Chapter 7 | Root Best Practices
Root accounts are a necessary part of any IT infrastructure, but they are also its single highest-risk component. A root account has unrestricted access to everything on the system, so a threat actor who gains control of it can steal data, destroy files, install persistent backdoors, and render the environment completely unusable. Given that risk, following best practices for root usage is imperative.
There should only be one root account per system
Root is the conventional name for the account with a user id (UID) of zero; the kernel grants UID 0 unrestricted access to the entire operating system regardless of the account's name. There should never be more than one such account on a system. Every additional UID-0 account is another password to guess, another set of credentials to leak, and, very often, a backdoor left behind by an earlier intruder.
Make sure there is only one root account by checking for duplicate accounts with a UID of zero with the following command:
# awk -F: '$3 == 0 {print $1}' /etc/passwd
If any account other than root appears, treat it as a likely backdoor first and a misconfiguration second: find out who created it and why before changing anything, and review the system for other signs of compromise. Then either remove the account or give it a non-zero UID that matches what it actually needs to do. If it is associated with system commands or applications, assign a system UID (greater than zero but less than 1000 on RHEL 7) with usermod -u; remember that files the account already created are owned by UID 0, that is, by root, and stay that way.
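The duplicate-UID check above as a small audit script, added here as an example (it is not part of the original chapter). It works on any passwd-format file, so it can be pointed at a backup or a mounted image as well as the live /etc/passwd; the sample passwd content is constructed for the demonstration, and the account name "toor" in it is illustrative only.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for UID-0 accounts.
# Assumption: 7-field /etc/passwd layout (name:pw:uid:gid:gecos:home:shell).

# Print the login name of every account whose UID (field 3) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print UID-0 accounts other than root and return 1 if there are any,
# so the function can drive a compliance check or a cron alert.
extra_uid0_accounts() {
    extras=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1")
    [ -z "$extras" ] && return 0
    printf '%s\n' "$extras"
    return 1
}

# Constructed sample: "toor" is a second UID-0 account of the kind that a
# backdoor (or a careless admin) leaves behind. Its name is harmless; its
# UID is what makes it root.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
jsmith:x:1000:1000:J Smith:/home/jsmith:/bin/bash
EOF

echo "UID-0 accounts:"
uid0_accounts "$SAMPLE"
if ! extra_uid0_accounts "$SAMPLE" >/dev/null; then
    echo "WARNING: UID-0 account(s) other than root: $(extra_uid0_accounts "$SAMPLE" | tr '\n' ' ')"
fi
rm -f "$SAMPLE"
```

On the live system run uid0_accounts /etc/passwd. If accounts also come from LDAP or another NSS source, /etc/passwd is not the whole picture: feed the script getent passwd output instead (getent passwd | awk -F: '$3 == 0'), since a directory can hand out UID 0 just as easily as the local file.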
Disable remote login
Allowing root to log in remotely, even over SSH, is dangerous for two reasons: it exposes the one account name every attacker already knows to password guessing, and it destroys accountability, because a session that starts as root cannot be traced to the person who opened it. Log in as an unprivileged user and escalate with sudo instead (see below). To disable remote root login, edit the sshd configuration as root:
vi /etc/ssh/sshd_config
The stock RHEL 7 file ships the relevant settings commented out. A commented line documents the compiled-in default, and for PermitRootLogin that default is yes:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
Uncomment the PermitRootLogin line and set it to "no". (Newer OpenSSH also accepts prohibit-password, which keeps key-based root logins for automation but refuses passwords; "no" is the safer choice.)
PermitRootLogin no
sshd reads its configuration only at startup, so check the syntax and restart the service for the change to take effect. Keep your current session open until a fresh non-root login has been confirmed, or a typo can lock you out of the machine:
# sshd -t
# systemctl restart sshd
On older SysV-init systems the equivalent restart is /etc/init.d/sshd restart.
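A check that reports the value sshd will actually use, added here as an example rather than taken from the original chapter. It matters because a commented-out line is not a setting, and because OpenSSH uses the first uncommented occurrence of a keyword, so a "PermitRootLogin no" appended at the bottom of a file that already says "PermitRootLogin yes" higher up changes nothing. The sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report the effective PermitRootLogin value of an sshd_config
# file the way sshd resolves it.
# Assumptions: OpenSSH semantics, where the FIRST uncommented occurrence of a
# keyword wins, keywords are case-insensitive, "#" starts a comment, keyword
# and value are separated by whitespace, and a missing keyword falls back to
# the compiled-in default of "yes". Directives inside Match blocks are
# conditional, so parsing stops at the first Match line.

effective_permit_root_login() {
    val=$(awk '
        tolower($1) == "match"           { exit }             # conditional section: stop
        tolower($1) == "permitrootlogin" { print $2; exit }   # first hit wins
    ' "$1")
    printf '%s\n' "${val:-yes}"
}

# Return 0 only when root cannot log in over SSH at all.
root_ssh_login_disabled() {
    [ "$(effective_permit_root_login "$1" | tr 'A-Z' 'a-z')" = "no" ]
}

# Constructed sample: the stock file has the directive commented out, so the
# default "yes" applies even though "yes" never appears uncommented.
STOCK=$(mktemp); FIXED=$(mktemp)
cat > "$STOCK" <<'EOF'
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
EOF
# Apply the fix the chapter describes: uncomment the line and set it to "no"
# (use sed -i on the real file, then sshd -t before restarting).
sed 's/^#*PermitRootLogin .*/PermitRootLogin no/' "$STOCK" > "$FIXED"

echo "stock: $(effective_permit_root_login "$STOCK")"   # yes
echo "fixed: $(effective_permit_root_login "$FIXED")"   # no
root_ssh_login_disabled "$FIXED" && echo "root SSH login disabled"
rm -f "$STOCK" "$FIXED"
```

Run effective_permit_root_login /etc/ssh/sshd_config after editing; if it still prints yes, search the file for an earlier PermitRootLogin line that shadows your change. The parser ignores Match blocks, which is deliberate: a conditional grant of root login there is a finding in its own right, not something to average into a single answer.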
Set a strong password
Countless organizations still protect root with a trivial password such as "admin" or a single dictionary word. It is understandable that admins who need root regularly want something easy to remember, but the root password must be long and unguessable (a multi-word passphrase is both), unique to each system, and stored in a password vault rather than in a shared document. Change it whenever someone who knew it leaves or whenever compromise is suspected; scheduled rotation on its own adds little if each replacement is as weak as the last. With remote root login and maintenance mode locked down as described in this chapter, the password is only ever typed at the console or to su, which keeps its exposure small.
Change the default root home directory
Similarly, root's home directory must not be / itself. The problem is not that / is easy to guess: / has to remain readable and searchable by every user for the system to work at all, so it can never be locked down, and whatever root's shell and tools write to its home (.bash_history, .ssh/, editor and tool state) would be exposed to every local account. Red Hat systems already use /root; if an account was set up otherwise, give it a dedicated directory and update the account so that the new directory is actually used.
Assign that directory mode 0700, which gives root full access and makes everything in it inaccessible to every other user. This denies an intruder with an unprivileged foothold the chance to read the command history, keys and configuration that root leaves in its home directory.
Use the following commands to create the directory, give it 0700 protection, move root's existing dotfiles across with their modes and ownership preserved, and point the account at it (the original text uses chgrp sys; on Linux the directory is conventionally owned by root:root):
# mkdir /root
# chown root /root
# chgrp root /root
# chmod 0700 /root
# cp -a /.??* /root/
# usermod -d /root root
The .??* glob deliberately skips . and .., but it also misses any two-character dotfile name, so list /.* afterwards to confirm nothing was left behind, and verify the result with ls -ld /root and getent passwd root.
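A verification script for the result, added here as an example (not part of the original chapter): it reads an account's home directory out of a passwd-format file and checks that the directory is not /, exists, is owned by that account and has mode 0700. It assumes GNU coreutils stat; the passwd content and the temporary directory it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that an account's home directory is private.
# Assumptions: GNU coreutils stat (for the -c format), a passwd-format file
# as input, and the owner given as a numeric UID (resolve names with id -u).

# Print the home directory field (6) for a login name.
home_of() {
    awk -F: -v u="$2" '$1 == u { print $6; exit }' "${1:-/etc/passwd}"
}

# Return 0 if DIR is not /, exists, has mode 0700 and is owned by UID OWNER;
# otherwise print the first problem found and return 1.
check_private_home() {
    dir=$1; owner=$2
    [ "$dir" != "/" ] || { echo "home is /: it cannot be restricted to 0700"; return 1; }
    [ -d "$dir" ] || { echo "$dir does not exist"; return 1; }
    set -- $(stat -c '%a %u' "$dir")    # mode (octal, no leading zero) and owner uid
    [ "$1" = "700" ] || { echo "$dir mode is $1, expected 700"; return 1; }
    [ "$2" = "$owner" ] || { echo "$dir owned by uid $2, expected $owner"; return 1; }
    return 0
}

# Constructed passwd entry showing the misconfiguration the chapter warns about.
P=$(mktemp)
printf 'root:x:0:0:root:/:/bin/bash\n' > "$P"
check_private_home "$(home_of "$P" root)" 0 || echo "-> root home must be moved off /"

# Constructed demo directory: created with the loose mode a careless mkdir
# leaves behind, then hardened the way the chapter does for /root.
DEMO=$(mktemp -d)
chmod 0755 "$DEMO"
check_private_home "$DEMO" "$(id -u)" || echo "-> not yet hardened"
chmod 0700 "$DEMO"
check_private_home "$DEMO" "$(id -u)" && echo "-> hardened"
rmdir "$DEMO"; rm -f "$P"
```

On a live system the call is check_private_home "$(home_of /etc/passwd root)" 0. The mode check is deliberately exact rather than "at most 0700": group or world bits on root's home are never intended, so anything other than 700 is worth a look.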
Use su and sudo when root access is required
As mentioned in the previous chapter, the sudo command gives trusted users temporary root privileges while preserving their own user id for auditing. When a user precedes an administrative command with sudo, they are prompted for their own password, and the command then runs as if issued by root; each invocation, including the invoking user and the exact command line, is logged (to /var/log/secure on RHEL). Prefer sudo over su for routine work: su requires sharing the root password itself, and once the shell is root the audit trail shows only "root".
To give a user sudo capabilities, edit the /etc/sudoers file with visudo, or add a fragment under /etc/sudoers.d/. visudo locks the file and checks the syntax before saving, so that a typo cannot disable sudo for everyone; visudo -c checks an existing file without editing it. Grant the narrowest set of commands a role actually needs rather than ALL wherever practical, and do not hand non-admins editors, shells, or other commands that can spawn a shell, since those turn a narrow grant back into full root.
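A worked sudoers drop-in, added here as an example (it is not part of the original chapter): one group gets full sudo with their own password, a second group gets exactly one command, every invocation is logged to a dedicated file, and the fragment is syntax-checked before it is installed. The group names "sysadmins" and "webops" and the log path are assumptions for the demonstration; the script writes to a temporary file, and the install path is shown but not used.

```shell
#!/bin/sh
# Added example: write and validate a least-privilege sudoers drop-in.
# Assumptions: sudo with /etc/sudoers.d enabled (the RHEL default) and the
# hypothetical groups "sysadmins" and "webops".

# Write the policy to FILE with the 0440 mode sudo requires for drop-ins.
write_sudoers_dropin() {
    file=$1
    cat > "$file" <<'EOF'
# Log every sudo command to a dedicated file and force a pty so that
# background processes cannot outlive the session unlogged.
Defaults    logfile=/var/log/sudo.log
Defaults    use_pty
# Full administrative access, authenticated with the user's own password.
%sysadmins  ALL=(ALL) ALL
# Least privilege: one command, as root, with a fixed argument, nothing else.
%webops     ALL=(root) /usr/bin/systemctl restart httpd.service
EOF
    chmod 0440 "$file"
}

# Parse-only check with visudo. Returns 2 when visudo is not installed so a
# caller can tell "skipped" from "invalid" (visudo itself returns 1).
validate_sudoers() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1"
}

TARGET=/etc/sudoers.d/90-admins     # real destination; not written here
TMP=$(mktemp)
write_sudoers_dropin "$TMP"
validate_sudoers "$TMP"; rc=$?
case $rc in
    0) echo "syntax OK; install with: install -o root -g root -m 0440 $TMP $TARGET" ;;
    2) echo "visudo not available here; syntax check skipped" ;;
    *) echo "INVALID sudoers fragment (exit $rc); not installing" ;;
esac
rm -f "$TMP"
```

The webops line is the pattern to copy for service accounts: a full path, a fixed argument list, and no command that offers an escape to a shell. visudo -c may also complain about the owner and mode of a fragment that is still sitting in a temporary directory; that warning goes away once the file is installed as root:root 0440.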
Always require root authentication for maintenance mode
When a machine or server is having serious issues, it is rebooted into maintenance mode (the rescue or emergency target on RHEL 7). Maintenance mode provides unencumbered root access to the machine, so it is extremely dangerous if an intruder can reach it. RHEL 7 already prompts for the root password via sulogin before dropping into those targets, but anyone who can edit the boot menu can bypass that prompt entirely by adding init=/bin/bash or rd.break to the kernel line. The boot loader must therefore demand its own password before any entry can be edited or an unlisted entry booted.
Check whether an encrypted boot-loader password is already set. GRUB 2 is the default boot loader for RHEL 7 and can be configured to require a password before booting into single-user mode or modifying the boot menu. On systems that use UEFI, use the following command (on BIOS systems the file is /boot/grub2/grub.cfg):
# grep -i password /boot/efi/EFI/redhat/grub.cfg
password_pbkdf2 superusers-account password-hash
If nothing is returned, or the only match is a plaintext line (the legacy "password user secret" form, which the grep above finds just as readily), generate a PBKDF2 hash. On RHEL 7 the tool carries the grub2- prefix:
# grub2-mkpasswd-pbkdf2
Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
The hash is shown truncated here; use the complete string that the tool prints. Then append a superuser declaration and the hash to one of the scripts that grub2-mkconfig assembles. The original instruction edits /etc/grub.d/10_linux, which works but is a package-owned script that an update can replace; /etc/grub.d/40_custom exists for local additions. The name after superusers is a GRUB user, unrelated to the Linux root account, and must match the name on the password_pbkdf2 line. Note also that the heredoc has to be redirected into the file, or it prints to the terminal and changes nothing:
# cat >> /etc/grub.d/40_custom << 'EOF'
set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
EOF
Generate a new grub.cfg containing the password. Writing to a temporary file first and moving it into place, as below, avoids leaving a half-written configuration if the command fails:
# grub2-mkconfig --output=/tmp/grub2.cfg
# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg
On BIOS systems the destination is /boot/grub2/grub.cfg. RHEL 7.2 and later also provide grub2-setpassword, which prompts for a password and stores the hash in a user.cfg file beside grub.cfg without editing any script. Whichever method is used, reboot and confirm that editing a menu entry now prompts for the GRUB user name and password. A boot-loader password only controls the boot loader: an attacker with physical access can still boot other media, so set a firmware (BIOS/UEFI) password, disable booting from removable devices, and use full-disk encryption on machines that may be physically exposed.
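A check for the result, added here as an example (not part of the original chapter). The chapter's grep -i password matches a plaintext "password user secret" line as happily as a hashed one, so the script below classifies what it finds as pbkdf2, plaintext or none, confirms that a superuser is actually declared, and generates the fragment to append. The GRUB syntax it relies on (set superusers, export, password_pbkdf2 and the legacy password command) is standard; the grub.cfg contents and the hash values are constructed placeholders, not real grub2-mkpasswd-pbkdf2 output.

```shell
#!/bin/sh
# Added example: audit and generate GRUB 2 boot-loader password protection.
# Assumptions: GRUB 2 directive syntax; sample configs and hashes below are
# constructed for the demonstration.

# Print one of: pbkdf2 | plaintext | none.
grub_password_kind() {
    awk '
        $1 == "password_pbkdf2" && $3 ~ /^grub\.pbkdf2\./ { found = "pbkdf2";    exit }
        $1 == "password"                                  { found = "plaintext"; exit }
        END { print (found == "" ? "none" : found) }
    ' "$1"
}

# Return 0 only when a superuser is declared AND protected by a PBKDF2 hash.
# A password_pbkdf2 line without "set superusers" protects nothing.
grub_password_ok() {
    grep -q '^set superusers=' "$1" && [ "$(grub_password_kind "$1")" = "pbkdf2" ]
}

# Print the fragment to append to /etc/grub.d/40_custom before regenerating
# grub.cfg. USER is a GRUB user, unrelated to the Linux root account.
grub_superuser_fragment() {
    printf 'set superusers="%s"\nexport superusers\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

CFG=$(mktemp)
HASH='grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH'   # constructed, not real

grub_superuser_fragment root "$HASH" > "$CFG"
echo "hashed config:    $(grub_password_kind "$CFG")"               # pbkdf2
grub_password_ok "$CFG" && echo "boot menu is password protected"

printf 'set superusers="root"\npassword root hunter2\n' > "$CFG"
echo "legacy config:    $(grub_password_kind "$CFG")"               # plaintext
grub_password_ok "$CFG" || echo "plaintext password: regenerate with a PBKDF2 hash"

printf 'set timeout=5\nmenuentry "RHEL" {\n}\n' > "$CFG"
echo "unprotected menu: $(grub_password_kind "$CFG")"               # none
rm -f "$CFG"
```

Run grub_password_ok against the generated grub.cfg (under /boot/efi/EFI/redhat/ on UEFI, /boot/grub2/ on BIOS), not against the script in /etc/grub.d: the script is only the input, and a fragment that was added but never followed by grub2-mkconfig protects nothing at boot.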
Never run a continuous display as root
Organizations often have machines dedicated to a continuous display: a smart TV in the lobby, or a screen at a booth during a trade show. The account logged in to drive such a display must never be root. Given where these machines sit, and the fact that they are always on and usually unattended, the account should have the least privilege possible: no sudo rights, no membership in administrative groups, and no more of a shell than the display software needs.
Additionally, even with those low privileges, the display itself should be locked down so that nobody apart from the people responsible for it can gain access to it, either to terminate it or to take control of the interface: disable keyboard shortcuts that leave the kiosk session, keep USB and other peripheral ports out of reach, and treat the device as untrusted on the network.