Skip to content

Enforce usage of pam_wheel for su authentication

An XCCDF Rule

Description

To ensure that only users who are members of the wheel group can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su:

auth required pam_wheel.so use_uid

warning alert: Warning

Members of "wheel" or GID 0 groups are checked by default if the group option is not set for pam_wheel.so module. Therefore, members of these groups should be manually checked or a different group should be informed according to the site policy.

Rationale

The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.

ID
xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-09-432035
  - low_complexity

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

# uncomment the option if commented
sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su