ghoneycutt / puppet-module-pam

Puppet module to manage PAM

Restrict Root user from switching users without password prompt #222

Closed jamboNum5 closed 4 years ago

jamboNum5 commented 4 years ago

In Ubuntu, pam_rootok.so can be removed/commented out to force a root user to have a password prompt if they run su username. I don't know whether this same configuration can be fulfilled in this Puppet module.

/etc/pam.d/su
# auth       sufficient pam_rootok.so 

I know this isn't exactly an infallible config, but it does at least do something to slow down people with root access if they are doing malicious actions.

Thanks

ghoneycutt commented 4 years ago

You can accomplish this using pam::service. Check out https://github.com/ghoneycutt/puppet-module-pam/blob/master/manifests/service.pp
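
An added example, not part of the thread and not the module's own code, of managing /etc/pam.d/su through pam::service with the pam_rootok.so line left commented out. It assumes pam::service accepts the full file body in a `content` parameter (confirm against the service.pp linked above); the file body is a constructed sample modelled on a stock Ubuntu su file.

```puppet
# Body of /etc/pam.d/su with the pam_rootok.so line commented out, so that
# root is prompted for a password when running `su username`.
# Constructed sample: start from the node's own /etc/pam.d/su and change
# only the pam_rootok.so line, keeping every other line the distro ships.
$su_pam = @(SU_PAM)
    # This file is managed by Puppet. Manual changes will be overwritten.
    # auth       sufficient pam_rootok.so
    session    required   pam_env.so readenv=1
    session    required   pam_env.so readenv=1 envfile=/etc/default/locale
    session    optional   pam_mail.so nopen
    session    required   pam_limits.so
    @include common-auth
    @include common-account
    @include common-session
    | SU_PAM

# Assumption: the resource title is the service name and the file is written
# to <pam_config_dir>/<title>, i.e. /etc/pam.d/su on Ubuntu, and `content`
# is the parameter that carries the file body.
pam::service { 'su':
  ensure  => present,
  content => $su_pam,
}
```

Because Puppet enforces the file content on every agent run, a manual edit that re-enables pam_rootok.so is reverted and appears as a file change in the Puppet report.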