======5.6 Ensure access to the su command is restricted (Scored)======
=====Profile Applicability=====
Level 1 - Server
Level 1 - Workstation
=====Description=====
The ''su'' command allows a user to run a command or shell as another user. The program has been superseded by ''sudo'', which allows for more granular control over privileged access. Normally, the ''su'' command can be executed by any user. By uncommenting the ''pam_wheel.so'' statement in ''/etc/pam.d/su'', the ''su'' command will only allow users in the wheel group to execute ''su''.
=====Rationale=====
Restricting the use of ''su'', and using ''sudo'' in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via ''sudo'', whereas ''su'' can only record that a user executed the ''su'' program.
=====Audit=====
Run the following command and verify output includes matching line:
# grep pam_wheel.so /etc/pam.d/su
auth required pam_wheel.so use_uid
Run the following command and verify users in ''wheel'' group match site policy:
# grep wheel /etc/group
wheel:x:10:root,
=====Remediation=====
Add the following line to the ''/etc/pam.d/su'' file:
auth required pam_wheel.so use_uid
Create a comma separated list of users in the wheel statement in the ''/etc/group'' file:
wheel:x:10:root,