Information
Restricts access to root via su to members of a specific group.
Rationale:
Setting the sugroups attribute to system ensures that only members of the system group are able to su to root. This makes it more difficult for an attacker to use a stolen root password, as the attacker first has to get access to a system user ID.
Impact:
In this recommendation we specify the group system in order to keep it a Level 1, IG1 recommendation.
Further, as an IG1 recommendation, we permit the login attribute to be true, to allow direct root login using an HMC.
A higher level of security would create a new group specifically for su to root, and that group name would be used in the specification.
Thus, the Remediation procedure below specifies system as the correct group name. This is merely an initial solution.
In any case, sugroups should not equal ALL.
Solution
In /etc/security/user, set the root stanza sugroups attribute to system:
chuser login=true rlogin=false su=true sugroups=system root
Default Value:
root login=true rlogin=true sugroups=ALL su=true
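
An audit sketch for the setting above, added here as an example and not part of the original recommendation: it resolves root's effective attributes from a file in the /etc/security/user stanza format (falling back to the default stanza) and compares them with the remediation values. The function names and the sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline audit of root's su/login attributes in a file that
# uses the /etc/security/user stanza format. Sample stanzas are constructed.

# effective_attr FILE USER ATTR: value from USER's stanza, else from "default".
effective_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                                # "*" starts a comment
        /^[^ \t=]+:[ \t]*$/ { sub(/:[ \t]*$/, ""); stanza = $0; next }
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name != attr) next
            if (stanza == user) { u = val; have_u = 1 }
            if (stanza == "default") d = val
        }
        END { print (have_u ? u : d) }
    ' "$1"
}

# audit_root_su FILE [GROUP]: returns 0 if root matches the remediation values.
# GROUP defaults to system; pass a dedicated su group name to check that instead.
audit_root_su() {
    rc=0
    for pair in login=true rlogin=false su=true "sugroups=${2:-system}"; do
        attr=${pair%%=*}; want=${pair#*=}
        got=$(effective_attr "$1" root "$attr")
        if [ "$got" != "$want" ]; then
            echo "FAIL: root $attr=$got (expected $want)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: root inherits sugroups=ALL from the default stanza.
sample_default() {
    printf 'default:\n\tlogin = true\n\tsu = true\n\tsugroups = ALL\n\nroot:\n\tadmin = true\n\trlogin = true\n'
}
# Constructed sample: root stanza after the chuser remediation.
sample_hardened() {
    printf 'default:\n\tsu = true\n\tsugroups = ALL\n\nroot:\n\tlogin = true\n\trlogin = false\n\tsu = true\n\tsugroups = system\n'
}

tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
sample_default > "$tmp";  audit_root_su "$tmp" || echo "default config: non-compliant"
sample_hardened > "$tmp"; audit_root_su "$tmp" && echo "hardened config: compliant"
```

On a live AIX host, point audit_root_su at /etc/security/user; the second argument lets the same check enforce a dedicated su group in place of system.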