way as other PAM files? root|root (default) and mode 600

Signed-off-by: Kondratev Alexander <info@bykvaadm.ru>
@uk-bolly
Member

Hi @bykvaadm

Thank you for this PR and spotting this issue. While I appreciate the anchor added to the tasks, it can lead to confusion for some users and concerns around differing versions when running with tags.
The base of the fix has been added to the new PR #154. What this has done however has given us another place we can look at driving more efficiencies. This would be part of a much bigger project over the 100+ repos we maintain.

I hope this makes sense, credit has been given within the new PR.

Thank you once again

uk-bolly

@bykvaadm
Contributor Author

OK, got it, this can be closed.

The reason I do anchors is because we might have one source of truth. If we set permissions in three different tasks, someday it will result in different permissions in different tasks.
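As an added example that is not part of this pull request or of the ansible-lockdown role: an audit check for the hardening proposed in the thread (root:root, mode 600 on /etc/security/faillock.conf), with the policy defined once so every check reads the same values. The names `POLICY`, `audit_file` and `demo` are assumptions made for this example, and the temp file in `demo` is constructed sample input.

```python
import os
import stat
import tempfile

# Single policy definition, taken from the PR text: root:root, mode 600.
POLICY = {"uid": 0, "gid": 0, "max_mode": 0o600}
FAILLOCK_CONF = "/etc/security/faillock.conf"  # path named in the PR title


def audit_file(path, uid=POLICY["uid"], gid=POLICY["gid"], max_mode=POLICY["max_mode"]):
    """Return a list of findings; an empty list means the file is compliant."""
    try:
        st = os.lstat(path)  # lstat: judge the path itself, not a symlink target
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    if st.st_uid != uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {uid}")
    if st.st_gid != gid:
        findings.append(f"{path}: group gid {st.st_gid}, expected {gid}")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode  # permission bits set beyond the allowed mask
    if extra:
        findings.append(
            f"{path}: mode {mode:04o} exceeds {max_mode:04o} (extra bits {extra:04o})"
        )
    return findings


def demo():
    """Audit a constructed temp file before and after chmod 600."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "faillock.conf")
        with open(p, "w") as fh:
            fh.write("deny = 5\n")  # constructed sample content
        os.chmod(p, 0o644)
        st = os.stat(p)  # use the temp file's own owner so only mode is tested
        before = audit_file(p, uid=st.st_uid, gid=st.st_gid)
        os.chmod(p, 0o600)
        after = audit_file(p, uid=st.st_uid, gid=st.st_gid)
        return before, after


if __name__ == "__main__":
    for finding in audit_file(FAILLOCK_CONF):
        print(finding)
```

A stricter mode such as 0400 passes, because the check flags only bits beyond the 0600 mask.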
