Linux Security Deep Dive: How LD_PRELOAD Makes It Possible to Audit and Control Root Users

Webinar Registration

Received knowledge firmly states that if you are root you can do anything; that there’s no control over you; you can circumvent any policy and avoid being monitored. In this webinar, I’m going to show you Linux’s dynamic linker and how it uses LD_PRELOAD environment variable. This provides a powerful way to intercept system calls and modify or replace the normal behavior of the library in question. The power of LD_PRELOAD is great, and it can be used for good or evil. But, why do we need LD_PRELOAD for controlling admins in the first place? Isn’t that what sudo is for? Let’s go back in time a bit…

In the elder days, all admins were created good and there was no need to limit their authority, audit their activities or even individually identify them. Everyone logged in as root—and it was like paradise.

But, then maturity (i.e. compliance, governance, and best practice) darkened the land and departments grew to hundreds and thousands. And root was now too powerful for everyone to be entrusted with.

So, a wise programmer built sudo so that certain accounts could be delegated specific privileges without tempting them with the full power of root. However, the sudoers file is written in a complicated language few can master, and its “default deny” model requires that every possible command a user might need to run as root be anticipated in advance. This led to many shops taking the easy way out and defining weak sudoers files that allow IT accounts to run any command, which largely defeats the purpose of sudo. In addition, evil individuals have found ways to bypass sudo by “shelling out” from applications allowed in sudoers. Sudo has ways to protect against this, but they tend to cause other problems. Malicious actors hide their nefarious commands in script files and find ways to execute them. 

The bottom line is that sometimes you still need to be root. Wouldn’t it be nice if there were a way to implement the opposite type of control? Whereas sudo is based on a “default deny” or whitelist concept, what we need is a default allow / blacklist control for when users really do need root access. 

That’s where LD_PRELOAD comes in. In this real training-for-free session, I’ll show you how dynamic libraries work in Linux (similar to DLLs in Windows) and how you can specify an alternative library to load before the normal library. As noted earlier, this gives you the ability to intercept systems calls and augment, replace, or just cancel the behavior of the intended library’s implementation of the function.

This technique does require some pretty sophisticated programming. And that’s where Paul Harper, from our sponsor BeyondTrust, comes in. Paul will show you how the Advanced Control and Audit (ACA) feature, released in PowerBroker for Unix & Linux 9.0, traps file system-related library calls and allow, disallow, and audit the calls. This enables you to specify operations (e.g. open/read/write/exec) that can or cannot be performed on a file (using shell style file patterns to match files) and will also specify an auditing level. This creates some incredible abilities to block specific actions by users with access to root, and creates an unprecedented audit trail, even of what happens inside scripts.

Please join me for this technical deep dive into how Linux works internally, and how that can be leveraged to provide control and audit over root access.

First Name:   
Last Name:   
Work Email:  
How many employees in your organization?:
What is your job function?:
What is your role within your department?:
I'd like to schedule a personalized demo with a BeyondTrust rep for:

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.



Additional Resources