Check: GEN000850
VMware ESX 3 Server: GEN000850 (in version v1 r2)
Title
The system must restrict the ability to switch to the root user for members of a defined group. (Cat III impact)
Discussion
Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.
Check Content
Consult vendor documentation to determine if a specific configuration setting is available to restrict the ability to switch to the root user. If there is, and it is not configured, this is a finding. If there is no specific configuration setting, verify that su is group-owned by the group permitted to access root and has no other execute permission.
Procedure:
# ls -l /bin/su
If the group owner is not the group permitted access to root, or if /bin/su is executable by other users, this is a finding.
Fix Text
If the OS has a specific configuration setting to restrict access to root to a particular group, configure it in accordance with vendor documentation. Otherwise, change the group ownership of su to the group permitted root access, and remove any other execute permission.
Procedure:
# chgrp <authorized group> /bin/su
# chmod o-x /bin/su
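The check above can be scripted so that the group-owner and other-execute conditions are evaluated from the ls -l output rather than read by eye. This is an added example, not part of the STIG text: it assumes the site's authorized group is named wheel and uses constructed ls -l lines rather than output captured from an ESX host.

```shell
#!/bin/sh
# gen000850_check LINE GROUP
#   LINE  : one line of `ls -l /bin/su` output
#   GROUP : the group permitted to switch to root (site-defined; wheel assumed here)
# Returns 0 when compliant, 1 when this is a finding; prints the reason.
gen000850_check() {
    line=$1
    auth_group=$2
    # Split the ls -l line into fields: mode, links, owner, group, size, ...
    set -- $line
    mode=$1
    group=$4
    result=0
    # Field 4 of ls -l is the group owner; it must be the authorized group.
    if [ "$group" != "$auth_group" ]; then
        echo "FINDING: group owner is '$group', expected '$auth_group'"
        result=1
    fi
    # Character 10 of the mode string is the "other" execute bit
    # ('x', or 't' for sticky plus execute); anything else means o-x is set.
    other_x=$(printf '%s' "$mode" | cut -c10)
    case $other_x in
        x|t) echo "FINDING: /bin/su is executable by other ($mode)"; result=1 ;;
    esac
    [ "$result" -eq 0 ] && echo "OK: $mode group=$group"
    return $result
}

# Constructed sample lines (not captured from a real system):
COMPLIANT_SU='-rwsr-x--- 1 root wheel 24520 Jan 1 2008 /bin/su'
WORLD_EXEC_SU='-rwsr-xr-x 1 root root 24520 Jan 1 2008 /bin/su'

gen000850_check "$COMPLIANT_SU" wheel || true
gen000850_check "$WORLD_EXEC_SU" wheel || true
# Live use on a host: gen000850_check "$(ls -l /bin/su)" wheel
```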
Additional Identifiers
Rule ID: SV-26348r1_rule
Vulnerability ID: V-22308
Group Title: GEN000850
CCIs
Number | Definition
---|---
CCI-000009 | The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.
Controls
Number | Title
---|---
No controls are assigned to this check. |