Enforce usage of pam_wheel for su authentication
An XCCDF Rule
Description
To ensure that only users who are members of the wheel
group can
run commands with altered privileges through the su
command, make
sure that the following line exists in the file /etc/pam.d/su
:
auth required pam_wheel.so use_uid
warning alert: Warning
Members of "wheel" or GID 0 groups are checked by default if the group option is not set
for pam_wheel.so module. Therefore, members of these groups should be manually checked or
a different group should be informed according to the site policy.
Rationale
The su
program allows to run commands with a substitute user and
group ID. It is commonly used to run commands as the root user. Limiting
access to such command is considered a good security practice.
- ID
- xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
- Severity
- Medium
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
# uncomment the option if commented
sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- low_complexity
- low_disruption