Locking Down Linux Desktops In an Enterprise?
supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSE Desktop Enterprise and Red Hat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"
Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings?
Give users unprivileged accounts, and either
1) uninstall the "forbidden" programs
or
2) chmod them so that only root can access them.
Piece of cake.
Or, am I missing something?
Use puppet to enforce configuration: http://reductivelabs.com/products/puppet/
Issue everyone Mittens!!!! They are relatively cheap and make it oh so hard to type terminal commands when worn.
SELinux might be worth looking into? It can do some very specific policy-enforcement, although I am unsure whether or not it can do so on a per-user or per-group basis...
Well, connection to the outside would be possible with certain network policies... proxy and such... but on the desktop by itself, hmmm, dunno.
Why not use LTSP? That way you only have to worry about whatever image(s) you keep on the server.
Stay with MS.
Switching to Linux would mean: more work for you, more money spent and frustrated office workers.
so expensive that it's cheaper to leave M$ on!
If you want to be taken seriously, please lern 2 spel currektly. I'm not a Microsoft fan, but it sure is annoying seeing it spelt like that.
If you are talking stand-alone desktops then it's not so great. Linux doesn't really have anything as good as group policies and Active Directory; it's part of the reason corporate networks are mostly Windows.
If you mod me down, I will become more powerful than you can imagine....
When a software company cuts off an operating system at the knees as Microsoft has done with XP in order to prompt you to spend more money, then the albeit childish acronym of "M$" does indeed apply. The sad part is that Vista STILL isn't ready for primetime and while Windows 7 shows promise as the real Vista SP2, it is not out yet and so you are stuck supporting users on an OS which isn't even for sale anymore.
I guess the first question is: what are you trying to accomplish? Are you trying to prevent users from installing additional software locally? Are you trying to ensure that particular applications get particular preferences set and users are prevented from changing those settings? What? Just saying "lock down the desktops" doesn't say what you're trying to actually do.
Remember that Unix is, in large part, designed to work correctly without needing to be locked down. Much is controlled simply by the system-wide configuration files. The rest tends to be controlled on the server side, so that users simply can't do unacceptable things regardless of how they configure their local user account.
I locked my linux box down last night with a chain & padlock.. I would say for a corporate environment you may need a bigger chain & padlock..
In linux world, there is yet to be a quick, 3 question and 1 button way to add the computer to a domain and then receive straight away:
- group policies - security and software install
- single password store (with cached passwords for notebooks that go away from the network)
- Patch update policy
The only thing Linux does right is work on technologies such as DHCP that were written for OTHER Unix O/S'.
Ubuntu is not interested in those things, they're more interested in making stories about koalas and hiding popup boxes.
Gnome is dead, Mono and moonlight took all their brains away.
kde is making a next-gen desktop but have yet to understand why so many IT shops have kept Windows at the office.
This is all depressing. Windoze will never be replaced at the current rate.
It ain't free but it ain't MS predatory pricing either. FTW Y/N?
Sig this!
A desktop where the user does not have su/sudo access is already pretty locked down -- the user can only write to his home directory and other directories that he/she has access to through normal permissions.
If you really want to lock it down, the user's home directory can be mounted in such a way that files cannot be executed from there.
What else is required?
The real "Libtards" are the Libertarians!
Tripwire will do it.
The real thing not the free one.
You can get canned policies for PCI compliance etc.
And now you know why Windows dominates the enterprise market.
Good luck.
Why is this insightful? It's no more insightful than saying "Linux Sux!"
Linux is fine for the enterprise desktop.
Want to lock stuff down? Don't give users root. If you want really fine-grained control, use SELinux.
What's the issue?
install microsoft windows
This one's actually got the highest score so far? WTF?
It depends on what group policies you have and what you want to do. First, don't use Ubuntu, or if you do, make sure to take the user out of the mix for sudo. Remove sudo and root access. Place everyone in LDAP and restrict / grant user access via LDAP groups. Make all shells restricted shells. Run ssh / vnc and an automated daemon for pushing out policy changes.
If you just manage the users properly and NFS mount applications it almost takes care of itself and doesn't need an extra layer of complexity.
Use PXE+XDMCP and the workstations become irrelevant.
