anthcourtney / ansible-role-cis-amazon-linux

Ansible role to apply CIS Amazon Linux Benchmark v2.0.0
MIT License

Incorrect removal of lines from /etc/pam.d/su #36

Closed LorensK closed 6 years ago

LorensK commented 6 years ago

https://github.com/anthcourtney/ansible-role-cis-amazon-linux/blob/25133c7de0d344cc8f2f0c91f69f979916dcc85f/tasks/level-1/5.5.yml#L7-L10

These lines are supposed to make sure that the line "auth required pam_wheel.so use_uid" is present in the /etc/pam.d/su file, as recommended by section 5.5 of CIS for Amazon Linux.

Unfortunately, due to matching auth\s+, this stanza will replace the last one of any pre-existing lines starting with the word "auth". On my latest Amazon Linux there are three such lines:

auth    sufficient  pam_rootok.so
auth    substack    system-auth
auth include postlogin

Replacing the line auth include postlogin is certainly not intended by the applicable CIS 5.5. CIS 5.5 mandates that the required line should be the only one matching pam_wheel.so, not the only line matching ^auth\s.

PR is on its way.
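Added example (not code from the issue, the role, or the PR): a small Python model of lineinfile's regexp behaviour, run over a constructed /etc/pam.d/su that carries the three auth lines quoted above, to show the clobbering and one possible fix. The pam_wheel.so-keyed regexp and the insertafter placement are assumptions about what a fix could look like, not the PR's actual change.

```python
import re
from typing import List

# Constructed sample of /etc/pam.d/su with the three "auth" lines quoted in the issue.
SAMPLE_SU = """\
#%PAM-1.0
auth    sufficient  pam_rootok.so
auth    substack    system-auth
auth include postlogin
account sufficient  pam_succeed_if.so uid = 0 use_uid quiet
"""

WHEEL_LINE = "auth required pam_wheel.so use_uid"
PRE_EXISTING_AUTH = ("pam_rootok.so", "system-auth", "postlogin")


def lineinfile(text: str, regexp: str, line: str, insertafter: str = "EOF") -> List[str]:
    """Simplified model of Ansible lineinfile (state=present): if any line matches
    `regexp`, the LAST match is replaced with `line`; otherwise `line` is inserted
    after the last line matching `insertafter`, or at EOF."""
    lines = text.splitlines()
    pat = re.compile(regexp)
    hit = None
    for i, cur in enumerate(lines):
        if pat.search(cur):
            hit = i  # keep scanning: lineinfile remembers the last match
    if hit is not None:
        lines[hit] = line
        return lines
    pos = len(lines)
    if insertafter != "EOF":
        after = re.compile(insertafter)
        for i, cur in enumerate(lines):
            if after.search(cur):
                pos = i + 1
    lines.insert(pos, line)
    return lines


def apply_buggy(text: str) -> List[str]:
    # The regexp the issue describes: it matches every "auth ..." line, so the last one is clobbered.
    return lineinfile(text, r"auth\s+", WHEEL_LINE)


def apply_fixed(text: str) -> List[str]:
    # Assumed fix: key the match on pam_wheel.so (also catching a commented-out default)
    # and place the new line right after pam_rootok.so so PAM stack ordering stays sane.
    return lineinfile(text, r"^#?\s*auth\s+.*pam_wheel\.so", WHEEL_LINE, insertafter=r"pam_rootok\.so")


def check_su(lines: List[str]) -> bool:
    """Post-remediation check: every pre-existing auth line survived and exactly one active pam_wheel line exists."""
    auth = [l for l in lines if l.startswith("auth")]
    kept = all(any(tok in l for l in auth) for tok in PRE_EXISTING_AUTH)
    wheel = [l for l in auth if "pam_wheel.so" in l]
    return kept and len(wheel) == 1
```

Running check_su after the role has applied section 5.5 is a cheap way to catch the regression the issue describes before the host is rebooted or an su path breaks.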