Issue with Task 4.3.7 Ensure access to the su command is restricted

[msachikanta]

Describe the Issue
Noticed the task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is updating the entire outout of discovered_sugroup dynamic value getting populated from task 4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists as stated below:

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
  ansible.builtin.group:
      name: "{{ rhel8cis_sugroup }}"
      state: present
  register: discovered_sugroup

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
  ansible.builtin.lineinfile:
      path: /etc/group
      regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
      line: '{{ discovered_sugroup }}\g<1>'
      backrefs: true

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
  ansible.builtin.lineinfile:
      path: /etc/pam.d/su
      regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
      line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup }}'

Expected Behavior
Task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid suppose to update only the value of rhel8cis_sugroup varibale which should be sugroup as stated below:

auth           required        pam_wheel.so use_uid group=sugroup

however it is updating the entire output of discovered_sugroup as stated below:

Actual Behavior
The task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is updating the entire output of discovered_sugroup as stated below:

auth           required        pam_wheel.so use_uid group={'name': 'sugroup', 'state': 'present', 'changed': True, 'system': False, 'gid': 1001, 'failed': False}

Control(s) Affected
Nothing

Environment (please complete the following information):

• branch being used: [e.g. devel]

Additional Notes

Possible Solution
The below lines

line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup }}'

regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
line: '{{ discovered_sugroup }}\g<1>'

can be replaced with

line: 'auth           required        pam_wheel.so use_uid group={{ rhel8cis_sugroup }}'

regexp: '^{{ rhel8cis_sugroup }}(:.:.*:).*$'
line: '{{ rhel8cis_sugroup }}\g<1>'

or

line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup['name'] }}'

regexp: '^{{ discovered_sugroup['name'] }}(:.:.*:).*$'
line: '{{ discovered_sugroup['name'] }}\g<1>'

to fix the issue.

[uk-bolly]

hi @msachikanta

Thank you for raising this issue, i'm looking and putting a few fixes together and submitting the PR shortly.

Many thanks

uk-bolly