Add RHEL 9 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-rhel9-hardening/tasks/sudo.yml

@@ -0,0 +1,18 @@
+---
+- name: Configure sudo hardening drop-in
+  ansible.builtin.lineinfile:
+    path: "{{ cis_sudoers_dropin_path }}"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    create: true
+    owner: root
+    group: root
+    mode: "0440"
+    validate: /usr/sbin/visudo -cf %s
+  loop:
+    - regexp: '^Defaults\s+use_pty'
+      line: "Defaults use_pty"
+    - regexp: '^Defaults\s+logfile='
+      line: 'Defaults logfile="{{ cis_sudo_logfile }}"'
+  loop_control:
+    label: "{{ item.line }}"