UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must restrict the ability to switch to the root user for members of a defined group.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22308 GEN000850 SV-26348r1_rule ECLP-1 Low
Description
Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.
STIG Date
UNIX SRG 2013-03-26

Details

Check Text ( C-27455r1_chk )
Consult vendor documentation to determine if a specific configuration setting is available to restrict the ability to switch to the root user. If there is, and this is not configured, this is a finding.

If there is not specific configuration, verify su is group-owned by the group permitted to access root and has no other execute permission.

Procedure:
# ls -l /bin/su

If the group owner is not the group permitted access to root, or if /bin/su is executable by other users, this is a finding.
Fix Text (F-23524r1_fix)
If the OS has a specific configuration setting to restrict access to root to a particular group, configure this in accordance with vendor documentation.

Otherwise, change the group ownership of su to the group permitted root access, and remove any other execute permission.

Procedure:
# chgrp /bin/su
# chmod o-x /bin/su