Oct 9 · 3 min read
Addressing the Unavoidable Security Holes Caused by Root Users and Privileged Accounts on Linux
By: Jennifer Ellard
Practically speaking, Linux has an inherent security hole big enough to drive a truck through: privileged accounts. Whether through compromised service accounts, stolen credentials, or the wrong commands executed by root users — the fact that Linux provides no way to restrict what privileged users can do is a big impediment to enforcing security policy.
As a result we put a ton of technology in place to help us respond quickly when errors or breaches do happen. We monitor log files, run endpoint detection and response programs, and require admins to “check out” root passwords — all so we can make it less likely that a compromised account does something bad with privileged access. Unfortunately, these situations are at the “root” of most of the security problems we see in Linux cloud and datacenter environments, including stolen credentials, lateral movement, and exploited service accounts.
Getting to the Root of Securing Linux Clouds and Data Centers
The lack of control over what a privileged user can do is a big concern because Linux admins and DevOps engineers frequently escalate privileges to do their jobs. They need to update configuration files, deploy updates and address real-time security threats — actions which require root access. Such activity leaves companies open to serious security risks, and without an obvious way to mitigate them.
With Linux Accounts, You Must Assume Access Issues Will Happen
In many work environments, admins share system and service accounts with others on the team — and you as a security professional have no way to know this is happening. Additionally, Linux admins are real people who make mistakes. It’s not hard to imagine getting a host name wrong, and as a result wiping a production server instead of a test server. And certainly, there is always a risk of outside malicious activity. Accounts get hacked, credentials get phished and Linux admins are prime targets.
With such a big gap in policy enforcement and security monitoring for root access, it would be outrageous to claim that any Linux environment is as compliant or secure as we want.
How to Close the Gap to Secure Root Access
The good news is that you don’t have to completely cut developers and administrators off from root access to enforce security policies. In fact, there is a way to monitor the activity of root users and shared accounts. You can do this with Cmd’s Linux Security Solution. It was built to work in the cloud and manage the behavior of users with any level of access, including privileged accounts, service accounts, and root access. Not only does it monitor activity, but it also provides real-time enforcement of security policies.
Key Capabilities to Secure Root Access
Control Root User Actions — It is critical to enforce security policy for accounts with elevated privileges and root access. Cmd does this with forced authorization when executing a sudo command.
Block Dangerous Commands — If a command is not authorized, it needs to be prevented in order to meet compliance requirements and keep your environment secure. Cmd does this by automatically preventing unapproved commands before they are executed.
Confirm and Track Identity — You need to know who has root access, and whether they are supposed to. Cmd can identify and authenticate users behind shared accounts by means of 2FA solutions such as Duo or Yubico.
Full Context for Investigations — Compliance requires you to monitor and present what is happening at the root level. For audits or investigations, Cmd provides the complete picture of activity on your Linux servers, organized by user, server, security policy, or session.
There are No Excuses for Allowing Unfettered Root Access
Security compliance needs are often at odds with Linux admins and DevOps engineers who want to get their jobs done quickly. Policies are often too restrictive, but the alternative in the past was letting them run wild. Neither option is the right answer. Admins need to do their jobs and Linux has to be secure. Monitoring and securing Linux root access is so critical because it balances both needs. Providing reasonable guardrails via Cmd will ensure root access privileges are used properly, and all activity complies with security policies. It’s the only option for keeping the critical information you have on Linux servers secure, all the way to the root of the system.