3.9 Ensure root access is controlled - sugroups

Information

Restricts access to root via su to members of a specific group.

Rationale:

Setting the sugroups attribute to system ensures that only members of the system group are able to su to root. This makes it more difficult for an attacker to use a stolen root password, because the attacker first has to gain access to a user ID that is a member of the system group.

Impact:

In this recommendation we specify the group system in order to leave this recommendation as a Level 1, IG1 recommendation.

Further, as an IG1 recommendation, we permit the attribute login to be true, to permit direct root login using an HMC.

For a higher level of security, create a new group specifically for su to root and use that group name in the specification.

Thus, the Remediation procedure below specifies system as the correct group name. This is merely an initial solution.

In any case, sugroups should not equal ALL.

Solution

In /etc/security/user, set the root stanza sugroups attribute to system:

chuser login=true rlogin=false su=true sugroups=system root

Default Value:

root login=true rlogin=true sugroups=ALL su=true
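
An audit check for the remediation and default value above, as an added example that is not part of the benchmark text. It resolves root's effective attributes from an /etc/security/user-style stanza file, falling back to the default stanza for anything the root stanza does not set; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit root's effective su settings from an /etc/security/user-style file.

# stanza_attr FILE USER ATTR: print ATTR from USER's stanza, falling back to
# the "default" stanza when USER's stanza does not set it.
stanza_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                                   # "*" starts a comment line
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }  # stanza header
        (eq = index($0, "=")) > 0 {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == attr && (cur == user || cur == "default")) seen[cur] = val
        }
        END { print ((user in seen) ? seen[user] : seen["default"]) }
    ' "$1"
}

# check_root_su FILE: return 0 only if root matches the values the remediation sets.
check_root_su() {
    rc=0
    for want in sugroups=system rlogin=false su=true; do
        attr=${want%%=*}
        got=$(stanza_attr "$1" root "$attr")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL root $attr=$got (expected ${want#*=})"
            rc=1
        fi
    done
    [ "$rc" -ne 0 ] || echo "PASS root su access is restricted to group system"
    return "$rc"
}

# Constructed sample inputs (not taken from a real host).
sample_default() {   # root sets nothing itself, so sugroups=ALL is inherited
    printf 'default:\n\tlogin = true\n\trlogin = true\n\tsu = true\n\tsugroups = ALL\n\nroot:\n\tadmin = true\n'
}
sample_hardened() {  # state after the chuser command in the Solution section
    printf 'default:\n\tlogin = true\n\trlogin = true\n\tsu = true\n\tsugroups = ALL\n\nroot:\n\tadmin = true\n\tlogin = true\n\trlogin = false\n\tsu = true\n\tsugroups = system\n'
}

tmpdir=$(mktemp -d)
sample_default  > "$tmpdir/user.default"
sample_hardened > "$tmpdir/user.hardened"
check_root_su "$tmpdir/user.default" || true   # reports sugroups=ALL and rlogin=true
check_root_su "$tmpdir/user.hardened"          # reports PASS
```

On a live AIX host, `lsuser -a rlogin su sugroups root` reports the same effective values without parsing the file.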

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: f8ec3ff4a58030e1d171ff983e1a27102955f4b6d20f4b7ee276828e5a4ef032