Enforce Usage of pam_wheel with Group Parameter for su Authentication
An XCCDF Rule
Description
To ensure that only users who are members of the group set in the group
option of
pam_wheel.so
module can run commands with altered privileges through the su
command, make sure that the following line exists in the file /etc/pam.d/su
:
auth required pam_wheel.so use_uid group=
warning alert: Warning
Note that
ensure_pam_wheel_group_empty
rule complements this requirement by
ensuring the referenced group exists and has no members.Rationale
The su
program allows to run commands with a substitute user and group ID.
It is commonly used to run commands as the root user.
Limiting access to such command is considered a good security practice.
- ID
- xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-86065-0
- PCI-DSSv4-2.2.6
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
var_pam_wheel_group_for_su='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"/>'