To implement User Privilege Management with role-based restrictions and ensure regular audits on an Ubuntu 24.04 web server, we’ll follow a more comprehensive approach. This guide not only covers the basic steps but also introduces security best practices, advanced auditing techniques, and system hardening to create a robust, secure environment.

Step 1: User and Group Management (Role-Based Access Control)

Role-based access control (RBAC) ensures that users only have access to the resources required for their job roles. This reduces the risk of unauthorized access or privilege escalation.

1.1 Create Role-Specific Groups

First, create user groups based on job roles. These roles will determine the level of access to the web server and its resources.

• Create groups for roles like admin, developer, web-admin, etc.:

  sudo groupadd admin
  sudo groupadd developer
  sudo groupadd web-admin
  sudo groupadd auditor  # For auditing purposes

• Add users to groups:

  sudo usermod -aG admin adm-user
  sudo usermod -aG developer dev-user
  sudo usermod -aG web-admin web-user
  sudo usermod -aG auditor audit-user

Best Practices:

• Follow the Principle of Least Privilege: Assign the minimum necessary permissions to each group.
• Separate Duties: Ensure no single group or user has full control over the entire system, limiting potential damage in case of compromise.
• Periodic Access Review: Conduct quarterly or monthly reviews to remove unnecessary privileges from users who no longer need them.

Step 2: Directory and File Permissions

Set permissions on critical files and directories, like the web root (/var/www/html), to prevent unauthorized access or modification.

2.1 Set Ownership and Permissions

Ensure that files are owned by the appropriate group, and set restrictive permissions.

• Change ownership of web directories to the web-admin group:

  sudo chown -R root:web-admin /var/www/html

• Set directory permissions to ensure only the web-admin group can write to the directory:

  sudo chmod -R 750 /var/www/html

  This grants full access to the owner (root), read and execute permissions to the group (web-admin), and no access to others.

Best Practices:

• Limit Write Access: Only web-admin should have write access to web files. Developers can have read-only access unless they need to deploy code.
• Disable Unnecessary Services: Ensure that files and directories related to unused services (e.g., FTP) have restricted access or are removed to reduce the attack surface.

Step 3: Using sudo for Role-Based Privileges

The sudo command allows you to control which users or groups can run specific commands with elevated privileges. This helps avoid giving full administrative privileges unnecessarily.

3.1 Configure sudo Access by Role

Edit the /etc/sudoers file to allow specific commands based on user roles.

• Edit the sudoers file:

  sudo visudo

• Grant specific privileges to groups: For example, to allow the web-admin group to restart the web server but not other system services:

  %web-admin ALL=NOPASSWD: /usr/sbin/systemctl restart apache2

• Restrict sudo access to developers: Developers may need access to logs but should not be able to restart services:

  %developer ALL=NOPASSWD: /bin/journalctl -u apache2

Best Practices:

• Avoid Granting Full sudo Access: Only allow specific commands rather than blanket administrative access.
• Use NOPASSWD Carefully: For sensitive commands, require password input, but for routine tasks like checking logs, it may be safe to avoid this step for efficiency.

Step 4: Implementing User Auditing with auditd

Auditing helps track user activities and can alert administrators to suspicious behavior. The auditd daemon is a robust Linux auditing tool.

4.1 Install and Configure auditd

Install the audit daemon and configure it to monitor sensitive files, commands, and user activity.

• Install auditd:

  sudo apt install auditd audispd-plugins

• Enable and start the service:

  sudo systemctl enable auditd
  sudo systemctl start auditd

4.2 Set Audit Rules

Audit rules specify which events to monitor. Common rules include monitoring access to critical directories and tracking changes to system files.

• Monitor access to /etc/apache2/ (the Apache configuration directory):

  sudo auditctl -w /etc/apache2/ -p wa -k apache-config

• Track any changes to the /var/www/html directory (the web root):

  sudo auditctl -w /var/www/html/ -p war -k web-content

• Monitor usage of sudo:

  sudo auditctl -w /etc/sudoers -p wa -k sudoers-change

4.3 Audit Log Review

Audit logs are stored in /var/log/audit/audit.log. You can query logs using ausearch or create automated alerts based on specific keywords.

• View specific logs:

  sudo ausearch -k apache-config
  sudo ausearch -k web-content

Best Practices:

• Rotate Audit Logs: Set up log rotation to prevent disk space exhaustion. Configure logrotate to handle audit logs:

  sudo nano /etc/logrotate.d/audit

  Example log rotation configuration:

  /var/log/audit/*.log {
      daily
      missingok
      rotate 14
      compress
      delaycompress
      notifempty
      postrotate
          /etc/init.d/auditd reload > /dev/null 2>&1 || true
      endscript
  }

• Monitor Privileged Access: Keep an eye on logs for suspicious sudo usage or access to restricted areas.

Step 5: SSH Configuration and Access Management

Ensure that SSH access is restricted to authorized personnel and disable unnecessary features for increased security.

5.1 Disable Root Login via SSH

Allow users to log in with their own accounts and use sudo to gain root privileges. This prevents direct root login over SSH.

• Edit the SSH configuration:

  sudo nano /etc/ssh/sshd_config

• Set the following options:

  PermitRootLogin no
  PasswordAuthentication no  # Enforce SSH key-based authentication
  AllowGroups admin web-admin  # Restrict SSH access to specific groups

• Restart the SSH service:

  sudo systemctl restart ssh

5.2 SSH Key-Based Authentication

Disable password authentication and enforce key-based authentication for added security.

• Generate SSH keys: On the client machine:

  ssh-keygen -t rsa -b 4096

• Copy the public key to the server:

  ssh-copy-id user@your-server-ip

Best Practices:

• Use Strong SSH Keys: Ensure SSH keys are at least 4096 bits for stronger encryption.
• Limit SSH Access: Only allow necessary users and groups to access the server via SSH.
• Implement Fail2Ban: Use fail2ban to block IP addresses after repeated failed login attempts.

Step 6: Regular Security Audits

Ensure that your server undergoes regular audits, including checking user access and system vulnerabilities.

• Check for Unused Accounts: List all users and disable or remove any that are no longer needed:

  sudo cut -d: -f1 /etc/passwd
  sudo userdel -r unused-user

• Review Active Group Membership:

  getent group admin
  getent group web-admin

• Run System Security Audits: Tools like Lynis can help audit your server for security issues:

  sudo apt install lynis
  sudo lynis audit system

By implementing these best practices, you’ll have a highly secure Ubuntu 24.04 web server with tightly controlled user privileges, regular auditing, and minimal attack surface. This setup ensures that only authorized personnel can access critical resources, with extensive logging and auditing for accountability.