From 7d7586d5fb18b1a0b94ee3e230bb8a1d67086143 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 18 Oct 2023 15:40:31 +0200
Subject: [PATCH 1/3] Remove groupmems from Bash remediation

It was noticed that groupmems command, which initially seemed like a handy command, does not work on all distros or behaves differently among distros. It is better to avoid it and use a more generic approach that works for all distros.
---
 .../root_logins/ensure_pam_wheel_group_empty/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
index 7ba3db7f17a..8cc2925c520 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
@@ -7,4 +7,4 @@ if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then
 fi
 
 # group must be empty
-groupmems -g ${var_pam_wheel_group_for_su} -p
+sed -i -E "s/^(${var_pam_wheel_group_for_su}:[^:]*:[^:]*:)[^:]*/\1/g" /etc/group

From babf932837af58a21b8e125fb4c1486874664fe5 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 18 Oct 2023 15:45:12 +0200
Subject: [PATCH 2/3] Also remove groupmems from test scenario script

---
 .../tests/group_without_members.pass.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh
index 315dae0e801..425df7ce4a4 100644
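Review bot: The `sed -i` on the added last line rewrites only the member field of `/etc/group`; the matching member list in `/etc/gshadow` is left as it was, and the edit is made without the lock the shadow-suite tools take on those files, so a concurrent account change could race with it. The sed line added to `tests/group_without_members.pass.sh` in PATCH 2/3 has the same shape and the same gap. Since PATCH 3/3 in this series replaces both sed lines, the remaining concern is only that these two intermediate commits leave the tree in that state if landed or bisected on their own. A minor point: the trailing `g` flag on this `^`-anchored substitution has no effect, and the test-file variant already omits it.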
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh
@@ -3,4 +3,4 @@ GRP_NAME=sugroup groupadd ${GRP_NAME}
-groupmems -g ${GRP_NAME} -p
+sed -i -E "s/^(${GRP_NAME}:[^:]*:[^:]*:)[^:]*/\1/" /etc/group

From 6450fa72dd741746cd07b31776674635f94a5126 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Thu, 19 Oct 2023 08:42:47 +0200
Subject: [PATCH 3/3] Adopt gpasswd command for Bash remediation

Thanks @teacup-on-rockingchair for suggesting this command. Also used the command in group_without_members.pass.sh test scenario. It is intentional to not update the Ansible remediation since it would demand to use the command module. But the gpasswd command doesn't have different return codes to know when members were removed or not from the group. It would make the Ansible task to be reported as changed always or never, which may cause confusion.
---
 .../root_logins/ensure_pam_wheel_group_empty/bash/shared.sh | 2 +-
 .../tests/group_without_members.pass.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
index 8cc2925c520..7bbfd767543 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
@@ -7,4 +7,4 @@ if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then
 fi
 
 # group must be empty
-sed -i -E "s/^(${var_pam_wheel_group_for_su}:[^:]*:[^:]*:)[^:]*/\1/g" /etc/group
+gpasswd -M '' ${var_pam_wheel_group_for_su}
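Review bot: `gpasswd -M ''` on the new last line clears the group's supplementary member list (in shadow-utils this updates `/etc/group` and, where present, `/etc/gshadow` under the proper lock), but an account whose primary GID in `/etc/passwd` is this group is not touched by it, and if pam_wheel also honours the primary group such an account would still pass the `su` restriction; I would record that limit next to the existing comment, e.g. `# group must be empty (gpasswd -M '' clears supplementary members; primary-group membership is not affected)`. The group name is expanded unquoted here while the `grep` shown in the hunk header quotes it; `gpasswd -M '' "${var_pam_wheel_group_for_su}"` keeps the two consistent and avoids word splitting should the variable ever carry whitespace, and the same applies to `${GRP_NAME}` in the test-scenario hunk of this patch. Note also that the exit status of `gpasswd` becomes the script's final status, so a missing command now fails the remediation loudly where the replaced `sed -i` would not have.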
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh
index 425df7ce4a4..0071cc9938a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh
@@ -3,4 +3,4 @@ GRP_NAME=sugroup groupadd ${GRP_NAME}
-sed -i -E "s/^(${GRP_NAME}:[^:]*:[^:]*:)[^:]*/\1/" /etc/group
+gpasswd -M '' ${GRP_NAME}
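Review bot: On a group that `groupadd ${GRP_NAME}` has just created, `gpasswd -M ''` on the new last line has nothing to remove, so this pass scenario only confirms that an empty group satisfies the check; it does not exercise emptying a populated group, which is the behaviour the remediation now relies on `gpasswd` for. Whether a companion scenario with members exists is not visible in this patch; if not, that would be the place to cover the new command, and a one-line comment such as `# freshly created group has no members; this is the expected passing state` would make the intent of this line clear.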