Eliminate Use of Root User Rule
This rule emphasizes avoiding root user for administrative and daily activities.
| Rule | Eliminate use of the root user for administrative and daily tasks |
| Framework | cis_v130 |
| Severity | ✔ High |
Eliminate Use of the Root User for Administrative and Daily Tasks (CIS v1.3.0)
Using the root user for everyday administrative tasks can pose a significant security risk because the root user has unrestricted access to all system resources. The Center for Internet Security (CIS) recommends creating individual accounts with least privileges necessary and using mechanisms such as sudo for administrative tasks. This minimizes the risk of accidental or deliberate system misuse.
Objectives of the Rule
- 1.Enforce least privilege access
- 2.Reduce the risk of accidental system changes
- 3.Mitigate the impact of compromised accounts
- 4.Provide an audit trail by ensuring actions are traceable to individual users
Troubleshooting Steps
If any administrative command fails to execute due to the absence of root level permissions, ensure the following:
- 1.The user attempting the task should have the appropriate privileges.
- 2.The
configurations are correctly set to allow necessary commands for the role.sudo
Remediation Steps
Step 1: Create Individual User Accounts
# As root, add a new user (replace 'username' with the intended username) useradd <username> # Set a password for the new user passwd <username>
Step 2: Assign Administrative Privileges
Use the
visudo# Edit the sudoers file visudo
In the editor add the following line to grant sudo privileges to the new user:
<username> ALL=(ALL:ALL) ALL
This line means that
<username>Step 3: Test sudo Access
Switch to the new user account and try running a command with
sudo# Switch to the new user su - <username> # Try running a command with sudo sudo <command>
The user should be prompted for their password and upon entering it correctly, the command should execute with root privileges.
Step 4: Secure ssh Configuration
Edit the sshd configuration to prohibit direct root login over ssh
# Edit the sshd config file sudo nano /etc/ssh/sshd_config
Ensure the following line is present and not commented out:
PermitRootLogin no
Reload the SSH service to apply changes:
# On systemd systems sudo systemctl reload sshd # On sysvinit systems sudo service sshd reload
Step 5: Monitor and Audit Sudo Usage
To keep track of sudo usage, ensure that the audit daemon is installed and running:
# Check auditd status sudo systemctl status auditd # Install auditd if not present sudo apt-get install auditd # On Debian/Ubuntu systems sudo yum install audit # On RHEL/CentOS systems
Configure auditing for sudo commands by adding a rule to
/etc/audit/audit.rules# Edit the audit rules file sudo nano /etc/audit/audit.rules # Add the following rule -a always,exit -F arch=b64 -C euid!=uid -F euid=0 -S execve
Restart the audit daemon:
sudo systemctl restart auditd
Conclusion
By following these steps, you ensure that the root user is not used for regular administrative tasks, which aligns with the CIS benchmarks and strengthens the security posture of the system. Ensure that all administrative actions are performed using individual accounts and that the
sudo