← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure access to the su command is restricted

pam-wheel-su · RHEL ≥ 8 · 1 impl

Description

Access to the su command must be restricted to the wheel group via pam_wheel.so, and the wheel group must have no members beyond those explicitly authorized. An empty wheel group is the most restrictive configuration, ensuring only root can use su.

Rationale

Unrestricted su access allows any user to attempt to become root, increasing brute-force attack surface. Requiring wheel group membership limits su to explicitly authorized users.

Check → Remediate

Checkcomposed · 2 sub-checks (all must pass)
1. command:
run=grep -qE '^\s*auth\s+required\s+pam_wheel\.so\s+use_uid' /etc/pam.d/su expected_exit=0
2. command:
run=members=$(getent group wheel | cut -d: -f4) if [ -n "$members" ]; then echo "FAIL: wheel group has members: $members" exit 1 fi echo "OK: wheel group is empty" expected_exit=0
Remediatepam_module_configure
service:
su
module:
pam_wheel.so
type:
auth
control:
required
args:
use_uid

Framework references

CIS

rhel9 5.2.7rhel8 5.2.7rhel10 5.2.7

NIST 800-53

AC-3AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#su#access-control