Amazon Linux 2023 must restrict the use of the "su" command.

STIG ID: AZLX-23-002440  |  SRG: SRG-OS-000312-GPOS-00123 |  Severity: medium (CAT II)  |  CCI: CCI-002165 |  Vulnerability Id: V-274151

Vulnerability Discussion

The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice.

Check

Verify Amazon Linux 2023 requires uses to be members of the "wheel" group with the following command:

$ grep pam_wheel /etc/pam.d/su
auth required pam_wheel.so use_uid

If a line for "pam_wheel.so" does not exist, or is commented out, this is a finding.

Fix

Configure Amazon Linux 2023 to require users to be in the "wheel" group to run "su" command.

In file "/etc/pam.d/su", uncomment the following line:

"#auth required pam_wheel.so use_uid"

$ sudo sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su

If necessary, create a "wheel" group and add administrative users to the group.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.