Is it possible to restrict a system to having only one root privilege access? Only the users "lala" and "root" have root access? I'm looking for a solution to prevent a hacker who has hacked the system from adding a new account on the system.
You should look for solutions to prevent the hacking in the first place. If someone is already in, adding user accounts is the least of your concerns. – Esa Jokinen Apr 16 '17 at 07:40
1 Answer
You must restore a compromised system from a known good backup. Very rarely can you be sure administrator level exploits are completely removed. See the canonical question on compromised servers.
Part of the prevention of compromise is through mandatory access controls such as SELinux. That restricts services to what they actually need.
And, develop intrusion detection. The addition of users can be detected through changed files detection, or log file analysis.
Edit: To answer your specific question, classic privilege management means any uid 0 is all powerful. This user does not have to be named 'root', and there could be multiple in /etc/passwd.
In practice, security controls mean not granting the ability to run arbitrary commands as root. Maybe adding more robust mandatory access control like SELinux. Plus auditing what happens to find any suspicious activity. Read comprehensive hardening documentation such as the RHEL security guide.
Mmm, I'm thinking of setting a restriction in the kernel to prevent any extra root privilege. – Nimafire Apr 16 '17 at 20:49
Like I said, mandatory access controls. Look at the policy in a distribution that ships with SELinux. Actually, read hardening manuals in general to have a better concept of multiple layers of defense. – John Mahowald Apr 18 '17 at 04:00
Mm, this is for a new system, not a hacked server. Before attaching the server to the internet I'm looking for a kernel solution to block adding a root user. – Nimafire Dec 17 '18 at 14:52
As I said, SELinux. Really, start with the basics and read hardening guides like the RHEL one I linked in my edit. – John Mahowald Dec 17 '18 at 15:18
Wow, a year and a half has passed and that server still isn't finished? – bodgit Dec 17 '18 at 15:29
I've had to disable SELinux for some reason. I hope someone working on the kernel knows the solution; I think it's possible to restrict root privilege from the kernel. – Nimafire May 05 '19 at 08:10
You do not need a Linux security module to restrict root effectively. Run your services as not root. Do not allow root login. Audit privilege escalation like sudo. Audit user creation. If you can run SELinux, that provides a "sandbox" that greatly isolates what a given context can do. – John Mahowald May 05 '19 at 11:12
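The detection side of the answer and of the last comment (spot any extra uid-0 entry in /etc/passwd, whatever it is named, and audit user creation by comparing against a known baseline) as an added example; this is not code from the original post or its authors. It assumes a baseline copy of the passwd file taken when the host was built and stored off the box; the passwd lines below are constructed sample data, "lala" is the second uid-0 user the question mentions, and "backup2" is a made-up name for the kind of account an intruder adds.

```python
"""Detect uid-0 accounts and account additions from passwd-format data.

Added example, not code from the original answer. It works over passwd-format
text so it runs offline on the constructed sample below; on a real host you
would feed it the current /etc/passwd and a baseline copy kept off-box.
"""
from typing import Dict, List, Sequence, Tuple

Account = Tuple[int, int, str]  # (uid, gid, login shell)


def parse_passwd(text: str) -> Dict[str, Account]:
    """Map user name -> (uid, gid, shell). Blank and '#' lines are skipped;
    a line without exactly seven colon-separated fields is rejected."""
    accounts: Dict[str, Account] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        accounts[name] = (int(uid), int(gid), shell)
    return accounts


def uid0_accounts(accounts: Dict[str, Account]) -> List[str]:
    """Every account whose uid is 0, whatever it is called (the answer's point:
    'root' is just a name, uid 0 is the privilege)."""
    return sorted(name for name, (uid, _gid, _shell) in accounts.items() if uid == 0)


def diff_accounts(baseline: Dict[str, Account],
                  current: Dict[str, Account]) -> Dict[str, List[str]]:
    """Names added, removed, or whose uid/gid/shell changed since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in common if baseline[n] != current[n]),
    }


def audit(baseline_text: str, current_text: str,
          allowed_uid0: Sequence[str]) -> List[str]:
    """Return findings as strings; an empty list means nothing suspicious."""
    baseline = parse_passwd(baseline_text)
    current = parse_passwd(current_text)
    findings: List[str] = []
    for name in uid0_accounts(current):
        if name not in allowed_uid0:
            findings.append(f"unexpected uid 0 account: {name}")
    delta = diff_accounts(baseline, current)
    for kind in ("added", "removed", "changed"):
        for name in delta[kind]:
            findings.append(f"{kind} account: {name}")
    return findings


# Constructed sample data (not from any real host). 'lala' is the second
# uid-0 account the question allows; 'backup2' and the shell change on 'bob'
# are the kind of modification an intruder makes after getting in.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lala:x:0:0:lala:/home/lala:/bin/bash
bob:x:1001:1001:bob:/home/bob:/usr/sbin/nologin
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lala:x:0:0:lala:/home/lala:/bin/bash
bob:x:1001:1001:bob:/home/bob:/bin/bash
backup2:x:0:0::/var/tmp:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit(BASELINE_PASSWD, CURRENT_PASSWD, allowed_uid0=("root", "lala")):
        print(finding)
```

Run it periodically from cron or a file-integrity job against the live /etc/passwd, and keep the baseline where an intruder with uid 0 cannot rewrite it (a remote log host or a read-only medium); a check whose baseline lives on the same box tells you nothing once uid 0 has been taken.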