Chapter 7 | Root Best Practices

Root accounts are a necessary part of any IT infrastructure, but they also hold the potential to be the highest security risk. These accounts have every level of access, so a threat actor that gains control has the ability to steal information, destroy files, and render the environment completely unusable. Given this high risk, it is imperative to follow best practices when it comes to root usage. 

 

There should only be one root account per environment

Root is the common name for an account with a user id of zero, which indicates unrestricted access to the entire operating system. There should never be more than one of these accounts. The more accounts there are, the more opportunities an attacker has to attempt to breach the system. 

Make sure there is only one root account by checking for duplicate accounts with a UID of zero with the following command: 

# awk -F: '$3 == 0 {print $1}' /etc/passwd 

If any accounts other than root appear, immediately change their UID. You can then determine whether that account needs to exist, and if so, what level of access it does need. If the account is associated with system commands or applications, the UID should be changed to one greater than zero but less than 1000.

 

Disable remote login

Remote login to root, even when using SSH, is dangerous, as it opens root up to brute force attacks. To disable remote login, run the following command as root: 

vi /etc/ssh/sshd_config 

 

#LoginGraceTime 2m 

#PermitRootLogin yes 

#StrictModes yes 

#MaxAuthTries 6 

 

Change the PermitRootLogin setting to “no” and remove the leading # so that the line is no longer a comment (a commented line only documents the default and has no effect): 

PermitRootLogin no 

Restart the sshd service to apply the change. 

/etc/init.d/sshd restart
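An added example, not part of the original chapter: two shell functions that report the PermitRootLogin value actually in effect for an sshd_config file and rewrite it to "no". They take the file path as a parameter so they can be tried on a copy first; the default of "yes" assumed when no directive is present is the one the commented line above documents.

```shell
#!/usr/bin/env bash
# Added example, not from the original chapter. Two details matter here:
# sshd honours the FIRST uncommented occurrence of a keyword, and a commented
# "#PermitRootLogin yes" only documents the default, so root login stays allowed.

# Print the global PermitRootLogin value in effect for the config file $1.
effective_permit_root_login() {
    local file="$1" value
    # Keywords after the first "Match" block are conditional, so stop there.
    value=$(awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$file")
    printf '%s\n' "${value:-yes}"   # no directive at all: the default, "yes"
}

# Rewrite $1 so the global setting is "no": drop every uncommented global
# occurrence and put the directive first, where nothing can override it.
# Run "sshd -t" and restart sshd afterwards for the change to take effect.
set_permit_root_login_no() {
    local file="$1" tmp
    tmp=$(mktemp) || return 1
    awk '
        BEGIN { print "PermitRootLogin no" }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { next }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

Directives inside a Match block are left untouched, since they only apply to the users or hosts that block names.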

 

Set a strong password

Countless organizations have a simple root password, like “admin” or some other plaintext word. While it’s understandable that admins needing regular access to root privileges would want something easy to remember, it’s important to have a complex password that regularly changes in order to maximize security.

 

Change the default root directory

Similarly, you should change the root home directory to something other than /. This directory is so simple and common that it is far too easy for other users to unintentionally access it and for threat actors to intentionally guess it.

Additionally, you should assign the root directory a 0700 protection, which permits root full access, but makes all files in the directory completely inaccessible to any other user. This makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. 

Use the following commands to add 0700 protection: 

# mkdir /root 

# chown root /root 

# chgrp sys /root 

# chmod 0700 /root 

# cp -r /.??* /root/.  

 

Use su and sudo when root access is required

As mentioned in the previous chapter, the sudo command provides trusted users with temporary root access, while still recording their individual user id for auditing purposes. When users precede an administrative command with sudo, they are prompted to provide their own password. The command is then run as if issued by the root user. 

To give a user sudo capabilities, edit the /etc/sudoers file with visudo to grant that user the desired access.

 

Always require root access login for maintenance mode

When a machine or server is having serious issues, it is rebooted into maintenance mode. Maintenance mode provides unencumbered root access to the machine, leaving it incredibly vulnerable if an intruder gains control. To ensure that access to maintenance mode is strictly limited, you should require root authentication before access to maintenance mode is granted.

Check to see if an encrypted boot password is set. GRUB 2 is the default boot loader for RHEL 7 and can be configured to require a password to boot into single-user mode or make modifications to the boot menu. On systems that use UEFI, use the following command:

# grep -i password /boot/efi/EFI/redhat/grub.cfg 

If a password is set, the output contains a line of the form: 

password_pbkdf2 superusers-account password-hash

 

# grub-mkpasswd-pbkdf2 

Enter Password: 

Reenter Password:

 

The command prints the PBKDF2 hash of your password, for example grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 (the hash shown here is only an example; use the one generated on your system). Using this hash, modify the /etc/grub.d/10_linux file by adding the following block, which adds the password to the root entry:

# cat << EOF 

> set superusers="root" 

> password_pbkdf2 smithj grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 

> EOF

 

Generate a new grub.cfg file containing the new password with the following commands:

# grub2-mkconfig --output=/tmp/grub2.cfg 

# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg 
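An added example, not part of the original chapter: a shell function that verifies the regenerated grub.cfg really protects the boot menu. GRUB 2 grants menu editing and single-user boot only to the users named in set superusers=, and each of those users needs a matching password_pbkdf2 entry to be able to authenticate, so the function checks both and flags a plaintext password directive. The file path is a parameter; the assumed real target is the grub.cfg path used above.

```shell
#!/usr/bin/env bash
# Added example, not from the original chapter.
# Usage: check_grub_password /boot/efi/EFI/redhat/grub.cfg
# Prints "ok" and returns 0, or prints each problem found and returns 1.

check_grub_password() {
    local cfg="$1" superusers user hash rc=0

    # Value of the first 'set superusers="a,b"' line, double quotes stripped.
    superusers=$(awk '$1 == "set" && $2 ~ /^superusers=/ {
        sub(/^superusers=/, "", $2); gsub(/"/, "", $2); print $2; exit }' "$cfg")
    if [ -z "$superusers" ]; then
        echo "no 'set superusers=' line: the boot menu is not protected"
        rc=1
    fi

    # Every superuser must have a PBKDF2 credential under its own name.
    for user in $(printf '%s' "$superusers" | tr ',' ' '); do
        hash=$(awk -v u="$user" \
            '$1 == "password_pbkdf2" && $2 == u { print $3; exit }' "$cfg")
        case "$hash" in
            grub.pbkdf2.sha512.*) ;;
            "") echo "superuser $user has no password_pbkdf2 entry"; rc=1 ;;
            *)  echo "superuser $user has a malformed password_pbkdf2 hash"; rc=1 ;;
        esac
    done

    # A bare 'password' directive would store the secret in clear text.
    if grep -q '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "plaintext 'password' directive present; use password_pbkdf2"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}
```

The user name in the password_pbkdf2 line must match a name listed in superusers; a hash defined for a different user gives the superuser no usable credential.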

 

Never permit root access on a continuous display

Organizations often have machines used for continuous display. For instance, it could be a smart TV in the lobby of the organization, or at a booth during a trade show. Whenever such displays are used, the user logged in to drive the display should never be root. Given the location of such displays, as well as the fact that they are always on, whatever user id is being used should have the least amount of privileges possible. 

Additionally, even with these low privileges, efforts should still be made to make such displays as secure as possible, so that no one aside from those in charge of the display can gain access to it, either to terminate it or to take control of the interface.