Ensure access to the su command is restricted - pam_wheel.so

Information

Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program.

Solution

Add the following line to the /etc/pam.d/su file:
auth required pam_wheel.so use_uid

Create a comma separated list of users in the wheel statement in the /etc/group file:
wheel:x:10:root,<user list>

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623.html