Slashdot Mirror


Designing A Linux Distribution For NASA?

Zenker asks: "At NASA we are offering Linux as an alternative to Windows for anyone who wants it. I am working on a contract that puts a new computer on everyone's desktop and we will provide support and services for them. I need to assemble a distribution that will have all the necessary applications without flooding them with numerous options. I don't want to support every word processor and every spreadsheet out there. A good security policy is also necessary. What distribution would you use as a base for supporting a few hundred Linux desktops? Which applications would be standard for your office suite? What would your security policy be?"

1 of 22 comments

  1. Ahh, OK, my .02 USD from marginal similar exp. by StandardDeviant · Score: 4

    I have admin'd in a few middling-large environments (one, at a math dept with ~450 desktops, the other, at a chip designer firm with ~300 (and ~150 nodes in a sim farm); these numbers are subject to my bad memory). There are a few tips I have arrived at and have observed others say that may help:

    One: NFS mount /home. Preferably not off of a Linux NFS server; apparently Linux still isn't as good as, say, Solaris WRT NFS serving. Also note that, in the Linux distros I've used in NFS/NIS environments, if the NFS/NIS server goes down and comes back up, the Linux clients can exhibit "odd" behavior. odd == {not coming back up, etc}. Both the client and server NFS funkiness may not be an issue with the new kernel, btw. This allows for _much easier_ centralized backup (tape library, raid, whatever). I imagine you already have your own network-centric user authentication system like NIS(+), ldap, kerberos, whatever. A second benefit to this is that if a user's machine dies, and you have a stock of "premade" workstations, you can just plug it in and they're back up. This requires a minimal bit of education WRT "keep all your shit in /home" but it's worth it.

    Two: (this from an article written by the head admin @ RH). Use a source control system for your config files. That way you can track versions, changes, retrieve old versions, etc. CVS was the referenced system. This makes mucho sense when you think about it, as config file nightmares are enough to give the sturdiest admin pause.

    Three: security is of course a combination of many things. Network security is outside of the question's space, and I assume you already have that aspect covered anyway (NB: OpenBSD makes a kickass firewall router if you are looking for a cisco/lucent/whatever alternative). WRT host-based security, just turn off all the services you don't need. That's step #1. Axe inetd. Use shadow/MD5 passwords, or customize the distro to use something else secure (OTPIE, kerberos, isn't there encrypted NIS+ transmission?, et al. (the places I've worked at haven't been more paranoid than shadow/MD5 for the workstations)). Have a centralized loghost that you spend a LOT of time securing. (OTPIE == one time passwords in everything. a google search will pull it up; I think it's discussed in the ORA Practical Unix and Internet Security book). There are other tweaks that can be done but I think what I've described will take you a long way. There is a book on the LDP (Linux Documentation Project) called Securing and Optimizing Linux that was IIRC pretty good.

    The previous posters were all pretty much dead on that a pre-extant distro is probably what you want to start with. Either Debian or Mandrake/RH would do fine. Debian's package management system is pretty neat once you get used to it. Mandrake has an interesting install-time option that lets you affect system security on a wholesale level (file and dir permissions, su-ability, blah blah) via a selection box ranging from "Hello, Crackers!" to "Insane" or some such. Of course you may also have the resources to build a distro effectively from scratch to exactly fit your needs. Whatever works. I will say the one-step installs like KickStart (RH/?Mandrake?) or a Big Ass (tm) shell script launched from a boot/root floppy combined with a central media mount point (e.g. an NFS'd cdrom or an FTP dir) are _nice_ when you have 100s of machines to install. There was an article in the most recent LJ (maybe it was the one before that) about this.

    WRT apps, StarOffice is OK. It gets the job done but you'll probably want 128+ MB of ram and a 400+ MHz processor. Browsing with Netscape is tolerable as long as you don't expect much. Groupware is a whole other thread in the making, and has shown up at least three times here on /. in the past week. That's probably the common subset of functionality the users will need (i.e. programmers and secretaries both check mail). After that, well, it depends on the users. If they're programmers, well, Linux is a programmer's _dream operating system_ IMNSHO. As far as desktops go, I know that gdm (gtk-using-update of xdm) can launch different sessions selectively. So give them KDE, GNOME+(E/fvwm2/Afterstep/Whatever), or any other combo of things your black sysadmin heart desires and let the users choose what they like the best. StarOffice, Netscape, and xterm/rxvt/et al. work the same in pretty much any desktop environment. KDE is particularly easy for most win32 users to adapt to.

    Sorry if it seems like I have babble mode on, but I'm up late. ;-) Good luck! I'd offer to help in person (I'm in Texas, so is JSC, so there's a chance we're in the same area code) but I somehow doubt a national agency is going to be thrilled to have a 22-year-old goth punk who is probably utterly incapable of getting a security clearance (for pretty much all the reasons you could think of except being a spy for a foreign power) poking about their network...

    Last tangential thought: ask the fellows over in the NSA about how they did it. Since they just released NSALinux v.01 or some such they have probably tested its use internally and in a similar environment (.gov, $security++). Maybe you could collaborate to produce some guidelines for other .gov agencies looking to make the switch (USDOC-STD-1234-ABCD-LMNOP no doubt ;-) )...


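Editor's note: the host-hardening advice in the comment above ("turn off the services you don't need", "axe inetd", "use shadow/MD5 passwords") is the kind of thing you want to check on a few hundred desktops with a script rather than by eye. The example below is an added illustration and is not code from the poster or from any distribution's tooling. It audits passwd(5), shadow(5) and inetd.conf(5) style content for accounts whose hash still sits in world-readable /etc/passwd, accounts with an empty password field, accounts marked shadowed but missing from the shadow file, traditional 13-character DES crypt hashes (the weaker alternative to the `$1$` MD5 hashes the comment recommends), and inetd services that are actually enabled. All three sample files are constructed for the example; on a real host you would read the files themselves, which needs root for /etc/shadow.

```python
"""Audit constructed passwd/shadow/inetd.conf content for the host-hardening
points made above: shadowed MD5 passwords and no unneeded inetd services.
The sample data below is constructed for the example, not taken from any host."""

import re

# A traditional crypt(3) DES hash is exactly 13 characters from this alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed /etc/passwd: 'legacy' keeps a DES hash in passwd, 'guest' has an
# empty password field, 'carol' is marked shadowed but has no shadow entry.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
legacy:ab7KJ3ObjWpQI:1001:1001:Legacy User:/home/legacy:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
carol:x:1004:1004:Carol:/home/carol:/bin/bash
guest::1005:1005:Guest:/home/guest:/bin/bash
"""

# Constructed /etc/shadow: root and alice use MD5 ($1$), daemon is locked (*),
# bob still has a DES hash.
SHADOW = """\
root:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
alice:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:11000:0:99999:7:::
bob:Xy7KJ3ObjWpQI:11000:0:99999:7:::
"""

# Constructed /etc/inetd.conf: only uncommented lines are live services.
INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server_path> <args>
#echo    stream  tcp  nowait  root    internal
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""


def classify_hash(field):
    """Classify the password field of a passwd or shadow entry."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"            # no password can match
    if field.startswith("$1$"):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def parse_colon_file(text):
    """Map account name -> list of fields, skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit_passwords(passwd_text, shadow_text):
    """Return sorted (user, finding) pairs for accounts that fall short of
    'shadowed MD5 passwords'. Locked accounts and MD5 hashes pass."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        kind = classify_hash(fields[1])
        if kind == "empty":
            findings.append((user, "empty password field: login without a password"))
        elif kind in ("md5", "des", "unknown"):
            findings.append((user, "hash kept in world-readable /etc/passwd; not shadowed"))
            if kind == "des":
                findings.append((user, "traditional DES crypt hash; weaker than MD5"))
        elif kind == "shadowed":
            if user not in shadow:
                findings.append((user, "marked 'x' in passwd but has no shadow entry"))
                continue
            skind = classify_hash(shadow[user][1])
            if skind == "empty":
                findings.append((user, "empty password field in shadow"))
            elif skind == "des":
                findings.append((user, "traditional DES crypt hash in shadow; weaker than MD5"))
            elif skind == "unknown":
                findings.append((user, "unrecognised hash format in shadow"))
    return sorted(findings)


def active_inetd_services(inetd_text):
    """Service names inetd would actually start: the uncommented, non-blank lines."""
    return [line.split()[0] for line in inetd_text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


if __name__ == "__main__":
    for user, finding in audit_passwords(PASSWD, SHADOW):
        print(f"{user}: {finding}")
    print("inetd services still enabled:", ", ".join(active_inetd_services(INETD_CONF)))
```

Run against the constructed data it flags bob, carol, guest and legacy and reports ftp and telnet as live inetd services; root, daemon and alice pass. Pointed at real files it is a quick per-host check you can run from the same kickstart or post-install script that disables the services, and the output is exactly what you would want shipped to the central loghost the comment recommends.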