mediumaccess-controlunverified
Ensure the su command requires wheel-group membership (pam_wheel)
pam-wheel-su-configured · RHEL ≥ 8 · 1 impl
Description
/etc/pam.d/su must contain `auth required pam_wheel.so use_uid` so that only members of the wheel group may use su. (STIG expects the wheel group to hold the authorized administrators — it does NOT require an empty wheel group; the empty-wheel form is the stricter CIS 5.2.7 variant, covered by pam-wheel-su.)
Rationale
Without pam_wheel, any user can attempt su to another account; restricting su to the wheel group limits privilege escalation to authorized administrators.
Check → Remediate
Checkcommand
grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so([[:space:]]|$).*use_uid|^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' /etc/pam.d/su
- expected_exit:
- 0
Remediatepam_module_configure
- service:
- su
- module:
- pam_wheel.so
- type:
- auth
- control:
- required
- args:
- use_uid
Framework references
STIG
V-281205 / RHEL-10-600500V-258088 / RHEL-09-432035
NIST 800-53
AC-6
#pam#su#wheel#privilege-escalation#stig