Profile Applicability:
• Level 1
Description:
The su command allows a user to switch to another user account, commonly to root. Restricting access to the su command limits who can perform privilege escalation, reducing the risk of unauthorized root access.
Rationale:
Controlling access to su helps enforce the principle of least privilege and prevents unauthorized users from gaining elevated access.
Impact:
Pros:
Enhances system security by limiting privilege escalation.
Supports accountability by restricting root access.
Cons:
May limit legitimate administrative access if not managed properly.
Default Value:
By default, access to su may be unrestricted or limited depending on system configuration.
Pre-requisites:
Root or sudo privileges to configure user group memberships and file permissions.
Remediation:
Test Plan:
Using Linux command line:
1. Check the group ownership and permissions of the su binary:
ls -l /bin/su
Identify whether su is restricted to a specific group (e.g., wheel or root).
2. Verify which users are members of the group allowed to use su:
getent group wheel
(Replace wheel with the appropriate group if different.)
Implementation Plan:
Using Linux command line:
1. Change group ownership of the su binary to a restricted group (e.g., wheel):
chgrp wheel /bin/su
chmod 4750 /bin/su
2. Add authorized users to the restricted group:
usermod -aG wheel <username>
3. Verify permissions and group memberships.
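As an added example (not part of the benchmark text or the su manual), the following POSIX sh helper parses the ls -l and getent output that the Test Plan inspects and applies the checks from step 3 of the Implementation Plan: setuid set, no "other" permission bits (mode 4750), and membership of a given user in the owning group. The sample lines, group and usernames are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added audit helper, not part of the CIS benchmark text. It parses the two
# outputs the Test Plan inspects (ls -l /bin/su and getent group wheel) and
# reports whether su is restricted to a group and whether a user belongs to it.
# The sample lines are constructed, not captured from a real host.

SAMPLE_LS_RESTRICTED='-rwsr-x--- 1 root wheel 59976 Jan  1 2024 /bin/su'
SAMPLE_LS_OPEN='-rwsr-xr-x 1 root root 59976 Jan  1 2024 /bin/su'
SAMPLE_GROUP='wheel:x:10:alice,bob'

# su_mode_restricted LS_LINE: succeeds when the setuid bit is set and "other"
# has no permission bits, i.e. the 4750 mode the Implementation Plan applies.
su_mode_restricted() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    setuid=$(printf '%s\n' "$mode" | cut -c4)
    other=$(printf '%s\n' "$mode" | cut -c8-10)
    [ "$setuid" = "s" ] && [ "$other" = "---" ]
}

# su_group LS_LINE: prints the group that owns the binary (4th ls -l column).
su_group() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# user_in_group USER GETENT_LINE: succeeds when USER appears in the
# comma-separated member field of the getent group output.
user_in_group() {
    printf '%s\n' "$2" | cut -d: -f4 | tr ',' '\n' | grep -qx -- "$1"
}

# audit_su LS_LINE GETENT_LINE USER: prints one PASS/FAIL line; returns 1 when
# su is executable by everyone, 0 when it is limited to the owning group.
audit_su() {
    if ! su_mode_restricted "$1"; then
        echo "FAIL: su is executable by all users (expected mode 4750)"
        return 1
    fi
    grp=$(su_group "$1")
    if user_in_group "$3" "$2"; then
        echo "PASS: su limited to group $grp; $3 is a member"
    else
        echo "PASS: su limited to group $grp; $3 is not a member"
    fi
}

audit_su "$SAMPLE_LS_RESTRICTED" "$SAMPLE_GROUP" alice
```

On a live host, feed it the real output, e.g. audit_su "$(ls -l /bin/su)" "$(getent group wheel)" "$USER".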
Backout Plan:
Using Linux command line:
1. Revert su permissions and group ownership if necessary:
chgrp root /bin/su
chmod 4755 /bin/su
2. Remove users from the restricted group if needed.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
su Manual