From c58c4eb4e8492643748257a30109834890f76f57 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 5 Sep 2024 16:04:47 +0100
Subject: [PATCH] fixed 5.2.4

Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.2.x.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 6bb0608..f129956 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -57,21 +57,21 @@
 - rule_5.2.4
 - NIST800-53R5_AC-6
 block:
- - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | discover accts with NOPASSWD"
+ - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | Discover accts with NOPASSWD"
 ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
 become: true
 changed_when: false
 failed_when: false
- register: rhel9cis_5_2_4_nopasswd
+ register: discovered_nopasswd_sudoers
 
- - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
- when: rhel9cis_5_2_4_nopasswd.std | length > 0
+ - name: "5.2.4 | PATCH | Ensure users must provide password for escalation | Remove nopasswd for accounts not excluded"
+ when: discovered_nopasswd_sudoers.stdout | length > 0
 ansible.builtin.replace:
 path: "{{ item }}"
 regexp: '^((?!#|{% for name in rhel9cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
 replace: '\1PASSWD\2'
 validate: '/usr/sbin/visudo -cf %s'
- loop: "{{ rhel9cis_5_2_4_nopasswd.stdout_lines }}"
+ loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}"
 
 - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
 when:
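Review bot: The exclusion lookahead in the `regexp:` line of the 5.2.4 PATCH task treats each excluded name as a bare prefix with no terminator, so an entry `deploy` also shields `deployer` or `deploy2` from remediation, and when `rhel9cis_sudoers_exclude_nopasswd_list` is empty the rendered `(?!#|)` contains an empty alternative that always matches, which makes the negative lookahead fail on every line so no NOPASSWD tag is ever rewritten. The list's default is defined outside this file, so I cannot tell whether the empty case is reachable in practice, but the names are also interpolated unescaped into the pattern. I would render the exclusion only when the list is non-empty, escape each name, and require whitespace after it: `regexp: '^((?!#{% if rhel9cis_sudoers_exclude_nopasswd_list | length > 0 %}|(?:{{ rhel9cis_sudoers_exclude_nopasswd_list | map("regex_escape") | join("|") }})\s{% endif %}).*)NOPASSWD(.*)'`. Separately, the greedy `(.*)` before `NOPASSWD` means a line carrying two NOPASSWD tags keeps the first one after replacement, and `visudo -cf` will accept that result. The 5.2.4 block (its tags and `when:`) opens above this hunk, so the surrounding conditions are not visible here.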