Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must restrict the ability to switch to the root user for members of a defined group.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-22308 | GEN000850 | SV-26348r1_rule | ECLP-1 | Low |
| Description |
|---|
| Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials. |
| STIG | Date |
|---|---|
| UNIX SRG | 2013-03-26 |
Details
| Check Text ( C-27455r1_chk ) |
|---|
| Consult vendor documentation to determine if a specific configuration setting is available to restrict the ability to switch to the root user. If there is, and this is not configured, this is a finding. If there is not specific configuration, verify su is group-owned by the group permitted to access root and has no other execute permission. Procedure: # ls -l /bin/su If the group owner is not the group permitted access to root, or if /bin/su is executable by other users, this is a finding. |
| Fix Text (F-23524r1_fix) |
|---|
| If the OS has a specific configuration setting to restrict access to root to a particular group, configure this in accordance with vendor documentation. Otherwise, change the group ownership of su to the group permitted root access, and remove any other execute permission. Procedure: # chgrp # chmod o-x /bin/su |