Restrict the use of su

[olavim]

A bad-actor who has gained access to an account without sudo privileges can still try to login as such with su.

Here's an article about limiting who can use of su: https://www.cyberciti.biz/tips/restrict-the-use-of-su-command.html

The article tells you to add users, who you want to be able to use su, to the wheel group, and editing the PAM config file at /etc/pam.d/su appropriately. However at least in Ubuntu I had to add these users to the root group instead, so the steps needed might vary between distros.

[imthenachoman]

Adding. Thanks!