Merge pull request #469 from delphix/dlpx/pr/rupalimatkar/4d6c82a6-f958-4d65-88c5-7372817b8fd6

DLPX-86535 CIS: restrict access to su command

Author: rupalimatkar

files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml

@@ -329,6 +329,15 @@
     regexp: '^(session[\s]+optional[\s]+pam_motd\.so.*)$'
     replace: '#\1'
 
+#
+# Restrict su access to users that are part of the root group (gid 0).
+# On a Delphix engine, this is restricted to the delphix user.
+#
+- replace:
+    dest: /etc/pam.d/su
+    regexp: '^#?[\s]*(auth[\s]+required[\s]+pam_wheel\.so.*)$'
+    replace: '\1'
+
 #
 # Prevent sshd from offering weak message authentication codes to clients.
 #