{"description": "To ensure that only users who are members of the group set in the <tt>group</tt> option of\n<tt>pam_wheel.so</tt> module can run commands with altered privileges through the <tt>su</tt>\ncommand, make sure that the following line exists in the file <tt>/etc/pam.d/su</tt>:\n<pre>auth required pam_wheel.so use_uid group=<sub idref=\"var_pam_wheel_group_for_su\" /></pre>", "rationale": "The <tt>su</tt> program allows to run commands with a substitute user and group ID.\nIt is commonly used to run commands as the root user.\nLimiting access to such command is considered a good security practice.", "severity": "medium", "references": {"cis": ["5.2.7"], "pcidss4": ["2.2.6", "2.2"]}, "control_references": {"cis": ["5.2.7"], "pcidss4": ["2.2.6", "2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the line is not in the file or it is commented", "ocil": "Run the following command to check if the line is present:\n<pre>grep pam_wheel /etc/pam.d/su</pre>\nThe output should contain the following line:\n<pre>auth required pam_wheel.so use_uid group=<sub idref=\"var_pam_wheel_group_for_su\" /></pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Note that <tt>ensure_pam_wheel_group_empty</tt> rule complements this requirement by\nensuring the referenced group exists and has no members."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enforce Usage of pam_wheel with Group Parameter for su Authentication", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml", "template": null}