RHEL9-CIS/tasks/section_5/cis_5.7.yml

---

- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted"
  block:
      - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
        lineinfile:
            state: present
            dest: /etc/pam.d/su
            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
            line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'

      - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
        user:
            name: "{{ rhel9cis_sugroup_users }}"
            groups: "{{ rhel9cis_sugroup | default('wheel') }}"
  when:
      - rhel9cis_rule_5_7
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.7
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`

			`- name: "5.7 \| L1 \| PATCH \| Ensure access to the su command is restricted"`
			`block:`
			`- name: "5.7 \| L1 \| PATCH \| Ensure access to the su command is restricted \| Setting pam_wheel to use_uid"`
			`lineinfile:`
			`state: present`
			`dest: /etc/pam.d/su`
			`regexp: '^(#)?auth\s+required\s+pam_wheel\.so'`
			`line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'`

			`- name: "5.7 \| L1 \| PATCH \| Ensure access to the su command is restricted \| wheel group contains root"`
			`user:`
			`name: "{{ rhel9cis_sugroup_users }}"`
			`groups: "{{ rhel9cis_sugroup \| default('wheel') }}"`
			`when:`
			`- rhel9cis_rule_5_7`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_5.7`