5.6 Ensure access to the su command is restricted - /etc/pam.d/su

Information

The su command allows a user to run a command or shell as another user. The program has been superseded by sudo , which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in the wheel group to execute su .

Rationale:

Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program.

Solution

Add the following line to the /etc/pam.d/su file:

auth required pam_wheel.so use_uid
Create a comma separated list of users in the wheel statement in the /etc/group file:
wheel:x:10:root,<user list>

See Also

https://workbench.cisecurity.org/files/2449

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: 16d067c04be1c116d6d451e7058a87ea9a6cd01775f91146d1e84bfa2f3435d6