If I understand things correctly, then there is currently no way to disable the check for NOPASSWD in the target system's sudo configuration — other than running a playbook with "--skip-tags V-71947".
I think that's questionable if you're running ansible-hardening against a cloud guest instance. Consider an OpenStack guest VM where user accounts simply do not have passwords, and the default user (for example, "ubuntu" on Ubuntu guest systems) is configured with NOPASSWD by default, as per /etc/sudoers.d/90-cloud-init-users.
I guess it's open to debate what's the better option for security here. Sure you could argue that having passwords is better than having none, and you should enforce the "no NOPASSWD" rule by requiring people to set passwords for all those ubuntu users. But considering that cloud instances are usually deployed en masse, my guess is that enforcing sudo passwords would just lead to identical sudo passwords being deployed to a large number of machines. Specifically if those machines are managed with Ansible, where a single playbook run can only do one --ask-become-pass prompt.
Would you accept a patch introducing a security_sudoers_nopasswd_check_enable variable (defaulting to yes, preserving the prior behavior) with an additional condition on that variable applying to the V-71947 tagged tasks?
Nice catch, Florian. Your idea for a patch sounds fine! Thanks for digging into that.