Is test 5.6 incomplete?

[jvleminc]

Not sure if placing the root user in the sudo group is sufficient to restrict su access.

# 5.6 Ensure access to the su command is restricted
# Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program.
- name: 5.6 Ensure access to the su command is restricted
  user:
    name: "root"
    groups: ["sudo"]

Other manuals state:
Solution: Create an empty group that will be specified for use of the su command. The group should be named according to site policy.

groupadd sugroup

Add the following line to the /etc/pam.d/su file, specifying the empty group:

auth required pam_wheel.so use_uid group=sugroup

[alivx]

Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program.

https://linux.die.net/man/8/pam_wheel

Here an exmaple for centos7, I will check it if it work on Ubuntu.
https://secscan.acron.pl/centos7/5/6

BTW @jvleminc , currently i'm working 'cis-red-hat-enterprise-linux-8-rhel-benchmark' repo, I may need your help with it :)

[jvleminc]

Hmmm, I didn't understand your answer :-(

Did you confirm that the task is incomplete and can/should be completed with the pam_wheel commands?

(My company is not working with RedHat, so no real interest from my side, sorry :-))

[alivx]

I'm not sure what should I do with task 5.6,
but, I agree with your suggestion.

[jvleminc]

I will have a look, I also don't really understand how to implement this. :-/

[alivx]

Don't worry, I will dig deep with this task in order to implement it, will update you once I finish

[jvleminc]

@alivx Could you have a look?

[alivx]

Please check this PR: #28
Let me know your feedback

FYI:
https://www.thegeekdiary.com/how-to-restrict-su-access-to-a-user-only-by-pam/

[jvleminc]

PR merged, will lock this thread.