Table of Contents

5.6 Ensure access to the su command is restricted (Scored)

Profile Applicability

Level 1 - Server
Level 1 - Workstation 

Description

The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su.

Rationale

Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program.

Audit

Run the following command and verify output includes matching line:

# grep pam_wheel.so /etc/pam.d/su 
auth required pam_wheel.so use_uid

Run the following command and verify users in wheel group match site policy:

# grep wheel /etc/group 
wheel:x:10:root,<user list>

Remediation

Add the following line to the /etc/pam.d/su file:

auth required pam_wheel.so use_uid

Create a comma separated list of users in the wheel statement in the /etc/group file:

wheel:x:10:root,<user list>