RHEL 10 must restrict the use of the "su" command.

STIG ID: RHEL-10-600500  |  SRG: SRG-OS-000373-GPOS-00156 |  Severity: medium (CAT II)  |  CCI: CCI-002038,CCI-002165 |  Vulnerability Id: V-281205

Vulnerability Discussion

The "su" program allows commands to be run with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice.

Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123

Check

Verify RHEL 10 requires users to be members of the "wheel" group to run "su".

Verify the configuration with the following command:

$ sudo grep pam_wheel /etc/pam.d/su
auth required pam_wheel.so use_uid

If a line for "pam_wheel.so" does not exist or is commented out, this is a finding.

Fix

Configure RHEL 10 to require users to be in the "wheel" group to run the "su" command.

Edit the configuration file:

$ sudo vi /etc/pam.d/su

Add the following lines:

auth required pam_wheel.so use_uid
$ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su

If necessary, create a "wheel" group and add administrative users to the group.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.