infra-run/ansible/roles/cis-rhel9-hardening/tasks/sudo.yml

---
- name: Configure sudo hardening drop-in
  ansible.builtin.lineinfile:
    path: "{{ cis_sudoers_dropin_path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    create: true
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  loop:
    - regexp: '^Defaults\s+use_pty'
      line: "Defaults use_pty"
    - regexp: '^Defaults\s+logfile='
      line: 'Defaults logfile="{{ cis_sudo_logfile }}"'
  loop_control:
    label: "{{ item.line }}"
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00			`---`
			`- name: Configure sudo hardening drop-in`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_sudoers_dropin_path }}"`
			`regexp: "{{ item.regexp }}"`
			`line: "{{ item.line }}"`
			`create: true`
			`owner: root`
			`group: root`
			`mode: "0440"`
			`validate: /usr/sbin/visudo -cf %s`
			`loop:`
			`- regexp: '^Defaults\s+use_pty'`
			`line: "Defaults use_pty"`
			`- regexp: '^Defaults\s+logfile='`
			`line: 'Defaults logfile="{{ cis_sudo_logfile }}"'`
			`loop_control:`
			`label: "{{ item.line }}"`