A classic virtuous circle in information security: CIS benchmark alerts reported by Wazuh nagged me into implementing new dev-sec.io hardening flags, which are now released as part of standard hardening playbooks. Oh, and don't forget ansible-lint :)
https://github.com/dev-sec/ansible-os-hardening/releases/tag/6.0.0