DLPX-86535 CIS: restrict access to su command #469

Merged

rupalimatkar
Contributor

@rupalimatkar rupalimatkar commented Dec 7, 2023

Problem

Status of the pam module 'pam_wheel.so' setting in PAM configuration file '/etc/pam.d/su'

The 'su' (switch user) command in '/etc/pam.d/su' allows a user to run a shell or execute commands 
using a different user/group ID, which also provides the privileges of that user. As there are well known 
privilege escalation risks and a lack of granular logging and auditing while using 'su', this module 
should be configured according to the needs of the business. 
NOTE: A comma-separated 'user list' should be reviewed and approved in the 'wheel statement' 
within the '/etc/group' file, according to the CIS Benchmark, should be completed.

Remediation: # Edit file '/etc/pam.d/su' to add or uncomment the 'pam_wheel.so' statement to 
allow only users which are in the wheel group to execute su according to the business needs 
and organization's security policies.
auth <required|requisite> pam_wheel.so

# Example
auth required pam_wheel.so

Solution

  • Updated /etc/pam.d/su file to restrict access to su command by uncommenting auth required pam_wheel.so in the file.
  • Validated sudo su works fine with this code change.

Testing Done

http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/7619/ - Successful
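
A read-only check for the setting described in this PR, as an added example that is not part of the PR or the project's code: it confirms that an uncommented `auth required|requisite pam_wheel.so` line exists and lists the members of the group it enforces. The function names are hypothetical and the sample PAM and group files are constructed.

```shell
#!/bin/sh
# Added example (not from the PR): read-only audit of the pam_wheel setting.
# Function names are hypothetical; the sample files below are constructed.

# Print the active auth line that loads pam_wheel.so with a required or
# requisite control flag; return 1 when only commented-out lines exist.
pam_wheel_line() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
            $3 ~ "(^|/)pam_wheel[.]so$" { print; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Print the group pam_wheel checks: its group= argument, else "wheel".
pam_wheel_group() {
    line=$(pam_wheel_line "$1") || return 1
    for tok in $line; do
        case $tok in group=*) echo "${tok#group=}"; return 0 ;; esac
    done
    echo wheel
}

# Print the comma-separated member list of group $2 from group file $1.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4; found = 1 } END { exit !found }' "$1"
}

# usage: audit_su PAM_FILE GROUP_FILE   (0 = pass, 1 = not enforced, 2 = review)
audit_su() {
    grp=$(pam_wheel_group "$1") || { echo "FAIL: no active pam_wheel.so auth line in $1"; return 1; }
    if members=$(group_members "$2" "$grp"); then
        echo "PASS: su limited to group '$grp' (members: ${members:-none})"
    else
        # pam_wheel(8): with no wheel group defined, the module uses the GID 0 group.
        echo "WARN: group '$grp' is not defined in $2"; return 2
    fi
}

# Constructed sample input: the PAM file before and after the change, plus a group file.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'auth sufficient pam_rootok.so' '# auth required pam_wheel.so' > "$tmp/su.before"
printf '%s\n' 'auth sufficient pam_rootok.so' 'auth       required   pam_wheel.so' > "$tmp/su.after"
printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,bob' > "$tmp/group"
audit_su "$tmp/su.before" "$tmp/group" || true
audit_su "$tmp/su.after" "$tmp/group"
```

On a live host the same call is `audit_su /etc/pam.d/su /etc/group`; the member list it prints is the 'user list' the finding asks to have reviewed.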

@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/4d6c82a6-f958-4d65-88c5-7372817b8fd6 branch 2 times, most recently from 59b9ada to a73bf9e Compare December 7, 2023 10:16
@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/4d6c82a6-f958-4d65-88c5-7372817b8fd6 branch from a73bf9e to bca3262 Compare December 7, 2023 10:17
@rupalimatkar rupalimatkar self-assigned this Dec 8, 2023
@rupalimatkar rupalimatkar marked this pull request as ready for review December 14, 2023 09:04
@rupalimatkar rupalimatkar marked this pull request as draft December 14, 2023 09:05
@rupalimatkar rupalimatkar marked this pull request as ready for review December 14, 2023 09:06
@rupalimatkar rupalimatkar requested a review from sebroy December 15, 2023 05:10
@rupalimatkar rupalimatkar merged commit 3156b5f into develop Dec 17, 2023
@rupalimatkar rupalimatkar deleted the dlpx/pr/rupalimatkar/4d6c82a6-f958-4d65-88c5-7372817b8fd6 branch December 17, 2023 15:55