issue 41 5.3.7 tasks

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 14:23:05 +00:00 · 2023-03-13 09:44:51 +00:00 · 2023-03-13 09:44:51 +00:00 · 868e74bbf4
commit 868e74bbf4
parent 1a466b7eb7
2 changed files with 17 additions and 14 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -645,11 +645,9 @@ rhel9cis_shell_session_timeout:
 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel9cis_futurepwchgdate_autofix: true

-# 5.7
-# rhel9cis_sugroup: sugroup  # change accordingly wheel is default
+# 5.3.7
+rhel9cis_sugroup: nosugroup

-# wheel users list please supply comma seperated e.g. "vagrant,root"
-rhel9cis_sugroup_users: "root"

 ## Section6 vars

@ -660,13 +658,10 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
 rhel9cis_no_world_write_adjust: true
 rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"

-
 # 6.2.16
 ## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
 rhel_09_6_2_16_home_follow_symlinks: false

-
-
 #### Goss Configuration Settings ####
 # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_run_script_environment:
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@ -109,17 +109,25 @@

 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
  block:
+
+      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
+        ansible.builtin.group:
+            name: "{{ rhel9cis_sugroup }}"
+            state: present
+        register: rhel9cis_5_3_7_sugroup
+
+      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
+        ansible.builtin.lineinfile:
+            path: /etc/group
+            regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$'
+            line: '{{ rhel9cis_sugroup }}\g<1>'
+            backrefs: true
+
      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/su
            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
-            line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
-
-      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
-        ansible.builtin.user:
-            name: "{{ item }}"
-            groups: "{{ rhel9cis_sugroup | default('wheel') }}"
-        loop: "{{ rhel9cis_sugroup_users }}"
+            line: 'auth           required        pam_wheel.so use_uid group={{ rhel9cis_sugroup }}'
  when:
      - rhel9cis_rule_5_3_7
  tags: