Describe the Issue
Noticed the task `4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid` is updating the entire output of the `discovered_sugroup` dynamic value getting populated from task `4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists`, as stated below:
```yaml
- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
  ansible.builtin.group:
    name: "{{ rhel8cis_sugroup }}"
    state: present
  register: discovered_sugroup

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
  ansible.builtin.lineinfile:
    path: /etc/group
    regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
    line: '{{ discovered_sugroup }}\g<1>'
    backrefs: true

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
  ansible.builtin.lineinfile:
    path: /etc/pam.d/su
    regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
    line: 'auth required pam_wheel.so use_uid group={{ discovered_sugroup }}'
```
Expected Behavior
Task `4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid` is supposed to update only the value of the `rhel8cis_sugroup` variable, which should be `sugroup`, as stated below:
auth required pam_wheel.so use_uid group=sugroup
However, it is updating the entire output of `discovered_sugroup` as stated below:
Actual Behavior
The task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is updating the entire output of discovered_sugroup as stated below:
Control(s) Affected
Nothing
Environment (please complete the following information):
Additional Notes
Possible Solution
The below lines
can be replaced with
or
to fix the issue.
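To check whether a host already carries the malformed line described in this issue, the following added example (not part of the original report or of the role's code) validates the `pam_wheel.so` entry in the contents of `/etc/pam.d/su`. The sample file contents, the dictionary text in `BAD`, and the group-name pattern are constructed assumptions; the flag names come from pam_wheel(8).

```python
import re

# /etc/pam.d line layout: type  control  module-path  [module-arguments]
PAM_WHEEL = re.compile(r"^\s*auth\s+\S+\s+pam_wheel\.so\b(?P<args>.*)$")
GROUP_NAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")  # assumed naming rule (shadow-utils style)
FLAGS = {"debug", "deny", "root_only", "trust", "use_uid"}  # options listed in pam_wheel(8)

# Constructed samples: the expected line from the issue, and a line where a
# registered result (a dictionary) was rendered after group= instead of a name.
GOOD = "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid group=sugroup\n"
BAD = ("#%PAM-1.0\nauth sufficient pam_rootok.so\n"
       "auth required pam_wheel.so use_uid group={'changed': False, 'name': 'sugroup', 'state': 'present'}\n")


def check_pam_wheel(pam_su_text, expected_group=None):
    """Return [(line_no, problem)] for active pam_wheel lines; line_no 0 means the whole file."""
    findings, active = [], False
    for num, line in enumerate(pam_su_text.splitlines(), start=1):
        match = PAM_WHEEL.match(line)
        if not match:
            continue  # comments, blank lines, other modules
        active = True
        tokens = match.group("args").split()  # module arguments are whitespace-separated
        if "use_uid" not in tokens:
            findings.append((num, "use_uid missing"))
        groups = [t[len("group="):] for t in tokens if t.startswith("group=")]
        if not groups:
            findings.append((num, "no group= argument"))
        for value in groups:
            if not GROUP_NAME.match(value):
                findings.append((num, f"group= is not a group name: {value!r}"))
            elif expected_group and value != expected_group:
                findings.append((num, f"group is {value!r}, expected {expected_group!r}"))
        # Leftover pieces of a rendered dictionary show up as unknown tokens.
        stray = [t for t in tokens if t not in FLAGS and not t.startswith("group=")]
        if stray:
            findings.append((num, f"{len(stray)} unexpected argument token(s)"))
    if not active:
        findings.append((0, "no active pam_wheel line"))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_pam_wheel(text, expected_group="sugroup"))
```

On a real host, pass the text read from `/etc/pam.d/su` and the configured value of `rhel8cis_sugroup` as `expected_group`.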