diff --git a/defaults/main.yml b/defaults/main.yml
index fb188b0..836f16f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -645,11 +645,9 @@ rhel9cis_shell_session_timeout:
 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel9cis_futurepwchgdate_autofix: true
-# 5.7
-# rhel9cis_sugroup: sugroup # change accordingly wheel is default
+# 5.3.7
+rhel9cis_sugroup: nosugroup
-# wheel users list please supply comma seperated e.g. "vagrant,root"
-rhel9cis_sugroup_users: "root"
 ## Section6 vars
@@ -660,13 +658,10 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
 rhel9cis_no_world_write_adjust: true
 rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
-
 # 6.2.16
 ## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
 rhel_09_6_2_16_home_follow_symlinks: false
-
-
 #### Goss Configuration Settings ####
 # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_run_script_environment:
diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
index 0443781..2f63b23 100644
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
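Review bot: `rhel9cis_sugroup: nosugroup` becomes a live default with only `# 5.3.7` above it, yet in this commit the variable drives both the creation of that group and a task that strips its whole member list, so the comment should state what the value must be. Suggest `# 5.3.7 Dedicated group allowed to run su. Must be an otherwise unused, empty group: the 5.3.7 tasks create it and remove every member, so do not point this at wheel or another group in use.` The only consumer of the removed `rhel9cis_sugroup_users` visible in this diff is the deleted loop, but any site vars that still set it will now be silently ignored, which is worth a changelog line.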
@@ -109,17 +109,25 @@
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
 block:
+
+ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
+ ansible.builtin.group:
+ name: "{{ rhel9cis_sugroup }}"
+ state: present
+ register: rhel9cis_5_3_7_sugroup
+
+ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
+ ansible.builtin.lineinfile:
+ path: /etc/group
+ regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$'
+ line: '{{ rhel9cis_sugroup }}\g<1>'
+ backrefs: true
+
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
 ansible.builtin.lineinfile:
 path: /etc/pam.d/su
 regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
- line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
-
- - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
- ansible.builtin.user:
- name: "{{ item }}"
- groups: "{{ rhel9cis_sugroup | default('wheel') }}"
- loop: "{{ rhel9cis_sugroup_users }}"
+ line: 'auth required pam_wheel.so use_uid group={{ rhel9cis_sugroup }}'
 when:
 - rhel9cis_rule_5_3_7
 tags:
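Review bot: The `remove users from group` task rewrites `/etc/group` directly, which leaves the member list in `/etc/gshadow` stale when it does match, and its pattern `(:.:.*:)` only matches a password field of exactly one character, so a line such as `nosugroup::1001:alice` is silently left untouched because `backrefs: true` suppresses any change on no match. Letting shadow-utils do the edit keeps both files in sync: read the current members with `ansible.builtin.getent` and run `gpasswd --members '' {{ rhel9cis_sugroup }}` only when that list is non-empty, which stays idempotent without a regex. If the lineinfile form is kept, the group name should at least be escaped in the pattern, `regexp: '^{{ rhel9cis_sugroup | regex_escape }}(:.:.*:).*$'`. The `register: rhel9cis_5_3_7_sugroup` result is not read anywhere in this hunk; if nothing later uses it, drop it. The enclosing task's `tags:` list continues past the end of the hunk.
```yaml
      # … unchanged: "Ensure sugroup exists" task …

      - name: "5.3.7 | AUDIT | Ensure access to the su command is restricted | read sugroup members"
        ansible.builtin.getent:
          database: group
          key: "{{ rhel9cis_sugroup }}"

      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
        ansible.builtin.command: "gpasswd --members '' {{ rhel9cis_sugroup }}"
        when: ansible_facts.getent_group[rhel9cis_sugroup][2] | length > 0

      # … unchanged: "Setting pam_wheel to use_uid" task …
```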