Enforce Usage of pam_wheel with Group Parameter for su Authentication
Description
To ensure that only users who are members of the group named by the group
parameter of pam_wheel can run commands with altered privileges through the
su command, make sure that the following line exists in the file /etc/pam.d/su:

auth required pam_wheel.so use_uid group=sugroup

The use_uid option makes pam_wheel check the real UID of the calling process
instead of the user name recorded for the login session, so a user cannot
evade the check by changing the user name PAM is handed. The line belongs
directly after the "auth sufficient pam_rootok.so" entry, so that root can
still run su without being a member of the group. The group named by group=
must already exist (for example, created with groupadd sugroup): if it does
not, pam_wheel returns an authentication error and su is denied for every
non-root user rather than restricted to the intended members.
Rationale
The su program runs commands with a substitute user and group ID. It is
commonly used to run commands as the root user. Limiting access to such a
command to a known set of accounts is considered good security practice: an
attacker who compromises an ordinary account cannot then use su to attempt,
or brute-force, authentication as root.
Shell script
The following script can be run on the host to remediate the issue. It relies
on GNU grep (-P) and GNU sed (-E, -i), and on the file already containing an
"auth sufficient pam_rootok.so" line, after which the pam_wheel line is added.
var_pam_wheel_group_for_su='sugroup'
PAM_CONF=/etc/pam.d/su
# Look for an active line that carries both use_uid and group= (text after '#' is ignored).
pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' "${PAM_CONF}")
if [ -z "$pamstr" ]; then
    # Remove any remaining uncommented pam_wheel.so auth line, then add the required
    # one directly after pam_rootok.so so that root keeps unrestricted su.
    sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' "${PAM_CONF}"
    sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" "${PAM_CONF}"
    # If the file has no pam_rootok.so line the 'a' command above inserts nothing,
    # so fall back to placing the line at the top of the stack.
    if ! grep -qP '^auth\s+required\s+pam_wheel\.so' "${PAM_CONF}"; then
        sed -i "1i auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" "${PAM_CONF}"
    fi
else
    # The line exists; make sure its group= value is the expected one.
    group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2)
    if [ -z "${group_val}" ] || [ "${group_val}" != "${var_pam_wheel_group_for_su}" ]; then
        sed -Ei "s/(^auth\s+required\s+pam_wheel\.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" "${PAM_CONF}"
    fi
fi
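As an added example (not part of the rule content or of its remediation script), the following POSIX shell audit reads an /etc/pam.d/su-style file and reports which of the conditions in the description is missing: an active pam_wheel auth line, the use_uid option, the absence of the deny option (which turns the group into a block-list instead of an allow-list), and the expected group name. It also checks that the group exists, since a missing group makes pam_wheel deny su outright. The sample configuration files, their names and the return-code scheme are constructed for the demonstration; the group name sugroup follows the rule text.

```shell
#!/bin/sh
# Added audit example for the pam_wheel rule; not part of the SCAP content.
# Sample files written by write_samples are constructed, not real system files.

# Print the first active (uncommented) "auth required pam_wheel.so" line with
# any trailing comment removed and tabs turned into spaces. Leading whitespace
# is tolerated because PAM accepts it even though the remediation regex does not.
pam_wheel_line() {
    grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1" \
        | head -n 1 | sed 's/#.*//' | tr '\t' ' '
}

# check_pam_wheel FILE GROUP
# Return codes (chosen for this example): 0 compliant; 1 no active pam_wheel
# line; 2 use_uid missing; 3 deny present; 4 group= missing or not GROUP.
check_pam_wheel() {
    opts=$(pam_wheel_line "$1")
    [ -n "$opts" ] || return 1
    case " $opts " in *" use_uid "*) ;; *) return 2 ;; esac
    case " $opts " in *" deny "*) return 3 ;; esac
    got=$(printf '%s\n' "$opts" | sed -n 's/.* group=\([^ ]*\).*/\1/p')
    [ "$got" = "$2" ] || return 4
}

# The group named by group= must exist; otherwise pam_wheel fails every
# non-root su attempt instead of restricting it to the group's members.
group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

describe() {
    case "$1" in
        0) echo "compliant" ;;
        1) echo "no active pam_wheel.so auth line" ;;
        2) echo "use_uid missing" ;;
        3) echo "deny present: group acts as a block-list" ;;
        *) echo "group= missing or not the expected group" ;;
    esac
}

# Constructed sample files covering the compliant case and each failure mode.
write_samples() {
    cat > "$1/su.good" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so use_uid group=sugroup   # restrict su
auth       substack   system-auth
EOF
    cat > "$1/su.commented" <<'EOF'
auth       sufficient pam_rootok.so
#auth      required   pam_wheel.so use_uid group=sugroup
auth       substack   system-auth
EOF
    cat > "$1/su.nouid" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so group=sugroup
EOF
    cat > "$1/su.deny" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so use_uid deny group=sugroup
EOF
    cat > "$1/su.wheel" <<'EOF'
auth       sufficient pam_rootok.so
auth	required	pam_wheel.so use_uid group=wheel
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/su.*; do
    rc=0
    check_pam_wheel "$f" sugroup || rc=$?
    printf '%s: %s\n' "$(basename "$f")" "$(describe "$rc")"
done
group_exists sugroup || echo "group sugroup does not exist on this host"
rm -rf "$tmp"
```

Run against the real file with check_pam_wheel /etc/pam.d/su sugroup; a non-zero return code names the first condition that fails, in the order the description lists them.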