diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh new file mode 100644 index 00000000000..fc8709ade0d --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh @@ -0,0 +1,15 @@ +# platform = multi_platform_ubuntu + +{{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}} + +if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then + groupadd ${var_pam_wheel_group_for_su} +fi + +# group must be empty +grp_memb=$(groupmems -g ${var_pam_wheel_group_for_su} -l) +if [ -n "${grp_memb}" ]; then + for memb in ${grp_memb}; do + deluser ${memb} ${var_pam_wheel_group_for_su} + done +fi diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/oval/shared.xml new file mode 100644 index 00000000000..a693db7339f --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/oval/shared.xml @@ -0,0 +1,32 @@ + + + {{{ oval_metadata("Group referred by variable var_pam_wheel_group_for_su exists and has no members.") }}} + + + + + + + + + + + + /etc/group + ^([^:]+):[^:]+:[0-9]+:\s*$ + 1 + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml new file mode 100644 index 00000000000..ce158a9b3c4 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml 
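Review bot: The emptiness check only covers supplementary members — `groupmems -g … -l` in this remediation and the `^([^:]+):[^:]+:[0-9]+:\s*$` pattern on /etc/group in the OVAL hunk that follows — so an account whose primary GID is the wheel group is neither reported nor removed, while pam_wheel is understood to honour primary-group membership too; both places should also look for that GID in the passwd database (or the rule's description should state the gap explicitly). Separately, every `${var_pam_wheel_group_for_su}` expansion is unquoted and the variable's default in var_pam_wheel_group_for_su.var is `""`, so selecting the rule without the profile's `=cis` override ends in `groupadd` being invoked with an empty name; a guard such as `[ -n "${var_pam_wheel_group_for_su}" ] || exit 1` ahead of the grep, plus quoting the expansions, makes that failure explicit. Whether `groupmems -l` separates names with spaces or newlines decides if `for memb in ${grp_memb}` iterates correctly; a comment stating the assumed output format would help, e.g. `# groupmems -l prints the member list whitespace-separated, so word-splitting is intended here`.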
@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: ubuntu2004,ubuntu2204 + +title: 'Ensure the Group Used by pam_wheel Module Exists on System and is Empty' + +description: |- + Ensure that the group {{{ xccdf_value("var_pam_wheel_group_for_su") }}} + referenced by the pam_wheel group parameter exists and has no + members. This ensures that no user can run commands with altered + privileges through the su command. + +rationale: |- + The su program allows to run commands with a substitute user and + group ID. It is commonly used to run commands as the root user. Limiting + access to such command is considered a good security practice. + +severity: medium + +references: + cis@ubuntu2004: '5.6' + cis@ubuntu2204: 5.3.7 + +ocil_clause: 'group {{{ var_pam_wheel_group_for_su }}} exists and has no user members' + +ocil: |- + Run the following command to check if the group {{{ var_pam_wheel_group_for_su }}} + exists: +
grep {{{ var_pam_wheel_group_for_su }}} /etc/group
+ The output should contain the following line: +
{{{ var_pam_wheel_group_for_su }}}:x:
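Review bot: The `ocil_clause` states the passing condition (`group … exists and has no user members`), whereas the sibling rule use_pam_wheel_group_for_su phrases its clause as the failing one (`the line is not in the file or it is commented`); since the clause is rendered into "Is it the case that …?", it should be inverted, e.g. `ocil_clause: 'the group {{{ xccdf_value("var_pam_wheel_group_for_su") }}} does not exist or has members'`. The `ocil` and `ocil_clause` blocks reference `{{{ var_pam_wheel_group_for_su }}}` directly while the description uses `xccdf_value("var_pam_wheel_group_for_su")`; the bare name is presumably not bound in the rule's template context and would render empty, so use `xccdf_value` consistently. The suggested `grep {{{ … }}} /etc/group` also matches the name anywhere on any line; anchoring it to the name field, `grep '^{{{ xccdf_value("var_pam_wheel_group_for_su") }}}:' /etc/group`, avoids hits on other groups or on members that contain the name.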
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/correct.pass.sh
new file mode 100644
index 00000000000..36e59990701
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/correct.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# variables = var_pam_wheel_group_for_su=sugroup
+
+GRP_NAME=sugroup
+
+groupadd ${GRP_NAME}
+
+# group must be empty
+grp_memb=$(groupmems -g ${GRP_NAME} -l)
+if [ -n "${grp_memb}" ]; then
+ for memb in ${grp_memb}; do
+ deluser ${memb} ${GRP_NAME}
+ done
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_has_users.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_has_users.fail.sh
new file mode 100644
index 00000000000..c13c869ef1e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_has_users.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# variables = var_pam_wheel_group_for_su=sugroup
+
+GRP_NAME=sugroup
+
+groupadd ${GRP_NAME}
+
+
+useradd -m -U testuser1
+useradd -m -U testuser2
+
+usermod -G ${GRP_NAME} -a testuser1
+usermod -G ${GRP_NAME} -a testuser2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/no_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/no_group.fail.sh
new file mode 100644
index 00000000000..ebcfd85a067
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/no_group.fail.sh
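Review bot: Both scenario scripts call `groupadd ${GRP_NAME}` unguarded, so if `sugroup` already exists on the test target (left over from an earlier scenario, or present on the image) setup aborts before the rule is evaluated; `groupadd -f ${GRP_NAME}` (exit successfully if the group exists) or a `getent group "${GRP_NAME}" >/dev/null ||` guard makes the scenarios idempotent. In group_has_users.fail.sh the `useradd -m -U testuser1` / `testuser2` calls fail the same way when those users pre-exist, and the same guard applies. correct.pass.sh re-implements the remediation's member-removal loop verbatim; a one-line comment noting that it intentionally mirrors bash/shared.sh would tell the next reader the duplication is deliberate.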
@@ -0,0 +1,6 @@ +#!/bin/bash +# variables = var_pam_wheel_group_for_su=sugroup + +if grep -q sugroup /etc/group; then + groupdel -f sugroup +fi diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml index e04d595a751..2254d4d5a1c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 title: 'Enforce usage of pam_wheel for su authentication' @@ -32,8 +32,6 @@ references: cis@rhel9: 5.3.7 cis@sle12: "5.6" cis@sle15: "5.6" - cis@ubuntu2004: "5.6" - cis@ubuntu2204: "5.6" ospp: FMT_SMF_EXT.1.1 pcidss: Req-8.6.1 srg: 'SRG-OS-000373-GPOS-00156,SRG-OS-000312-GPOS-00123' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh new file mode 100644 index 00000000000..f6be683799c --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh 
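Review bot: `grep -q sugroup /etc/group` in no_group.fail.sh matches the string anywhere on any line, so a group such as `mysugroup`, or a user named `sugroup` listed as a member of another group, makes the script run `groupdel -f sugroup` against a group that may not exist (non-zero exit, scenario setup fails); anchor the test to the name field, `if grep -q '^sugroup:' /etc/group; then`, or use `getent group sugroup >/dev/null`. The two use_pam_wheel_for_su/rule.yml hunks that follow only drop the Ubuntu products and CIS references and need no change.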
@@ -0,0 +1,15 @@ +# platform = multi_platform_ubuntu +{{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}} + +PAM_CONF=/etc/pam.d/su + +pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) +if [ -z "$pamstr" ]; then + sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line + sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} +else + group_val=$(echo -n "$pamstr" | egrep -o '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) + if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then + sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF} + fi +fi diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml new file mode 100644 index 00000000000..22968242b17 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml @@ -0,0 +1,31 @@ + + + {{{ oval_metadata("Only members of the group set in variable 'var_pam_wheel_group_for_su' should be able to authenticate through the su command.") }}} + + + + + + + + + + + + /etc/pam.d/su + ^\s*auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)[^#]*\bgroup=([_a-z][-0-9_a-z]*) + 1 + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml new file mode 100644 index 00000000000..fa8d04ddc51 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml 
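Review bot: The `sed … /a auth required pam_wheel.so …` insertion only fires when an `auth sufficient pam_rootok.so` line exists in /etc/pam.d/su; on a file without that line the remediation first deletes any existing pam_wheel line and then adds nothing, leaving su unrestricted while the script exits successfully. After the two sed calls, verify the line landed and fall back to appending, e.g. `grep -qP '^auth\s+required\s+pam_wheel\.so' "${PAM_CONF}" || printf 'auth required pam_wheel.so use_uid group=%s\n' "${var_pam_wheel_group_for_su}" >> "${PAM_CONF}"`. The comparison `[ ${group_val} != ${var_pam_wheel_group_for_su} ]` is unquoted, so an empty variable (the .var default is `""`) produces a `[` syntax error instead of a clear failure; quote both sides, and replace the deprecated `egrep` with `grep -E`. The detection regex here requires `auth` at column 0 while the OVAL regex in the next hunk accepts leading whitespace (`^\s*auth`), so an indented line with the wrong group fails the check, is missed by both sed patterns, and ends up duplicated by the insertion — the bash and OVAL patterns should agree on leading whitespace.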
@@ -0,0 +1,32 @@ +documentation_complete: true + +prodtype: ubuntu2004,ubuntu2204 + +title: 'Enforce Usage of pam_wheel with Group Parameter for su Authentication' + +description: |- + To ensure that only users who are members of the group set in the + group pam_wheel parameter can run commands with altered + privileges through the su command, make sure that the + following line exists in the file /etc/pam.d/su: +
auth required pam_wheel.so use_uid group={{{ xccdf_value("var_pam_wheel_group_for_su") }}}
+ +rationale: |- + The su program allows to run commands with a substitute + user and group ID. It is commonly used to run commands as the root + user. Limiting access to such command is considered a good security + practice. + +severity: medium + +references: + cis@ubuntu2004: '5.6' + cis@ubuntu2204: 5.3.7 + +ocil_clause: 'the line is not in the file or it is commented' + +ocil: |- + Run the following command to check if the line is present: +
grep pam_wheel /etc/pam.d/su
+ The output should contain the following line: +
auth required pam_wheel.so use_uid group={{{ xccdf_value("var_pam_wheel_group_for_su") }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/correct.pass.sh
new file mode 100644
index 00000000000..9528fbd12a2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_pam_wheel_group_for_su=sugroup
+
+# remove any remaining uncommented pam_wheel.so line
+sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' /etc/pam.d/su
+
+#apply correct line
+echo "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_commented.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_commented.fail.sh
new file mode 100644
index 00000000000..80f2a89b2d8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_commented.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_pam_wheel_group_for_su=sugroup
+
+# remove any remaining uncommented pam_wheel.so line
+sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' /etc/pam.d/su
+
+#apply commented line
+echo "#auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_not_there.fail.sh
new file mode 100644
index 00000000000..22103e143e6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_not_there.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# variables = var_pam_wheel_group_for_su=sugroup
+
+#clean possible lines
+sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' /etc/pam.d/su
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/param_commented.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/param_commented.fail.sh
new file mode 100644
index 00000000000..7881df18591
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/param_commented.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_pam_wheel_group_for_su=sugroup
+
+# remove any remaining uncommented pam_wheel.so line
+sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' /etc/pam.d/su
+
+#apply line with commented parameters
+echo "auth required pam_wheel.so #use_uid group=sugroup" >> /etc/pam.d/su
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/var_pam_wheel_group_for_su.var b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/var_pam_wheel_group_for_su.var
new file mode 100644
index 00000000000..9437494e63d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/var_pam_wheel_group_for_su.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Group Name Used by pam_wheel Group Parameter'
+
+description: |-
+ pam_wheel module has a parameter called group, which controls which groups
+ can access the su command.
+ This variable holds the valid value for the parameter.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: ""
+ cis: "sugroup"
diff --git a/products/ubuntu2004/profiles/cis_level1_server.profile b/products/ubuntu2004/profiles/cis_level1_server.profile
index 405bffe40a1..5182e8386ad 100644
--- a/products/ubuntu2004/profiles/cis_level1_server.profile
+++ b/products/ubuntu2004/profiles/cis_level1_server.profile
@@ -783,7 +783,9 @@ selections: # Skip due to being a manual test ## 5.6 Ensure access to the su command is restricted (Automated) - - use_pam_wheel_for_su + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty # 6 System Maintenance # ## 6.1 System File Permissions ## diff --git a/products/ubuntu2204/profiles/cis_level1_server.profile b/products/ubuntu2204/profiles/cis_level1_server.profile index fffe2556baa..e39893518b6 100644 --- a/products/ubuntu2204/profiles/cis_level1_server.profile +++ b/products/ubuntu2204/profiles/cis_level1_server.profile @@ -833,7 +833,9 @@ selections: - sudo_require_reauthentication ### 5.3.7 Ensure access to the su command is restricted (Automated) - # NEEDS RULE + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty ## 5.4 Configure PAM ## ### 5.4.1 Ensure password creation requirements are configured (Automated)