infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/packages.yml

---
- name: Remove legacy network packages
  ansible.builtin.apt:
    name: "{{ cis_legacy_packages }}"
    state: absent
    purge: false
  when: cis_remove_legacy_packages | bool

- name: Build enabled hardening package list
  ansible.builtin.set_fact:
    cis_enabled_hardening_packages: >-
      {{
        ['sudo']
        + (['chrony'] if cis_enable_chrony | bool else [])
        + (['rsyslog'] if cis_enable_rsyslog | bool else [])
      }}

- name: Install baseline hardening packages
  ansible.builtin.apt:
    name: "{{ cis_enabled_hardening_packages }}"
    state: present
    update_cache: true
    cache_valid_time: 3600

- name: Install auditd when enabled
  ansible.builtin.apt:
    name: auditd
    state: present
    update_cache: true
    cache_valid_time: 3600
  when: cis_install_auditd | bool

- name: Install audispd plugins when available
  ansible.builtin.apt:
    name: audispd-plugins
    state: present
    update_cache: true
    cache_valid_time: 3600
  register: cis_audispd_plugins_install
  failed_when: false
  when: cis_install_auditd | bool

- name: Report audispd plugins availability
  ansible.builtin.debug:
    msg: "WARNING: audispd-plugins was not installed; package may be unavailable for this release."
  when:
    - cis_install_auditd | bool
    - cis_audispd_plugins_install is failed
Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook 2026-05-06 08:56:45 +00:00			`---`
			`- name: Remove legacy network packages`
			`ansible.builtin.apt:`
			`name: "{{ cis_legacy_packages }}"`
			`state: absent`
			`purge: false`
			`when: cis_remove_legacy_packages \| bool`

			`- name: Build enabled hardening package list`
			`ansible.builtin.set_fact:`
			`cis_enabled_hardening_packages: >-`
			`{{`
			`['sudo']`
			`+ (['chrony'] if cis_enable_chrony \| bool else [])`
			`+ (['rsyslog'] if cis_enable_rsyslog \| bool else [])`
			`}}`

			`- name: Install baseline hardening packages`
			`ansible.builtin.apt:`
			`name: "{{ cis_enabled_hardening_packages }}"`
			`state: present`
			`update_cache: true`
			`cache_valid_time: 3600`

			`- name: Install auditd when enabled`
			`ansible.builtin.apt:`
			`name: auditd`
			`state: present`
			`update_cache: true`
			`cache_valid_time: 3600`
			`when: cis_install_auditd \| bool`

			`- name: Install audispd plugins when available`
			`ansible.builtin.apt:`
			`name: audispd-plugins`
			`state: present`
			`update_cache: true`
			`cache_valid_time: 3600`
			`register: cis_audispd_plugins_install`
			`failed_when: false`
			`when: cis_install_auditd \| bool`

			`- name: Report audispd plugins availability`
			`ansible.builtin.debug:`
			`msg: "WARNING: audispd-plugins was not installed; package may be unavailable for this release."`
			`when:`
			`- cis_install_auditd \| bool`
			`- cis_audispd_plugins_install is failed`