---

{{ if .Vars.ubtu24cis_level_1 }}
  {{ if .Vars.ubtu24cis_rule_5_2_7 }}
file:
  su_conf:
    title: 5.2.7 | Ensure access to the su command is restricted
    path: /etc/pam.d/su
    exists: true
    contents:
    - '/^auth\s+required\s+pam_wheel.so use_uid group={{ .Vars.ubtu24cis_sugroup }}/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.2.7
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
      - AC-6
command:
  sugroup_etc_group:
    title: 5.2.7 | Ensure access to the su command is restricted
    exec: grep {{ .Vars.ubtu24cis_sugroup }} /etc/group  | awk -F':' '{print $NF}'
    exit-status: 0
    stdout:
    - '!/^[a-zA-Z]/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.2.7
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
      - AC-6
  {{ end }}
{{ end }}