Update sudo logging configuration in Ansible tasks

deploy/ansible/roles-os/1.0-sudoers/tasks/main.yaml

@@ -7,19 +7,38 @@
 #
 # -----------------------------------------------------------------------------
 
-- name:                                1.0 - Enable logging for sudo operations
-  become:                              true
+- name: Check if /etc/sudoers.d exists for SLES 16
+  become: true
+  ansible.builtin.stat:
+    path: /etc/sudoers.d
+  register: sudoersd_dir
+
+- name: Pick existing sudoers config location
+  ansible.builtin.set_fact:
+    sudoers_logging_file: >-
+      {{
+        '/etc/sudoers' if sudoers_file.stat.exists else
+        ('/etc/sudoers.d/99-sudo-logging' if sudoersd_dir.stat.exists and sudoersd_dir.stat.isdir else
+         '/etc/sudoers')
+      }}
+
+- name: 1.0 - Enable logging for sudo operations
+  become: true
   ansible.builtin.blockinfile:
-    path:                              /etc/sudoers
-    state:                             present
-    insertafter:                       'EOF'
-    validate:                          visudo -cf %s
+    path: >-
+      {{ '/etc/sudoers.d/99-sudo-logging'
+         if sudoersd_dir.stat.exists and sudoersd_dir.stat.isdir
+         else '/etc/sudoers' }}
+    state: present
+    insertafter: EOF
+    create: true
+    mode: '0440'
+    validate: visudo -cf %s
     block: |
-                                       Defaults logfile="/var/log/sudo.log"
-                                       Defaults iolog_dir="/var/log/sudo/${user}"
-                                       Defaults log_input
-#      Additional option to also logo outputs instead of inputs only
-#      Defaults log_input, log_output
+      Defaults logfile="/var/log/sudo.log"
+      Defaults iolog_dir="/var/log/sudo/${user}"
+      Defaults log_input
+#     Defaults log_input, log_output
 
 # /*----------------------------------------------------------------------------8
 # |                                    END                                      |