5.7 Ensure access to the su command is restricted - wheel group contains root

Information

The su command allows a user to run a command or shell as another user. The program has been superseded by sudo , which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in the wheel group to execute su .

Rationale:

Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program.

Solution

Add the following line to the /etc/pam.d/su file:

auth required pam_wheel.so use_uid

Create a comma separated list of users in the wheel statement in the /etc/group file:

wheel:x:10:root,<user list>

See Also

https://workbench.cisecurity.org/files/3144

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv6|5.1, CSCv7|4

Plugin: Unix

Control ID: bd68cf3fcd05613c2ddd278ad3786d54b9fa8fc8a42710bb16e55c4aae9bfbd2