---

- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted"
  block:
      - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
        lineinfile:
            state: present
            dest: /etc/pam.d/su
            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
            line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'

      - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
        user:
            name: "{{ rhel9cis_sugroup_users }}"
            groups: "{{ rhel9cis_sugroup | default('wheel') }}"
  when:
      - rhel9cis_rule_5_7
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.7