{"description": "To ensure that only users who are members of the <tt>wheel</tt> group can\nrun commands with altered privileges through the <tt>su</tt> command, make\nsure that the following line exists in the file <tt>/etc/pam.d/su</tt>:\n<pre>auth required pam_wheel.so use_uid</pre>", "rationale": "The <tt>su</tt> program allows to run commands with a substitute user and\ngroup ID. It is commonly used to run commands as the root user. Limiting\naccess to such command is considered a good security practice.", "severity": "medium", "references": {"ospp": ["FMT_SMF_EXT.1.1"], "srg": ["SRG-OS-000373-GPOS-00156", "SRG-OS-000312-GPOS-00123"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the line is not in the file or it is commented", "ocil": "Run the following command to check if the line is present:\n<pre>grep pam_wheel /etc/pam.d/su</pre>\nThe output should contain the following line:\n<pre>auth required pam_wheel.so use_uid</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to require users to be in the \"wheel\" group to run \"su\" command.\n\nIn file \"/etc/pam.d/su\", uncomment the following line:\n\n\"#auth required pam_wheel.so use_uid\"\n\n$ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\\+required[[:space:]]\\+pam_wheel\\.so[[:space:]]\\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su\n\nIf necessary, create a \"wheel\" group and add administrative users to the group.", "checktext": "", "vuldiscussion": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", "srg_requirement": "Ubuntu 22.04 Must Require Users To Re-Authenticate For Privilege Escalation.", "warnings": [{"general": "Members of \"wheel\" or GID 0 groups are checked by default if the group option is not set\nfor pam_wheel.so module. Therefore, members of these groups should be manually checked or\na different group should be informed according to the site policy."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must restrict the use of the \"su\" command.", "vuldiscussion": "The \"su\" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice.", "checktext": "Verify that Ubuntu 22.04 requires uses to be members of the \"wheel\" group with the following command:\n\n$ grep pam_wheel /etc/pam.d/su\n\nauth             required        pam_wheel.so use_uid\n\nIf a line for \"pam_wheel.so\" does not exist, or is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to require users to be in the \"wheel\" group to run \"su\" command.\n\nIn file \"/etc/pam.d/su\", uncomment the following line:\n\n\"#auth    required    pam_wheel.so use_uid\"\n\n$ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\\+required[[:space:]]\\+pam_wheel\\.so[[:space:]]\\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su\n\nIf necessary, create a \"wheel\" group and add administrative users to the group."}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enforce usage of pam_wheel for su authentication", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml", "template": null}