The root credential is the most powerful credential on a Linux/UNIX computer. If this credential is compromised, it is generally considered a full system compromise. It is generally recommended to have user applications run WITHOUT root privileges—if the application has bugs or is exploited, it will not give up privileged access.
SKFS practices this defense strategy by not requiring or using root privileges for normal operations—some parts of the installation process require root privileges, but once completed, the web service application that provides cryptographic services does not need root access. Because any human (or attacker) that has access to the root account can assume the identity of any other Linux account, it would be possible for an attacker who has compromised the root account to assume the SKFS web service application ID.
As a consequence, sites may want to ensure that the root account is restricted through policy, procedural, and technical controls. While this document does not go into the policy and procedural aspects of controlling root access, the following technical controls can help mitigate some of the risks of the root account becoming compromised. Site administrators are encouraged to review other resources to determine the optimum mechanism for protecting and/or controlling root privileges on their systems, so they gain a broader perspective on these controls.
Setup an unlock account on the Linux system. This account becomes the fail-safe measure to recover access to the root account in the event it is needed for extraordinary administrative actions.
Add the unlock account to /etc/sudoers with the ability to unlock the root account. Replace <FQDN> with the fully qualified domain name of the SKFS server.
unlock <FQDN>=/usr/sbin/usermod --unlock root
Add the normal Linux account of the Systems Administrator (SA) to /etc/sudoers to perform specific SA tasks (as defined by company policy). This ensures that SAs can perform their day-to-day jobs—backup, restore, log management, performance management, patching, etc. These accounts must be the only legitimate means of managing the SKFS system.
For tighter control, depending on company policy, sites may add multi-factor authentication tokens to the system to ensure only legitimate SAs with two-factor tokens can login into SA accounts in SKFS.
Add a watch on /etc/sudoers and on /usr/bin/sudo to audit modifications to the former and use of the latter:
auditctl -w /etc/sudoers -pwar -k sudoers
auditctl -w /usr/bin/sudo -px -k sudo-exec
This first watch monitors for writes, appends, and reads of the /etc/sudoers file, then logs them. Logged records can be searched with filter key sudoers. The second watches for execution of the sudo command and log any matches with a filter key of sudo-exec.
auditd should be turned on to monitor for access to the sudo command and report it to appropriate authorities for review (third-party reporting tools may also be used for this purpose, if desired).
Finally, lock the root account on the system:
/usr/sbin/usermod --lock root
This has the effect of disabling the root account so no one can gain access to the account.