portfolio/infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/sudo.yml

---
# Sudo hardening for the CIS Debian/Ubuntu role.
#
# Step 1 computes the list of sudoers directives to enforce; step 2 writes
# each one into a dedicated sudoers drop-in. The list is exposed as a fact
# (cis_sudo_directives) so later tasks can reuse it.
- name: Build sudo hardening directives
  ansible.builtin.set_fact:
    # Each entry pairs the regexp that identifies an existing directive with
    # the exact line that must be present.
    #   - 'Defaults use_pty' is included only when cis_sudo_use_pty is truthy;
    #     when it is false no use_pty entry is generated, so a line written by
    #     an earlier run is left untouched by this task (nothing removes it).
    #   - 'Defaults logfile="..."' is always enforced, pointing at cis_sudo_logfile.
    cis_sudo_directives: >-
      {{
        (cis_sudo_use_pty | bool)
        | ternary([{'regexp': '^Defaults\s+use_pty', 'line': 'Defaults use_pty'}], [])
        + [{'regexp': '^Defaults\s+logfile=', 'line': 'Defaults logfile="' ~ cis_sudo_logfile ~ '"'}]
      }}

- name: Configure sudo hardening drop-in
  ansible.builtin.lineinfile:
    path: '{{ cis_sudoers_dropin_path }}'
    # Replace a matching line in place, or append the directive if absent.
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    # The drop-in is created if missing, with the ownership and 0440 mode
    # sudo expects for files under sudoers.d (mode is quoted to keep it a
    # string rather than an octal integer).
    create: true
    owner: root
    group: root
    mode: '0440'
    # Every candidate file is syntax-checked by visudo before it replaces the
    # real drop-in, so a malformed directive cannot break sudo on the host.
    validate: /usr/sbin/visudo -cf %s
  loop: '{{ cis_sudo_directives }}'
  loop_control:
    # Show the directive text instead of the whole item dict in task output.
    label: '{{ item.line }}'