Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/packages.yml

@@ -0,0 +1,48 @@
+---
+- name: Remove legacy network packages
+  ansible.builtin.apt:
+    name: "{{ cis_legacy_packages }}"
+    state: absent
+    purge: false
+  when: cis_remove_legacy_packages | bool
+
+- name: Build enabled hardening package list
+  ansible.builtin.set_fact:
+    cis_enabled_hardening_packages: >-
+      {{
+        ['sudo']
+        + (['chrony'] if cis_enable_chrony | bool else [])
+        + (['rsyslog'] if cis_enable_rsyslog | bool else [])
+      }}
+
+- name: Install baseline hardening packages
+  ansible.builtin.apt:
+    name: "{{ cis_enabled_hardening_packages }}"
+    state: present
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: Install auditd when enabled
+  ansible.builtin.apt:
+    name: auditd
+    state: present
+    update_cache: true
+    cache_valid_time: 3600
+  when: cis_install_auditd | bool
+
+- name: Install audispd plugins when available
+  ansible.builtin.apt:
+    name: audispd-plugins
+    state: present
+    update_cache: true
+    cache_valid_time: 3600
+  register: cis_audispd_plugins_install
+  failed_when: false
+  when: cis_install_auditd | bool
+
+- name: Report audispd plugins availability
+  ansible.builtin.debug:
+    msg: "WARNING: audispd-plugins was not installed; package may be unavailable for this release."
+  when:
+    - cis_install_auditd | bool
+    - cis_audispd_plugins_install is failed