Root User Login Alerting in GCP

Introduction

The root user is the most powerful user account on a Linux system. It has full administrative privileges, which means it can do anything on the system, including:

  • Create and delete users and groups
  • Change system settings
  • Install and remove software
  • Access any file on the system
  • Load kernel modules and change kernel parameters

The root user is the account with a UID (user ID) of 0; the username "root" is the convention, but any account with UID 0 has the same privileges. This makes root a prime target for attackers, so it is important to monitor and alert on root logins and on escalations to root.

Some reasons why root user login alerting is required:

  • To detect unauthorized access: The root user can make any change to the system, so unauthorized use of the root account must be detected quickly. Monitoring root logins lets you be alerted to suspicious activity and act to protect the system.
  • To investigate suspicious activity: Even if you trust all of your users, someone's credentials may have been compromised. A record of who became root, when, and from which terminal gives you the timeline needed to investigate.
  • To comply with security regulations: Many security regulations require organizations to monitor for and report unauthorized access to sensitive systems. Monitoring root logins helps your organization meet these requirements.

How can this be implemented?

Google Cloud Platform (GCP) provides a number of tools that can be used to monitor root user logins. In this blog post, we will show you how to create a log-based alert that will notify you whenever a root user logs in to a GCP instance.

Below are some common ways of obtaining a root shell through sudo on a Linux machine (an already logged-in user escalating to root, rather than a direct login as root):

sudo -i      # root login shell (runs root's login scripts)
sudo su      # switch to root via su, non-login shell
sudo su -    # switch to root via su, login shell

All of the above escalations to root go through sudo, so they can be captured by sudo's own logging and alerted on in near real time. Direct root logins over SSH, or a plain su without sudo, take a different path and are logged by sshd and PAM rather than by sudo; they need their own log source.

Google Cloud Platform (GCP) offers good tools for streaming logs and alerting on them. We are going to use the components below to build a sudo-to-root login alerting mechanism in GCP.

  • Sudoers file configuration: Create a drop-in file in the /etc/sudoers.d folder that sets a dedicated sudo log file (the logfile Defaults option), so every sudo command executed on the Linux VM is written to a file that can be streamed to Cloud Logging by the Ops Agent.
  • Google Ops Agent: Install the Ops Agent on the Linux VM and configure a files receiver for that log file. This is what streams the log lines from the machine to Cloud Logging.
  • GCP log-based alerting policy: A log-based alerting policy in Cloud Monitoring selects the matching entries from the streamed logs (here, sudo commands run as root that start a shell) and triggers a notification.
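The three components above, written out as an added example (this is not the post's own configuration): a shell script that renders the sudoers drop-in, the Ops Agent config and the alert filter, and checks the filter's regular expression locally against constructed sudo log lines before it is trusted in Cloud Logging. The log path /var/log/sudo.log, the receiver name sudo_log, the drop-in file name 90-logfile and the project ID my-project are assumptions chosen for illustration; the sample log lines are constructed in sudo's logfile format, not real data.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: /var/log/sudo.log,
# receiver sudo_log, drop-in 90-logfile, project my-project.

# 1. Sudoers drop-in: sudo writes every authorised command to a dedicated
#    log file. loglinelen=0 stops sudo wrapping long lines, so each
#    invocation stays on one line for the log receiver.
render_sudoers() {
  cat <<'EOF'
Defaults logfile=/var/log/sudo.log
Defaults loglinelen=0
EOF
}

# 2. Ops Agent config: a "files" receiver tails the sudo log and a pipeline
#    ships it to Cloud Logging, where each line arrives as jsonPayload.message
#    under logName projects/<project>/logs/sudo_log.
render_ops_agent_config() {
  cat <<'EOF'
logging:
  receivers:
    sudo_log:
      type: files
      include_paths:
        - /var/log/sudo.log
  service:
    pipelines:
      sudo_pipeline:
        receivers: [sudo_log]
EOF
}

# 3. Log-based alert filter. USER=root selects commands run as root; the
#    COMMAND clause narrows that to interactive shells, i.e. the
#    "login as root" cases (sudo -i, sudo -s, sudo su, sudo su -).
#    Drop the COMMAND clause to alert on every sudo command run as root.
ROOT_SHELL_RE='USER=root ; COMMAND=(/usr)?/bin/(su|bash|sh|zsh|dash)( |$)'
render_alert_filter() {
  printf 'resource.type="gce_instance"\nlogName="projects/%s/logs/sudo_log"\njsonPayload.message=~"%s"\n' "$1" "$ROOT_SHELL_RE"
}

# Local check of the same pattern against one sudo log line:
# returns 0 when the line is a root shell, 1 otherwise.
is_root_shell() {
  printf '%s\n' "$1" | grep -Eq "$ROOT_SHELL_RE"
}

# Constructed sample lines in sudo's logfile format (not real log data).
SAMPLE_LINES='Aug  2 08:36:01 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su -
Aug  2 08:37:12 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Aug  2 08:38:40 : bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Aug  2 08:39:05 : bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/bin/bash'

printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r line; do
  if is_root_shell "$line"; then echo "ALERT : $line"; else echo "ignore: $line"; fi
done

# Installing on a VM (needs root; commented out so the script runs anywhere):
#   render_sudoers > /etc/sudoers.d/90-logfile && chmod 440 /etc/sudoers.d/90-logfile
#   visudo -cf /etc/sudoers.d/90-logfile      # syntax check before it takes effect
#   render_ops_agent_config > /etc/google-cloud-ops-agent/config.yaml
#   systemctl restart google-cloud-ops-agent
#   render_alert_filter my-project             # paste into the alerting policy query
```

Run the script as-is to see which of the sample lines would fire the alert: the two shell invocations by alice are flagged, the apt-get run and the shell as postgres are not. The same regular expression is used for the local check and for the Cloud Logging filter, so a change to one is tested against the other before it reaches the alerting policy.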

Refer to this blog for step-by-step instructions on building root user login alerting on GCP for a Linux VM.

This solution uses native GCP components and Linux system configuration to provide the alerting. The same approach extends to logins as other functional or service accounts by changing the target user the alert filter matches. One caveat: an attacker who has already obtained root can edit the sudo log file or stop the Ops Agent, so the value lies in the lines that were shipped before that happened; keep the streaming and alert latency short.

Refer to the GCP resource links below on the Ops Agent and log-based alerting policies for more details.

GCP Resources links:

Ops Agent Installation Guide

Ops Agent Configuration Guide

Log Based Alerting Policy

Comments
Lauren_vdv
Community Manager

Love it! Thanks for sharing this @ManjuMJ @s_ramakrishnan @stotapally 

Version history
Last update:
08-02-2023 08:36 AM