hardening: reject authentication with empty passwd

SSH defaults to disallowing empty passwords but Dovecot has no similar safeguard (at least not one enabled by default). Remove "nullok" from /etc/pam.d/system-auth to implement the desired behavior system-wide.

roles/hardening/tasks/main.yml

+- name: Prevent users with empty passwords from authenticating
+  replace:
+    path: /etc/pam.d/system-auth
+    regexp: " nullok"
+    replace: ""
+
 - name: Set restricted access to kernel logs
   copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644
   notify: