Zero Trust on Linux.
explained like a real person.
Every vendor has it on their website. Every job post wants it. Nobody can actually explain it. Let’s fix that.
- Where the old model came from and why it completely fell apart
- What Zero Trust actually says — not the sales pitch version
- The three core principles, broken down like you’re a person
- How this maps to stuff you already do on Linux servers
- Hands-on: applying it to a real server right now
- What Zero Trust is NOT (vendor edition)
- Final checklist to audit where you stand
Where the old model came from and why it completely fell apart
Picture it: it’s 2003. Everyone works in the office. The servers are in the building. The firewall is the big scary wall between you and the internet, and if you’re inside the wall you’re basically family. Trusted. Welcome. Help yourself to the file share.
This is called perimeter-based security and for its time it made total sense. The logic was: we know who’s inside, the bad guys are outside, and the wall keeps them out. Simple. Clean. Wrong, eventually, but clean.
Then a few things happened all at once. Cloud computing put servers outside the building. VPNs let people work from anywhere. Mobile devices meant your “trusted employee” was now connecting from a coffee shop on public wifi. SaaS apps meant company data lived in systems the company didn’t even own. The perimeter just dissolved. There was no inside anymore.
But companies kept building thicker walls around a perimeter that didn’t exist anymore. Which is like putting a really good lock on a door that has no walls around it. Classic.
The real nail in the coffin: attackers figured out the easiest way in wasn’t through the firewall. It was a phishing email. One click from one tired employee and suddenly someone with bad intentions is inside the network, being treated like a trusted colleague, moving around freely. The firewall never saw it coming because the threat came from inside the house.
What Zero Trust actually says
Zero Trust is built on one principle: never trust, always verify. That’s it. That’s the whole thing. Everything else is implementation details.
In the old model, trust came from location. You’re inside the network? You’re trusted. Zero Trust throws that out entirely. It does not care where your request comes from. Every single request gets verified. Every time. No free passes.
John Kindervag coined the term at Forrester in 2010. Core idea: treat every user, device, and network flow as untrusted by default. Verify identity explicitly. Use least-privilege access. And crucially: assume breach.
Those last two words are doing heavy lifting. Assume breach. Traditional security assumed the goal was keeping attackers out. Zero Trust assumes they’re already in, or will be, and asks: how do we limit the damage? Instead of one big wall, you build a lot of small walls everywhere. So when something breaks through, it can’t go anywhere.
The three core principles, broken down like you’re a person
1. Verify explicitly. Every access request gets checked against everything available: who are you, what device are you on, is that device patched and healthy, where are you connecting from, does this behavior look normal for you? It’s not just “what’s your password.” It’s a whole vibe check every single time.
In practice this means MFA is not optional anymore. It means short-lived credentials that expire instead of sessions that stay open for a week. It means checking device health before handing over access.
2. Least privilege access. You get exactly what you need to do your job and not one byte more. The developers in the RHEL 9 post could restart Apache. That was it. They couldn’t touch /etc/shadow, modify users, or mess with system configs. That’s least privilege doing its job.
3. Assume breach. Build every system like someone is already inside watching. Encrypt internal traffic because maybe someone is sniffing it. Log everything because you’ll want receipts when something goes sideways. Segment the network so one compromised machine doesn’t hand over the whole environment.
How this maps to stuff you already do on Linux servers
If you’ve been following good sysadmin hygiene, you’re already doing Zero Trust. You just weren’t calling it that because the name is annoying.
SSH key auth instead of passwords is explicit verification. Cryptographic proof of identity instead of a string of characters someone can guess or steal from a sticky note.
The sudoers config from the RHEL 9 post is least privilege. Scoped access by role, not “everyone gets sudo because it’s easier.”
Disabling root login over SSH is assume breach. Even if credentials get stolen, direct root access is blocked. Audit trail stays intact.
firewalld zones are network segmentation. Traffic only flows where it’s supposed to. Everything else gets quietly dropped.
The difference between doing these things randomly and doing them as a Zero Trust strategy is intentionality. One is good habits. The other is a system designed to contain damage when something breaks.
Hands-on: applying it to a real server right now
Add MFA to SSH. Key auth is solid. Key auth plus a one-time code is better.
# RHEL 9 / Rocky / CentOS Stream sudo dnf install google-authenticator -y google-authenticator # run as the user, not root
Update sshd_config to require both factors:
ChallengeResponseAuthentication yes AuthenticationMethods publickey,keyboard-interactive
Segment services with firewalld. Your database should not be visible to the internet. Just no.
# remove mysql from public zone entirely sudo firewall-cmd --zone=public --remove-service=mysql --permanent # only allow your app server to reach it sudo firewall-cmd --zone=public \ --add-rich-rule='rule family="ipv4" source address="192.168.1.50" port port="3306" protocol="tcp" accept' \ --permanent sudo firewall-cmd --reload
Log everything and actually look at it.
sudo dnf install audit -y sudo systemctl enable --now auditd # watch sudo usage in real time sudo journalctl -f | grep sudo # check recent auth events sudo ausearch -m USER_AUTH,USER_ACCT -ts recent
Review access regularly.
# who has sudo access right now sudo grep -r 'ALL=(ALL)' /etc/sudoers /etc/sudoers.d/ # accounts that haven't logged in recently sudo lastlog | grep -v 'Never logged in' | grep -v Username
What Zero Trust is NOT (vendor edition)
It’s not a product. Every security vendor on earth will try to sell you a “Zero Trust solution.” Some of those tools are genuinely useful. None of them are Zero Trust by themselves. You can buy all of them and still have a fundamentally broken architecture if the thinking isn’t there.
It’s not all-or-nothing. You don’t flip a switch and achieve Zero Trust. You improve incrementally. MFA here, segmentation there, least privilege everywhere you can reach.
VPN is not Zero Trust. A VPN puts you inside the perimeter. That’s literally the opposite of what Zero Trust is about.
”Zero Trust means trusting nothing ever” is wrong. It doesn’t mean trust is never granted. It means trust is never assumed. Big difference. One is paranoia, the other is architecture.
Final checklist: audit where you stand
# 1. root SSH login is off sudo sshd -T | grep permitrootlogin # 2. password auth is disabled sudo sshd -T | grep passwordauthentication # 3. MFA is configured sudo grep pam_google_authenticator /etc/pam.d/sshd # 4. firewalld zones are intentional sudo firewall-cmd --get-active-zones sudo firewall-cmd --zone=public --list-all # 5. no unnecessary services exposed sudo firewall-cmd --zone=public --list-services # 6. sudo is scoped sudo grep -r 'ALL=(ALL)' /etc/sudoers /etc/sudoers.d/ # 7. app processes not running as root ps aux | grep -E 'httpd|nginx|mysql|postgres' | grep -v root # 8. auditd is running sudo systemctl status auditd # 9. no dormant accounts with active permissions sudo lastlog | grep -v 'Never logged in'
Nine checks. No enterprise software required. No security budget needed. Just understanding the model and applying it on purpose, one layer at a time. That’s it. That’s Zero Trust.