5.6 Ensure access to the su command is restricted - wheel group contains root

Information

The su command allows a user to run a command or shell as another user. The program
has been superseded by sudo , which allows for more granular control over privileged
access. Normally, the su command can be executed by any user. By uncommenting the
pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in the
wheel group to execute su .

Rationale:

Restricting the use of su , and using sudo in its place, provides system administrators better
control of the escalation of user privileges to execute privileged commands. The sudo utility
also provides a better logging and audit mechanism, as it can log each command executed
via sudo , whereas su can only record that a user executed the su program.

Solution

Add the following line to the /etc/pam.d/su file:

auth required pam_wheel.so use_uid

Create a comma separated list of users in the wheel statement in the /etc/group file:

wheel:x:10:root,<user list>

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|5.1, CSCv7|5.1

Plugin: Unix

Control ID: b4e48c369245e461bcd37de3cb2ab33f9d58c9d8542cbf47ba651e59504c823f