Ensure the Group Used by pam_wheel Module Exists on System and is Empty

Classification:

compliance

Description

Ensure that the group sugroup referenced by the pam_wheel group parameter exists and has no members. Because pam_wheel only lets members of that group use su, an empty group means no user can run commands with altered privileges through the su command.

Rationale

The su program allows running commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to this command is considered good security practice.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

var_pam_wheel_group_for_su='sugroup'

# create the group if no entry for it exists in /etc/group
if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then
    groupadd "${var_pam_wheel_group_for_su}"
fi

# group must be empty: remove every current member
grp_memb=$(groupmems -g "${var_pam_wheel_group_for_su}" -l)
if [ -n "${grp_memb}" ]; then
    for memb in ${grp_memb}; do
        deluser "${memb}" "${var_pam_wheel_group_for_su}"
    done
fi
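The remediation above creates the group and empties it but does not tell you whether the control actually holds. The audit check below is an added example (not part of the compliance content) that verifies all three conditions the rule depends on: the group exists, it has no members, and an active pam_wheel.so line in the su PAM stack names it. The file paths and the sample /etc/group and /etc/pam.d/su contents are constructed for the example; point the function at the real files to audit a host.

```shell
#!/bin/sh
# Added audit example: verify that the pam_wheel group exists, has no members,
# and is the group named on an active pam_wheel.so line in the su PAM stack.
# File paths are parameters so the check can be pointed at the constructed
# sample files below or at the live /etc/group and /etc/pam.d/su.
check_wheel_group() {
  group="$1"; group_file="$2"; pam_su="$3"
  # /etc/group fields: name:password:gid:member,list
  entry=$(grep "^${group}:" "$group_file") || {
    echo "FAIL: group ${group} not found in ${group_file}"; return 1; }
  members=$(printf '%s\n' "$entry" | cut -d: -f4)
  if [ -n "$members" ]; then
    echo "FAIL: group ${group} has members: ${members}"; return 2
  fi
  # The pam_wheel line must not be commented out and must name exactly this group.
  if ! grep -Eq "^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so.*group=${group}([[:space:]]|$)" "$pam_su"; then
    echo "FAIL: no active pam_wheel.so line with group=${group} in ${pam_su}"; return 3
  fi
  echo "PASS: ${group} exists, is empty, and is enforced by pam_wheel"
}

# Constructed sample files (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
printf 'root:x:0:\nsugroup:x:1001:\n' > "$SAMPLE_DIR/group_ok"
printf 'root:x:0:\nsugroup:x:1001:alice,bob\n' > "$SAMPLE_DIR/group_members"
printf 'root:x:0:\nwheel:x:10:\n' > "$SAMPLE_DIR/group_missing"
printf 'auth required pam_wheel.so use_uid group=sugroup\n' > "$SAMPLE_DIR/su_ok"
printf '# auth required pam_wheel.so use_uid group=sugroup\n' > "$SAMPLE_DIR/su_commented"

# Run the check against each sample; only group_ok with su_ok should PASS.
for sample in group_ok group_members group_missing; do
  echo "$sample: $(check_wheel_group sugroup "$SAMPLE_DIR/$sample" "$SAMPLE_DIR/su_ok")"
done
echo "su_commented: $(check_wheel_group sugroup "$SAMPLE_DIR/group_ok" "$SAMPLE_DIR/su_commented")"
```

The distinct return codes (1 missing group, 2 non-empty group, 3 pam_wheel not enforcing) let a scanner report which part of the control failed rather than a single pass/fail.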