Eliminate Use of the 'Root' User Rule
This rule emphasizes not using the 'root' user for administrative and daily tasks.
| Rule | Eliminate use of the 'root' user for administrative and daily tasks |
| Framework | cis_v140 |
| Severity | ✔ High |
CIS Benchmark Rule: Eliminate Use of 'root' User
The Center for Internet Security (CIS) provides a set of best practice guidelines for securing systems, which includes a recommendation to avoid using the 'root' user account for administrative and daily operational tasks. The 'root' user, also known as the superuser, has unrestricted access to all commands and files on a Unix/Linux system and can perform actions that are restricted to normal users. Using this account for regular activities can pose significant security risks.
Why It's Important to Limit 'root' User Access
- Security Risks: If a 'root' user's credentials are compromised, an attacker gains complete control over the system.
- Audit Trails: Actions taken as the root user may not be properly tracked, hindering system auditing processes.
- Potential for Error: A mistaken command by the root user can cause catastrophic system damage.
Troubleshooting Steps
Checking for 'root' User Usage
- 1.
To see if and when the 'root' user has been accessed, check the authentication logs. For most Linux distributions, this log is located at
or/var/log/auth.log
./var/log/securesudo grep 'root' /var/log/auth.log - 2.
Review the commands executed by the 'root' user by examining the command history.
sudo -i history
Determining Currently Logged-In Users
Run the
orwho
command to identify which users are currently logged in and if any are logged in as 'root'.wwho w
Steps for Remediation
Step 1: Create Individual User Accounts
Create unique user accounts for all users requiring system access.
sudo adduser <username>
Step 2: Assign Necessary Privileges Using sudo
Give administrative privileges to trusted user accounts using the
command.sudosudo usermod -aG sudo <username>
Step 3: Limit sudo Access
Edit the sudoers file to restrict the commands users can run with sudo.
sudo visudo
Step 4: Implement Strong Authentication Mechanisms
- Make sure to use strong passwords and, where possible, implement two-factor authentication.
Step 5: Regularly Check for Compliance
- Regularly audit system use and access to ensure compliance with this policy.
Step 6: Remove Unnecessary 'root' Access
If remote 'root' login is enabled, disable it in the SSH configuration.
sudo nano /etc/ssh/sshd_config # Set PermitRootLogin to no PermitRootLogin no sudo systemctl restart sshd
Step 7: Train Users
- Educate users about the dangers of using 'root' and the correct use of
.sudo
Tips for Enforcing the Rule
- Implement configuration management tools like Puppet, Chef, Ansible, or Salt to enforce user account policies across systems.
- Use a centralized authentication service like LDAP or Active Directory to manage user access controls.
- Regularly review and rotate 'root' user passwords.
- Set up system monitoring to alert on any use of the 'root' account.
By following these steps and diligently enforcing the no-root-user policy, you ensure a better security stance for your systems, reducing the risk of unauthorized access and potential damage.