← Rules Catalog
mediumaccess-controlunverified

Ensure the su command requires wheel-group membership (pam_wheel)

pam-wheel-su-configured · RHEL ≥ 8 · 1 impl

Description

/etc/pam.d/su must contain `auth required pam_wheel.so use_uid` so that only members of the wheel group may use su. (STIG expects the wheel group to hold the authorized administrators — it does NOT require an empty wheel group; the empty-wheel form is the stricter CIS 5.2.7 variant, covered by pam-wheel-su.)

Rationale

Without pam_wheel, any user can attempt su to another account; restricting su to the wheel group limits privilege escalation to authorized administrators.

Check → Remediate

Checkcommand
grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so([[:space:]]|$).*use_uid|^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' /etc/pam.d/su
expected_exit:
0
Remediatepam_module_configure
service:
su
module:
pam_wheel.so
type:
auth
control:
required
args:
use_uid

Framework references

STIG

V-281205 / RHEL-10-600500V-258088 / RHEL-09-432035

NIST 800-53

AC-6
#pam#su#wheel#privilege-escalation#stig