RHEL 9 must restrict the use of the "su" command.

STIG ID: RHEL-09-432035  |  SRG: SRG-OS-000373-GPOS-00156 | Severity: medium |  CCI: CCI-004895,CCI-002165

Vulnerability Discussion

The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice.

Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123

Check

Verify that RHEL 9 requires uses to be members of the "wheel" group with the following command:

$ grep pam_wheel /etc/pam.d/su

auth required pam_wheel.so use_uid

If a line for "pam_wheel.so" does not exist, or is commented out, this is a finding.

Fix

Configure RHEL 9 to require users to be in the "wheel" group to run "su" command.

In file "/etc/pam.d/su", uncomment the following line:

"#auth required pam_wheel.so use_uid"

$ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su

If necessary, create a "wheel" group and add administrative users to the group.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.