Enforce Usage of pam_wheel with Group Parameter for su Authentication

An XCCDF Rule

Details
Profiles
Prose

Description

To ensure that only users who are members of the group set in the group option of pam_wheel.so module can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su:

auth required pam_wheel.so use_uid group=

warning alert: Warning

Note that ensure_pam_wheel_group_empty rule complements this requirement by ensuring the referenced group exists and has no members.

Rationale

The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.

ID: xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
Severity: Medium
References: 2.2 2.2.6
Updated: 5 days ago