Skip to content

Enforce Usage of pam_wheel with Group Parameter for su Authentication

An XCCDF Rule

Description

To ensure that only users who are members of the group set in the group option of pam_wheel.so module can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su:

auth required pam_wheel.so use_uid group=

warning alert: Warning

Note that ensure_pam_wheel_group_empty rule complements this requirement by ensuring the referenced group exists and has no members.

Rationale

The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.

ID
xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86065-0
  - PCI-DSSv4-2.2.6

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_pam_wheel_group_for_su='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"/>'