Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/sudo.yml

@@ -0,0 +1,23 @@
+---
+- name: Build sudo hardening directives
+  ansible.builtin.set_fact:
+    cis_sudo_directives: >-
+      {{
+        ([{'regexp': '^Defaults\s+use_pty', 'line': 'Defaults use_pty'}]
+         if cis_sudo_use_pty | bool else [])
+        + [{'regexp': '^Defaults\s+logfile=', 'line': 'Defaults logfile="' ~ cis_sudo_logfile ~ '"'}]
+      }}
+
+- name: Configure sudo hardening drop-in
+  ansible.builtin.lineinfile:
+    path: "{{ cis_sudoers_dropin_path }}"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    create: true
+    owner: root
+    group: root
+    mode: "0440"
+    validate: /usr/sbin/visudo -cf %s
+  loop: "{{ cis_sudo_directives }}"
+  loop_control:
+    label: "{{ item.line }}"