From 010cfb6f753c0130f86ecd582a9f705833feae67 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 17 May 2024 10:58:59 +0100
Subject: [PATCH] updated typos

Signed-off-by: Mark Bolwell
---
 tasks/prelim.yml | 2 +-
 tasks/section_4/cis_4.3.x.yml | 12 ++----------
 templates/etc/systemd/system/tmp.mount.j2 | 2 +-
 3 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 1eade936..4976158a 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -180,7 +180,7 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: discovered_sudoers_filess
+ register: discovered_sudoers_files

 - name: "PRELIM | AUDIT | Check authselect package versions"
 tags:
diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml
index cfc15781..e8d980a2 100644
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@@ -64,7 +64,7 @@
 regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
 replace: '\1PASSWD\2'
 validate: '/usr/sbin/visudo -cf %s'
- loop: "{{ discovered_sudoers_filess.stdout_lines }}"
+ loop: "{{ discovered_sudoers_files.stdout_lines }}"

 - name: "4.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
 when:
@@ -135,17 +135,9 @@
 ansible.builtin.group:
 name: "{{ rhel8cis_sugroup }}"
 state: present
- register: discovered_sugroup
-
- - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
- ansible.builtin.lineinfile:
- path: /etc/group
- regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
- line: '{{ discovered_sugroup }}\g<1>'
- backrefs: true

 - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
 ansible.builtin.lineinfile:
 path: /etc/pam.d/su
 regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
- line: 'auth required pam_wheel.so use_uid group={{ discovered_sugroup }}'
+ line: 'auth required pam_wheel.so use_uid group={{ rhel8cis_sugroup }}'
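Review bot: The `regexp` context line above the renamed `loop` uses `[^#|{% if system_is_ec2 %}ec2-user{% endif %}]` as a negated character class, not an alternation, so under Python `re` (what ansible.builtin.replace uses) on an EC2 host the `2-u` inside the class is a range and any sudoers line whose first character is a digit 2–9, an uppercase letter or a lowercase letter a–u (including `root` and `Defaults`) is never rewritten and keeps its NOPASSWD; off EC2 `|` is still a literal pipe. A negative lookahead expresses the intent without that side effect: `regexp: '^(?!#){% if system_is_ec2 %}(?!ec2-user\b){% endif %}(.*)NOPASSWD(.*)'` together with the existing `replace: '\1PASSWD\2'`. The task's opening lines (name, `when`, module) sit outside the hunk.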
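Review bot: After the second hunk of this file nothing ensures the group named by `rhel8cis_sugroup` has no members: `register: discovered_sugroup` and the "remove users from group" task are deleted, so a pre-existing group of that name keeps its members and each of them can run su once `auth required pam_wheel.so use_uid group={{ rhel8cis_sugroup }}` is written. The deleted task appears to have interpolated the registered result of ansible.builtin.group into the regexp instead of the group name, so it could not have matched; if dropping it was meant as the fix, a version keyed on the variable restores the control, placed between the group task and the pam_wheel task. The enclosing block (the 4.3.7 `when`/tags) starts outside the hunk.
```yaml
      - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
        ansible.builtin.lineinfile:
          path: /etc/group
          regexp: '^{{ rhel8cis_sugroup }}(:[^:]*:[^:]*:).*$'
          line: '{{ rhel8cis_sugroup }}\g<1>'
          backrefs: true
      # … unchanged: "Setting pam_wheel to use_uid" task …
```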
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
index 2e3a1896..3cf0bf8b 100644
--- a/templates/etc/systemd/system/tmp.mount.j2
+++ b/templates/etc/systemd/system/tmp.mount.j2
@@ -23,7 +23,7 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec{% endif %}
+Options=mode=1777,strictatime,{% if rhel8cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_2_1_4 %}noexec{% endif %}

 # Make 'systemctl enable tmp.mount' work:
 [Install]
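Review bot: The rewritten `Options=` line still leaves a dangling comma whenever the last enabled toggle is not `noexec` (e.g. `rhel8cis_rule_1_1_2_1_4` false gives `...,nosuid,` or `...,strictatime,`), because every option carries its own trailing comma; moving the comma inside each conditional avoids emitting an empty mount option: `Options=mode=1777,strictatime{% if rhel8cis_rule_1_1_2_1_2 %},nodev{% endif %}{% if rhel8cis_rule_1_1_2_1_3 %},nosuid{% endif %}{% if rhel8cis_rule_1_1_2_1_4 %},noexec{% endif %}`. Whether systemd/mount tolerates an empty option cannot be confirmed from the hunk, so not producing one is the safer template. The change also swaps which rule drives `nosuid` versus `noexec` relative to the old line (`rhel8cis_rule_1_1_2_4` → nosuid, `rhel8cis_rule_1_1_2_3` → noexec before), which goes beyond a typo fix and is worth confirming against the rule definitions in the defaults.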