
The system must restrict the ability to switch to the root user for members of a defined group.


Overview

Finding ID: V-22308
Version: GEN000850
Rule ID: SV-26348r1_rule
IA Controls: ECLP-1
Severity: Low
Description
Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.
STIG: VMware ESX 3 Server
Date: 2016-05-13

Details

Check Text (C-27455r1_chk)
Consult vendor documentation to determine if a specific configuration setting is available to restrict the ability to switch to the root user. If there is, and this is not configured, this is a finding.

If there is no specific configuration setting, verify that su is group-owned by the group permitted to access root and is not executable by other users.

Procedure:
# ls -l /bin/su

If the group owner is not the group permitted access to root, or if /bin/su is executable by other users, this is a finding.
Fix Text (F-23524r1_fix)
If the OS has a specific configuration setting to restrict access to root to a particular group, configure this in accordance with vendor documentation.

Otherwise, change the group ownership of su to the group permitted root access, and remove execute permission for other users.

Procedure:
# chgrp <group> /bin/su
# chmod o-x /bin/su
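
The manual check above (ls -l /bin/su, then inspect the group owner and the other-execute bit) can be scripted. The following is an added example, not part of the STIG text; the function names are hypothetical and the permitted group name (for example "wheel") is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example: automates the GEN000850 check. Not part of the STIG text.
# Usage (group name is an assumption): check_su_restricted /bin/su wheel

# Print the group owner of a file, as shown in column 4 of `ls -ld`.
su_group_owner() {
    ls -ld -- "$1" | awk '{print $4}'
}

# Return 0 if the "other" class holds execute permission on the file.
su_other_exec() {
    mode=$(ls -ld -- "$1" | awk '{print $1}')
    # Character 10 of the mode string is the other-execute position.
    case $(printf '%s' "$mode" | cut -c10) in
        x|t) return 0 ;;   # 't' = sticky bit set together with other-execute
        *)   return 1 ;;   # '-' or 'T' = no execute permission for others
    esac
}

# check_su_restricted PATH GROUP
# Returns 0 when compliant, 1 on a finding, 2 if the file cannot be inspected.
check_su_restricted() {
    path=$1 want=$2 rc=0
    [ -e "$path" ] || { echo "ERROR: $path not found" >&2; return 2; }
    have=$(su_group_owner "$path")
    if [ "$have" != "$want" ]; then
        echo "FINDING: $path is group-owned by '$have', expected '$want'"
        rc=1
    fi
    if su_other_exec "$path"; then
        echo "FINDING: $path is executable by other users"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path restricted to group '$want'"
    return "$rc"
}
```

Both conditions are evaluated on every run, so a file that fails on group ownership and on the other-execute bit reports two findings in one pass.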