Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos7:5:6 [2017/05/04 17:46] (current)
Line 1: Line 1:
 +======5.6 Ensure access to the su command is restricted (Scored)======
 +=====Profile Applicability=====  ​
 +<​code>​
 +Level 1 - Server
 +Level 1 - Workstation ​
 +</​code>​
  
 +=====Description=====
 +The ''​su''​ command allows a user to run a command or shell as another user. The program has been superseded by ''​sudo'',​ which allows for more granular control over privileged access. Normally, the ''​su''​ command can be executed by any user. By uncommenting the ''​pam_wheel.so''​ statement in ''/​etc/​pam.d/​su'',​ the ''​su''​ command will only allow users in the wheel group to execute ''​su''​.
 +
 +=====Rationale=====
 +Restricting the use of ''​su'',​ and using ''​sudo''​ in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via ''​sudo'',​ whereas ''​su''​ can only record that a user executed the ''​su''​ program.
 +
 +=====Audit===== ​
 +Run the following command and verify output includes matching line:
 +<​Code:​bash>​
 +# grep pam_wheel.so /​etc/​pam.d/​su ​
 +auth required pam_wheel.so use_uid
 +</​Code>​
 +Run the following command and verify users in ''​wheel''​ group match site policy:
 +<​Code:​bash>​
 +# grep wheel /​etc/​group ​
 +wheel:​x:​10:​root,<​user list>
 +</​Code>​
 +=====Remediation===== ​
 +Add the following line to the ''/​etc/​pam.d/​su''​ file:
 +<​Code:​bash>​
 +auth required pam_wheel.so use_uid
 +</​Code>​
 +Create a comma separated list of users in the wheel statement in the ''/​etc/​group''​ file:
 +<​Code:​bash>​
 +wheel:​x:​10:​root,<​user list>
 +</​Code>​