
5.3.7 Ensure access to the su command is restricted

Audit

Run the following command:

# grep -Pi '^\h*auth\h+(?:required|requisite)\h+pam_wheel\.so\h+(?:[^#\n\r]+\h+)?((?!\2)(use_uid\b|group=\H+\b))\h+(?:[^#\n\r]+\h+)?((?!\1)(use_uid\b|group=\H+\b))(\h+.*)?$' /etc/pam.d/su

Verify the output matches:

auth required pam_wheel.so use_uid group=<group_name>

Run the following command and verify that the group named in the group= option of that pam_wheel.so line contains no users:

# grep <group_name> /etc/group

Verify the output does not contain any users in the relevant group:

<group_name>:x:<GID>:
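The two audit steps above can be scripted so that the same check runs against constructed sample files and against the live system. The script below is an added example, not part of the benchmark text: it parses the pam_wheel.so line with awk instead of the benchmark's grep -P expression, takes the PAM file and group file as parameters so it can be exercised on the constructed samples it creates under a temporary directory, and reports PASS or FAIL. The file names su.good, su.bad and the group sugroup are constructed for the example.

```shell
#!/bin/sh
# Added example (not CIS benchmark text): audit the pam_wheel.so restriction on su.

# su_pam_group PAMFILE
# Prints the group named on an active line of the form
#   auth (required|requisite) pam_wheel.so ... use_uid ... group=<name>
# and returns 0; prints nothing and returns 1 if no such line exists.
# Commented-out lines and trailing "# ..." comments are ignored, and the
# use_uid / group= options may appear in either order, as the benchmark allows.
su_pam_group() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 == "pam_wheel.so" {
            use_uid = 0; grp = ""
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^#/) break                 # inline comment ends the options
                if ($i == "use_uid") use_uid = 1
                else if ($i ~ /^group=/) grp = substr($i, 7)
            }
            if (use_uid && grp != "") { print grp; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# group_is_empty GROUPFILE NAME
# Returns 0 if NAME exists in GROUPFILE with an empty member list (4th field), else 1.
group_is_empty() {
    awk -F: -v g="$2" '
        $1 == g { found = 1; if ($4 != "") bad = 1 }
        END { exit (found && !bad) ? 0 : 1 }
    ' "$1"
}

# audit_su PAMFILE GROUPFILE
# Combines both checks: a compliant pam_wheel.so line must exist and its group must be empty.
audit_su() {
    grp=$(su_pam_group "$1") || { echo "FAIL: no active pam_wheel.so use_uid group= line in $1"; return 1; }
    group_is_empty "$2" "$grp" || { echo "FAIL: group '$grp' is missing from $2 or has members"; return 1; }
    echo "PASS: su is restricted to the empty group '$grp'"
}

# Constructed sample files (not real system files) so the checks can be demonstrated offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/su.good" <<'EOF'
# constructed /etc/pam.d/su sample: compliant
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so use_uid group=sugroup
auth       substack   system-auth
EOF
cat > "$tmp/su.bad" <<'EOF'
# constructed /etc/pam.d/su sample: restriction present but commented out
auth       sufficient pam_rootok.so
#auth      required   pam_wheel.so use_uid group=sugroup
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
wheel:x:10:alice
sugroup:x:1001:
EOF

audit_su "$tmp/su.good" "$tmp/group"            # prints PASS
audit_su "$tmp/su.bad"  "$tmp/group" || true    # prints FAIL (commented-out line is not active)

# Run the same check against the live system when the files are readable.
[ -r /etc/pam.d/su ] && [ -r /etc/group ] && audit_su /etc/pam.d/su /etc/group || true
```

The awk parser treats a commented-out pam_wheel.so line as absent and stops reading options at an inline "#", which are the two ways a line that looks compliant at a glance can fail the benchmark's regex; checking the group's member field separately catches the case where the restriction is configured but the group has since been populated.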

Remediation

Create an empty group that will be specified for use of the su command. The group should be named according to site policy.

Example:

# groupadd sugroup

Add the following line to the /etc/pam.d/su file, specifying the empty group:

auth required pam_wheel.so use_uid group=sugroup