In the hands of an external attacker, or even an unscrupulous insider, privileged Unix and Linux accounts represent a potentially very serious cyber security threat to your organization. Unfortunately, you are stuck with using these privileged accounts daily to perform routine administration tasks within the environment, as well as for "break glass" emergency access scenarios. While these accounts are indeed necessary, their mere existence and use exposes your organization to considerable security risk.
It’s alarming how often attackers access privileged accounts. This access is usually first accomplished through a low-level exploit, with the attacker then moving laterally until they can escalate their privileges. Once inside your organization’s environment, an attacker can expose sensitive data, conduct unauthorized transactions, plant malware, and destroy systems, while erasing traces of his/her presence each step of the way.
Controlling Unix/Linux Privileges is Essential for Compliance
Today, it is essential to have a strategy in place to control and audit your Unix/Linux privileged access. Many regulations, such as Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS), the Federal Energy Regulatory Commission (FERC), and HIPAA, also mandate controls and oversight for privileged access. Moreover, business partners are increasingly demanding a review of controls associated with privileged accounts as part of their Statement on Auditing Standards (SAS) 70 reviews.
This post provides a few tips for safeguarding your Unix/Linux privileged accounts. Use this information to gain an understanding of strategies and technologies that can help you get control and auditability over your Unix/Linux privileged accounts.
The Risk of Not Protecting Unix/Linux Privileged Accounts
Escalating their privilege means that an attacker has gained access to privileges they are not entitled to and definitely should not have. This attacker can in turn use these ill-gotten privileges to conduct such nefarious activities as deleting files, viewing your private organization information, or installing unwanted programs like viruses or ransomware onto your network, causing all kinds of problems. Exploits of this type usually occur when your system has a bug that allows security to be bypassed or has been designed with flaws. They can also occur due to you or an employee making an error that gives the attacker access to your Unix system.
Once they have penetrated your system, the attacker can approach privilege escalation in two ways:
- Vertical privilege escalation, also known as privilege elevation, where the attacker takes a lower privilege he obtained and accesses functions or content reserved for higher privilege users or applications.
- Horizontal privilege escalation is the second form. This is when an attacker used those “normal” user privileges to access functions or content reserved for other normal users, perhaps to try to escalate his privileges.
How to Prevent Root Escalation on Unix/Linux systems
You don’t want either of these types of privilege escalation to occur in your Unix/Linux environment — a few strategies to reduce the risk of privilege escalation include the following:
- Address space layout randomization to make it more difficult for the attacker to cause a buffer overruns to execute privileged instructions at known addresses in memory
- Run applications with least privilege in order to reduce the ability of buffer overrun exploits to abuse the privileges of an elevated user
- Require kernel mode code to be digitally signed to prevent the attacker from impersonating an authorized user
- Use up-to-date antivirus software
- Make sure your systems are properly patched
- Use compilers that trap buffer overruns
- Encrypt your software and/or firmware components.
- Use an operating system with Mandatory Access Controls (MAC) such as SE Linux
Safeguarding Unix/Linux Privileged Passwords
It goes without saying that everything must be password protected. However, the management of your privileged passwords is as important as the password itself. Defense in depth dictates multiple layers of security at the point of access, and privileged password management specifically targets the first security layer.
When it comes to your privileged passwords, ideally, you should also try to severely limit the use of Unix/Linux root accounts. Organizations with basic needs can start with utilities such as sudo, which can allow an administrator to elevate privileges while keeping the user accountable and keeping the attacker out.
One of the major problems for Unix/Linux root accounts is the tendency for users to share accounts and passwords. Unfortunately, in the case of shared accounts, as well as for certain configuration changes, root access is still required. Access to both your sudo and the root passwords need to be strictly controlled, and only one individual should know a password at any point in time to ensure there is accountability for any actions taken using the account. These accounts should also have their passwords rotated on a regular basis to prevent any brute force attacks aimed at hacking passwords.
Privileged Single Sign-On (SSO)
Single sign-on is a recent feature added to privileged access management products. The system administrator accesses the target platform via the privileged account management product's workstation client software or proxy server. Both mechanisms provide single sign-on because the system administrator is transparently logged into the target platform. Behind the scenes, the privileged account management software retrieves the password and logs the user onto the system via the session protocol. Using SSO with your Unix privileged accounts enhances your security because your system administrator does not have to have knowledge of the account password, nor can they share that single password.
Best Practices for Managing Privilege Elevation & Delegation & Protecting Identities on Unix/Linux Systems
So knowing all this “stuff” about securing your Unix/Linux system, how do you manage it all? Well, one of the best ways to enhance access control for your privileged accounts is to have detailed, policy-based delegation of privileges of the Unix/Linux root account. This will enable you deploy least-privilege access and enhanced individual accountability for Unix/Linux root account activity. Plus, its centralized management and reporting capabilities will ensure you meet even the most stringent compliance requirements.
Speaking of centralized management, it is almost impossible for you to manage your system manually, and it is even difficult to manage even with tools if these tools are not somehow centralized. One of the best measures you can take is to use a privileged access management (PAM) solution to configure and manage your Unix/Linux system. PAM allows you to do such things as:
- Monitor and audit sessions for unauthorized access, changes to files and directories, and compliance
- Reduce attack surfaces by eliminating credential sharing, enforcing least privilege, and elevating commands without requiring users to have root access.
- Analyze behavior to detect suspicious user, account and asset activity.
- Centralize your Unix systems management, policy and reporting.
The bottom line is that your business depends on the accuracy and privacy of the information you are entrusted with. Therefore, the value of managing the "who, what, where, when, how and why" regarding access to your information technology cannot underestimated. Privileged access management has numerous benefits that can solidify your information security. You would be wise to take advantage of this indispensable tool.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.