Posted January 19

You are reading Part 28 of the 57-part series: Harden and Secure Linux Servers. [Level 3]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

The Principle of Least Privilege (PoLP) ensures that users, processes, and applications only have the minimum level of access necessary to perform their tasks. This helps:

✅ Prevent accidental or intentional system damage from overly privileged accounts.
✅ Reduce the risk of privilege escalation attacks (where attackers exploit excessive permissions).
✅ Limit the impact of compromised accounts, reducing what an attacker can do.

By following PoLP, you minimize security risks and increase overall system resilience.

How to Implement PoLP in Linux

1. Restrict sudo Access (Limit Privileged Commands)

Instead of granting full sudo access, allow only specific commands per user.

Edit the sudoers file securely:

    sudo visudo

Assign specific privileges to a user:

    username ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx

(User username can restart Nginx but has no other sudo privileges.)

Restrict sudo access by group. Create the group and add the user to it:

    sudo groupadd limitedsudo
    sudo usermod -aG limitedsudo username

Then add the group rule to the sudoers file (via visudo):

    %limitedsudo ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2

(Users in the limitedsudo group can only restart Apache.)

2. Limit Permissions on Critical Files and Directories

Restrict write access to system files:

    sudo chmod 644 /etc/passwd
    sudo chmod 600 /etc/shadow

Set user-specific file permissions using ACLs:

    sudo setfacl -m u:username:r /var/log/syslog

(Grants username read-only access to /var/log/syslog.)

3. Apply Least Privilege to Database Users

Instead of giving full database access, assign only necessary privileges.

Create a MySQL user with restricted access:

    -- "database" is a placeholder name; it is a reserved word in MySQL,
    -- so it must be quoted with backticks
    CREATE USER 'dbuser'@'host' IDENTIFIED BY 'strongpassword';
    GRANT SELECT, INSERT ON `database`.* TO 'dbuser'@'host';

(User dbuser can only SELECT and INSERT in database, not DELETE or DROP tables.)

Revoke excessive privileges:

    REVOKE ALL PRIVILEGES ON `database`.* FROM 'dbuser'@'host';

4. Enforce Least Privilege for Services and Processes

Run applications with non-root users. For web servers (Nginx/Apache):

    # Create the group named in the unit file below, then the system user
    sudo groupadd -r webgroup
    sudo useradd -r -g webgroup -s /sbin/nologin webuser

Update service files to use a limited user:

    sudo nano /etc/systemd/system/myapp.service

    [Service]
    User=webuser
    Group=webgroup

Restart the service:

    sudo systemctl daemon-reload
    sudo systemctl restart myapp

Use chroot to isolate applications:

    sudo chroot /var/chroot/myapp

5. Monitor Privileged Actions and Enforce Least Privilege Policies

Check who has sudo privileges:

    sudo grep 'sudo' /etc/group

Log and monitor sudo usage:

    sudo grep sudo /var/log/auth.log

Use auditd to track privileged commands:

    # Watch /etc/sudoers for writes and attribute changes, tagged with the key sudo_changes
    sudo auditctl -w /etc/sudoers -p wa -k sudo_changes

Best Practices for PoLP Implementation

✅ Regularly review user and service privileges to remove unnecessary access.
✅ Use Role-Based Access Control (RBAC) where possible to enforce permissions per role.
✅ Limit access to root and admin accounts, and require MFA for administrative logins.
✅ Apply the least privilege principle to automation scripts by using dedicated service accounts.

By enforcing the Principle of Least Privilege (PoLP), you reduce attack surfaces, prevent privilege escalation, and enhance overall system security.
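To check that sudoers rules really follow the per-command pattern from step 1, the script below (an added example, not part of the original article) flags grants that are broader than one exact command line. The sample file and the deploy, backup and %ops accounts are constructed for illustration; aliases, includes and line continuations are not expanded.

```python
import re

# Constructed sample sudoers text (not from a real host). Lines 3-4 are the
# article's restricted rules; the accounts on lines 5-7 are hypothetical.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
username ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx
%limitedsudo ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
deploy ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) /usr/bin/systemctl
%ops ALL=(ALL) /usr/bin/systemctl restart *, /usr/bin/journalctl -u nginx
"""

# user-or-%group  host = [(runas)] command[, command ...]
RULE = re.compile(r"^(?P<who>[^\s=]+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD: or NOEXEC:
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def classify(command):
    """Return why a command spec is broader than one exact command, or None."""
    if command == "ALL":
        return "grants every command"
    if re.search(r"[*?\[]", command):
        return "wildcard in path or arguments"
    if len(command.split()) == 1:
        return "no arguments pinned, so any arguments are accepted"
    return None


def audit_sudoers(text):
    """Return (line number, who, command, reason) for each over-broad grant."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = None if line.startswith(SKIP) else RULE.match(line)
        if not match:
            continue
        for spec in re.split(r"(?<!\\),", match["cmds"]):  # unescaped commas separate commands
            command = TAGS.sub("", spec.strip())
            reason = classify(command)
            if reason:
                findings.append((lineno, match["who"], command, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real host, pass the contents of /etc/sudoers and each file under /etc/sudoers.d to audit_sudoers() and review every finding by hand.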