mediumaccess-controlverified ✓rollback-safe
Ensure access to the su command is restricted
pam-wheel-su · RHEL ≥ 8 · 1 impl
Description
Access to the su command must be restricted to the wheel group via pam_wheel.so, and the wheel group must have no members beyond those explicitly authorized. An empty wheel group is the most restrictive configuration, ensuring only root can use su.
Rationale
Unrestricted su access allows any user to attempt to become root, increasing brute-force attack surface. Requiring wheel group membership limits su to explicitly authorized users.
Check → Remediate
Checkcomposed · 2 sub-checks (all must pass)
- 1. command:
- run=grep -qE '^\s*auth\s+required\s+pam_wheel\.so\s+use_uid' /etc/pam.d/su expected_exit=0
- 2. command:
- run=members=$(getent group wheel | cut -d: -f4) if [ -n "$members" ]; then echo "FAIL: wheel group has members: $members" exit 1 fi echo "OK: wheel group is empty" expected_exit=0
Remediatepam_module_configure
- service:
- su
- module:
- pam_wheel.so
- type:
- auth
- control:
- required
- args:
- use_uid
Framework references
CIS
rhel9 5.2.7rhel8 5.2.7rhel10 5.2.7
NIST 800-53
AC-3AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#su#access-control