This rule emphasizes avoiding root user for administrative and daily activities.
Rule | Eliminate use of the root user for administrative and daily tasks |
Framework | cis_v130 |
Severity | ✔ High |
Eliminate Use of the Root User for Administrative and Daily Tasks (CIS v1.3.0)
Using the root user for everyday administrative tasks can pose a significant security risk because the root user has unrestricted access to all system resources. The Center for Internet Security (CIS) recommends creating individual accounts with least privileges necessary and using mechanisms such as sudo for administrative tasks. This minimizes the risk of accidental or deliberate system misuse.
Objectives of the Rule
Troubleshooting Steps
If any administrative command fails to execute due to the absence of root level permissions, ensure the following:
sudo
configurations are correctly set to allow necessary commands for the role.Remediation Steps
Step 1: Create Individual User Accounts
# As root, add a new user (replace 'username' with the intended username) useradd <username> # Set a password for the new user passwd <username>
Step 2: Assign Administrative Privileges
Use the
visudo
command to safely edit the sudoers file:# Edit the sudoers file visudo
In the editor add the following line to grant sudo privileges to the new user:
<username> ALL=(ALL:ALL) ALL
This line means that
<username>
can execute any command on any host as any user.Step 3: Test sudo Access
Switch to the new user account and try running a command with
sudo
:# Switch to the new user su - <username> # Try running a command with sudo sudo <command>
The user should be prompted for their password and upon entering it correctly, the command should execute with root privileges.
Step 4: Secure ssh Configuration
Edit the sshd configuration to prohibit direct root login over ssh
# Edit the sshd config file sudo nano /etc/ssh/sshd_config
Ensure the following line is present and not commented out:
PermitRootLogin no
Reload the SSH service to apply changes:
# On systemd systems sudo systemctl reload sshd # On sysvinit systems sudo service sshd reload
Step 5: Monitor and Audit Sudo Usage
To keep track of sudo usage, ensure that the audit daemon is installed and running:
# Check auditd status sudo systemctl status auditd # Install auditd if not present sudo apt-get install auditd # On Debian/Ubuntu systems sudo yum install audit # On RHEL/CentOS systems
Configure auditing for sudo commands by adding a rule to
/etc/audit/audit.rules
:# Edit the audit rules file sudo nano /etc/audit/audit.rules # Add the following rule -a always,exit -F arch=b64 -C euid!=uid -F euid=0 -S execve
Restart the audit daemon:
sudo systemctl restart auditd
Conclusion
By following these steps, you ensure that the root user is not used for regular administrative tasks, which aligns with the CIS benchmarks and strengthens the security posture of the system. Ensure that all administrative actions are performed using individual accounts and that the
sudo
mechanism is used for executing commands that require elevated privileges. This both reduces risks and provides an audit trail.