
The system must restrict the ability to switch to the root user for members of a defined group.


Overview

Finding ID: V-22308
Version: GEN000850
Rule ID: SV-26348r1_rule
IA Controls: ECLP-1
Severity: Low
Description
Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.
STIG: UNIX SRG
Date: 2013-03-26

Details

Check Text (C-27455r1_chk)
Consult vendor documentation to determine if a specific configuration setting is available to restrict the ability to switch to the root user. If there is, and this is not configured, this is a finding.

If there is no specific configuration setting, verify that su is group-owned by the group permitted to access root and is not executable by other users.

Procedure:
# ls -l /bin/su

If the group owner is not the group permitted access to root, or if /bin/su is executable by other users, this is a finding.
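
The manual check above can be scripted. The following is an added example, not part of the STIG text: the function name check_su_restriction is hypothetical, and it assumes a stat that supports the -c format option (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: automates the manual "ls -l /bin/su" check.
# Assumes GNU or BusyBox stat (the -c format option).

# check_su_restriction PATH GROUP
# Returns 0 when PATH is group-owned by GROUP and has no "other" execute
# bit, 1 when either condition fails (a finding), 2 if PATH cannot be read.
check_su_restriction() {
    su_path=$1
    allowed_group=$2
    finding=0

    # -L follows symlinks so the file that is actually executed is examined.
    group=$(stat -L -c '%G' "$su_path" 2>/dev/null) || return 2
    mode=$(stat -L -c '%a' "$su_path" 2>/dev/null) || return 2

    if [ "$group" != "$allowed_group" ]; then
        echo "FINDING: $su_path is group-owned by '$group', expected '$allowed_group'"
        finding=1
    fi

    # %a prints the mode in octal; the leading 0 makes the shell parse it
    # as octal. Bit 01 is execute permission for "other".
    if [ $(( 0$mode & 01 )) -ne 0 ]; then
        echo "FINDING: $su_path is executable by other users (mode $mode)"
        finding=1
    fi

    [ "$finding" -eq 0 ] && echo "OK: $su_path (group $group, mode $mode)"
    return "$finding"
}

# Run the check only when called with two arguments, e.g.:
#   sh check_su.sh /bin/su <group permitted root access>
if [ "$#" -eq 2 ]; then
    check_su_restriction "$1" "$2"
fi
```
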
Fix Text (F-23524r1_fix)
If the OS has a specific configuration setting to restrict access to root to a particular group, configure this in accordance with vendor documentation.

Otherwise, change the group ownership of su to the group permitted root access, and remove any other execute permission.

Procedure:
# chgrp <group> /bin/su
# chmod o-x /bin/su