issue 41 5.3.7 tasks

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-03-13 09:44:51 +00:00 · 2023-03-13 09:44:51 +00:00 · 868e74bbf4
commit 868e74bbf4
parent 1a466b7eb7
2 changed files with 17 additions and 14 deletions
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@ -109,17 +109,25 @@

 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
  block:
+
+      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
+        ansible.builtin.group:
+            name: "{{ rhel9cis_sugroup }}"
+            state: present
+        register: rhel9cis_5_3_7_sugroup
+
+      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
+        ansible.builtin.lineinfile:
+            path: /etc/group
+            regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$'
+            line: '{{ rhel9cis_sugroup }}\g<1>'
+            backrefs: true
+
      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/su
            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
-            line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
-
-      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
-        ansible.builtin.user:
-            name: "{{ item }}"
-            groups: "{{ rhel9cis_sugroup | default('wheel') }}"
-        loop: "{{ rhel9cis_sugroup_users }}"
+            line: 'auth           required        pam_wheel.so use_uid group={{ rhel9cis_sugroup }}'
  when:
      - rhel9cis_rule_5_3_7
  tags: