updated typos

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
ansible-lockdown · May 17, 2024 · 010cfb6 · 010cfb6
1 parent 1b79bd2
commit 010cfb6
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 12 deletions.
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -180,7 +180,7 @@
   changed_when: false
   failed_when: false
   check_mode: false
-  register: discovered_sudoers_filess
+  register: discovered_sudoers_files
 
 - name: "PRELIM | AUDIT | Check authselect package versions"
   tags:

diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml
@@ -64,7 +64,7 @@
       regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
       replace: '\1PASSWD\2'
       validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ discovered_sudoers_filess.stdout_lines }}"
+  loop: "{{ discovered_sudoers_files.stdout_lines }}"
 
 - name: "4.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
   when:
@@ -135,17 +135,9 @@
         ansible.builtin.group:
             name: "{{ rhel8cis_sugroup }}"
             state: present
-        register: discovered_sugroup
-
-      - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
-        ansible.builtin.lineinfile:
-            path: /etc/group
-            regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
-            line: '{{ discovered_sugroup }}\g<1>'
-            backrefs: true
 
       - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/su
             regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
-            line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup }}'
+            line: 'auth           required        pam_wheel.so use_uid group={{ rhel8cis_sugroup }}'
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
@@ -23,7 +23,7 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec{% endif %}
+Options=mode=1777,strictatime,{% if rhel8cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_2_1_4 %}noexec{% endif %}
 
 # Make 'systemctl enable tmp.mount' work:
 [Install]