ansible-lockdown · tmeckel · Feb 11, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 13, 2026
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -631,6 +631,10 @@ ubtu22cis_desktop_required: false
 # This will also purge any packages not removed via this playbook
 ubtu22cis_purge_apt: false
 
+## Apt/dpkg lock timeout (seconds)
+# Wait time for apt/dpkg frontend lock to clear before failing package tasks.
+ubtu22cis_apt_lock_timeout: 180
+
 ## Ignore change_when for apt update task
 # Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes
 ubtu22cis_ignore_apt_update_changed_when: false

diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml
@@ -112,7 +112,7 @@
         direction: out
         proto: "{{ item.proto }}"
         to_port: '{{ item.port }}'
-      loop: "{{ ubtu22cis_ufw_allow_out_ports }}"
+      loop: "{{ ubtu22cis_ufw_allow_out_ports if ubtu22cis_ufw_allow_out_ports != 'all' else [] }}"
       loop_control:
         label: "{{ item.port }}"
       notify: Reload ufw

diff --git a/tasks/section_5/cis_5.3.1.x.yml b/tasks/section_5/cis_5.3.1.x.yml
@@ -12,9 +12,10 @@
     - pam
     - rule_5.3.1.1
     - NIST800-53R5_NA
-  ansible.builtin.package:
+  ansible.builtin.apt:
     name: libpam-runtime
     state: latest
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "5.3.1.2 | PATCH | Ensure libpam-modules is installed"
   when:
@@ -28,9 +29,10 @@
     - pam
     - rule_5.3.1.2
     - NIST800-53R5_NA
-  ansible.builtin.package:
+  ansible.builtin.apt:
     name: libpam-modules
     state: latest
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "5.3.1.3 | PATCH | Ensure libpam-pwquality is installed"
   when:
@@ -43,6 +45,7 @@
     - pam
     - rule_5.3.1.3
     - NIST800-53R5_NA
-  ansible.builtin.package:
+  ansible.builtin.apt:
     name: libpam-pwquality
     state: latest
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"