The root user is the most powerful user account on a Linux system. It has full administrative privileges, which means it can do anything on the system, including:
The root user is typically identified by the username "root" and a UID (user ID) of 0. This makes it a prime target for attackers, and it's important to have a way to monitor and alert root user logins.
Some reasons why root user login alerting is required:
Google Cloud Platform (GCP) provides a number of tools that can be used to monitor root user logins. In this blog post, we will show you how to create a log-based alert that will notify you whenever a root user logs in to a GCP instance.
Below are some examples of logging in as the root user on a Linux machine (text after # is a comment, not part of the command):
sudo -i        # start a root login shell
sudo su        # switch to root without a login shell
sudo su -      # switch to root with a full login shell
All of the above ways of becoming root can be captured from the system logs, and an alert can be triggered on the event in near real time.
Google Cloud Platform (GCP) offers excellent tools for streaming and alerting based on logs generated. We are going to use the below components to build a sudo login alerting mechanism in GCP.
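As an added example (not code from the original post or from GCP), the following Python script shows what the alerting rule actually has to match once the Ops Agent ships the auth log to Cloud Logging. It parses constructed sample lines in the standard syslog format that sudo and su write, flags only the interactive root logins (sudo -i / sudo -s, sudo su, sudo su -), deliberately ignores an ordinary privileged command such as "sudo apt update", and emits an equivalent Cloud Logging query. The sample log lines, the host and user names, and the assumption that the Ops Agent places the raw line in jsonPayload.message are all constructed for this illustration.

```python
"""Detect interactive root logins (sudo -i, sudo su, sudo su -) in auth log lines."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the syslog format used by /var/log/auth.log on
# Debian/Ubuntu (RHEL writes the same lines to /var/log/secure). They are
# illustrative, not copied from a real host.
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 vm-1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 10 09:12:01 vm-1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Jan 10 09:15:42 vm-1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su
Jan 10 09:15:42 vm-1 su: (to root) bob on pts/1
Jan 10 09:20:05 vm-1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su -
Jan 10 09:20:05 vm-1 su: (to root) carol on pts/2
Jan 10 09:25:00 vm-1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 09:27:30 vm-1 su: (to postgres) erin on pts/4
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<actor>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"\(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)$"
)
SHELLS = {"bash", "sh", "dash", "zsh"}


@dataclass(frozen=True)
class RootLogin:
    ts: str
    host: str
    actor: str
    tty: str
    via: str  # "sudo -i/-s", "sudo su", "sudo su -", or "su"


def classify_sudo_command(cmd: str) -> Optional[str]:
    """Label a sudo COMMAND that yields an interactive root shell; None otherwise."""
    parts = cmd.split()
    prog = os.path.basename(parts[0])
    if prog == "su":
        login_flags = {"-", "-l", "--login"}
        return "sudo su -" if login_flags & set(parts[1:]) else "sudo su"
    if prog in SHELLS:
        return "sudo -i/-s"  # both sudo -i and sudo -s log the shell as COMMAND
    return None  # e.g. "sudo apt update": privileged, but not a root login


def detect_root_logins(log_text: str) -> List[RootLogin]:
    """Return one event per interactive root login found in the log text.

    'sudo su' writes both a sudo line and an su line for the same session, so
    an su line is only kept when no sudo event exists for that ts/host/actor.
    """
    events: List[RootLogin] = []
    seen = set()
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m and m["target"] == "root":
            via = classify_sudo_command(m["cmd"])
            if via:
                events.append(RootLogin(m["ts"], m["host"], m["actor"], m["tty"], via))
                seen.add((m["ts"], m["host"], m["actor"]))
            continue
        m = SU_RE.match(line)
        if m and m["target"] == "root" and (m["ts"], m["host"], m["actor"]) not in seen:
            events.append(RootLogin(m["ts"], m["host"], m["actor"], m["tty"], "su"))
    return events


def cloud_logging_filter() -> str:
    """Equivalent Cloud Logging query for a log-based alert.

    Assumption: the Ops Agent logging receiver that collects the auth log
    stores the raw line in jsonPayload.message. Cloud Logging regexes use
    RE2 syntax, which the pattern below stays within.
    """
    return (
        'resource.type="gce_instance" AND '
        'jsonPayload.message=~"sudo: .* USER=root ; COMMAND=\\S*/(su|bash|sh|dash|zsh)( |$)"'
    )


if __name__ == "__main__":
    for event in detect_root_logins(SAMPLE_AUTH_LOG):
        print(f"{event.ts} {event.host}: {event.actor} -> root via {event.via} on {event.tty}")
    print(cloud_logging_filter())
```

The point worth noting is the false-positive trap: every sudo command opens a root PAM session, so a rule that keys on "session opened for user root" fires on "sudo apt update" as well. Matching the sudo COMMAND field against a shell or su, as above, keeps the alert to actual root logins; the Ops Agent receiver must be pointed at the file sudo writes to (auth.log on Debian/Ubuntu, secure on RHEL) for the query to see these lines at all.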
Refer to this blog for step by step instructions to build a root user login alerting on GCP for a linux VM.
This solution uses native GCP components and Linux system configuration to provide the alerting. With it in place, users can apply the same alerting to logins of other functional user accounts as well.
Refer to the GCP resource links below on the Ops Agent and log-based alerting policies for more details.
GCP Resources links:
Love it! Thanks for sharing this @ManjuMJ @s_ramakrishnan @stotapally