The root account is the ultimate all-access pass on Linux. In 2020, attackers exploited a misconfigured AWS instance where the application ran as root, leading to full database exfiltration. If the app had been running as a dedicated user with only required capabilities, the damage would have been contained. This lesson teaches how to lock down the root account, construct precise sudo rules, and understand the sudo session lifecycle to minimize privilege exposure.
The root account should never be used for direct login. Disable its password with passwd -l root and set an expired or impossible password hash. Ensure SSH is configured with PermitRootLogin no. On systems that require recovery console access, set a grub password and enforce single-user mode authentication. The only path to root should be via sudo from authorized users, providing an audit trail.
After this, even if someone guesses the root password, they can't get a shell. The account still exists for UID 0 process ownership, but interactive login is impossible.
# Harden /etc/pam.d/login to enforce login restrictions
echo 'auth required pam_securetty.so' >> /etc/pam.d/login
# and remove all ttys except tty1 from /etc/securetty💡 pam_securetty.so restricts root logins to terminals listed in /etc/securetty. On modern cloud instances, this file should be empty or contain only console=.
Avoid blanket sudo ALL=(ALL) ALL entries. Instead, define command aliases and per-user rules with allowed command paths and arguments. Use the NOPASSWD flag sparingly and only for specific commands. Combine with timestamp_timeout=0 to force credential re-entry for every sudo invocation, reducing the risk of session hijacking. Implement centralized sudo policy management with LDAP (sudoers.ldap) for consistency across servers.
# /etc/sudoers.d/ops
# Operator group can restart services but not edit configs
%operator ALL=(root) /usr/bin/systemctl restart apache2, /usr/bin/systemctl status *
Defaults:%operator timestamp_timeout=0This rule permits operators to restart Apache and check service statuses, but not to stop or modify services. The wildcard 'status *' uses sudo's limited pattern matching, while restart is explicitly allowed only for apache2.
| sudoers Directive | Purpose | Security Note |
|---|---|---|
| ALL=(ALL) ALL | Full root access | Never use in production |
| NOPASSWD: | No password prompt for specific commands | Risk of token hijacking |
| timestamp_timeout=0 | Require password every sudo call | Prevents session replay |
| !authenticate | Skip authentication entirely | Only for automated service accounts with extreme caution |
Sudo logs to syslog by default, but you can enhance it by enabling sudo's I/O logging (log_input, log_output) to capture entire session transcripts. Forward these logs to a centralized SIEM. Set up alerts for failed sudo attempts and for commands that are outside the expected usage pattern. The sudoers option mail_badpass sends an email on a failed password attempt, providing real-time notification of potential brute-force.
⚠️ Sudo rules with wildcards can be dangerous. For example, /usr/bin/cat * allows reading any file including /etc/shadow. Always audit command paths and argument patterns.
Verify exercises to earn ★ 140 XP and unlock next lab level.