---- Booth was a patriot ----
A while ago I was faced with a similar problem. The solution came from a "Black Book" that IBM has out on the net. See if these help you:
http://www-03.ibm.com/linux/migrate.html
http://searchenterpriselinux.techtarget.com/news/article/0,289142,sid39_gci1017088,00.html
You set up the machines to all boot over the network, from a common image, and to load all system files from a NFS share.
The only thing on the workstation is the user's $HOME directory, and some local stuff like /tmp, /var, etc.
Your users don't get root on their workstations. They shouldn't need it. This isn't like Windows, where a huge number of apps don't run correctly if you don't have admin rights. Linux is designed under the assumption that users don't have admin rights.
Maybe I'm being naive, but what more do you need?
I hate it when I make a joke and I get modded "+5 insightful". Mod the stupid comments "funny", not "insightful", please.
I know this is a little bit off topic but how are you planning to replace collaborative services like groupware? There aren't any really good F/OSS groupware alternatives. The ones out there are really crippleware and you have to buy licensing to get at the good stuff. I guess SharePoint is easier to replace with an open source CMS.
It would help to have more information on what you want to lock down. If you want to prevent people from running as administrator and being able to install whatever they want, that's built in to Linux with the permissions set. Set up a user template for the different users you need, with different permissions for the directories, create groups and assign them to those directories, and things are limited.
And using NIS+ for managing the users, you can set up users on one main server with mirrors, have user space and environment be loadable on various desktops with a common file system, and other nice things. The problem with NIS is security holes, but I believe later versions have addressed some of those problems; if not, I'm sure someone will comment accordingly.
I used to be an adult but then I grew up.
Perhaps you might re-examine the need to treat your desktop users like wayward children with forcible policy constructs.
Nothing is quite so onerous as some entity who believes they have possession of the one correct answer formula to which all must subscribe.
Network system and package management tools:
http://www.canonical.com/projects/landscape/landscape-tour/
I remember an article about KDE's long term strategy to be just that: an enterprise ready Desktop with fine grained policies, central administration and all the fluff that makes windows enterprise-ready and the de facto standard for the desktop.
Today, we have a colorful disaster that isn't even as usable as its predecessor. Developers should have focused on the need for an enterprise desktop that could actually make a dent in MS corporate sales. Instead we got useless eye candy.
The fault, of course, lies with the big distributions that pride themselves on providing enterprise ready Linux. Enterprise sans le Desktop. Useless wanking. The requirements for an enterprise ready desktop are out there for anyone to see and it's not just "applications" as everyone usually points out. It's the ability for administrators to create and maintain a usable desktop according to official corporate policies. No more and no less.
locking down Linux terminals to comply with company policies
Sooo, what exactly ARE these company policies?
You know, as much as I agree with you, I wish it were not so.
More and more things are getting tied to a computer. Back in the early 1990s, a computer was generally used for number crunching and document managing. People (generally) did not use a computer to listen to music, watch a movie, meet people, or to stay in touch with one's friends.
Now people are using computers for all of these functions. It's important that things we need for daily living in the 21st century are not controlled by a single corporation with a known pattern of abusive behavior. Microsoft's latest abusive behavior--suing TomTom for having FAT32 support on their device--shows that the only thing stopping Microsoft from abusing their monopoly are antitrust laws and community activism.
This is why Linux needs to fix the issues that make Linux not a suitable desktop for end users, or why one of the other possible open-source desktop OSes (Haiku, Syllable, etc.) needs to become a suitable end-user desktop.
I use Windows right now instead of Linux because I don't feel Linux is ready for the desktop, but most of my partitions for "extra data" are formatted using the second extended filesystem (Linux's "base" standard file system) and read in Windows using ext2fsd because I don't want my data to be held hostage by Microsoft patents.
So, yes, I really want Linux to succeed.
- Sam
What's wrong with that?
That's a Microsoft paradigm, born from forcing the square peg of multi-user shared resources onto a single-user-owns-the-world system. Linux and other Unix operating systems were designed from the ground up to be secure multi-user operating systems. (And all you Microsoft-paid astroturfing fanbois who want to dispute that can FOAD. Just look at the mess that's UAC and the need for Microsoft to break it for their own use.)
Just set up default menus, and if a user mucks them up blow away the .g* (or whatever) configuration files/directories in the user's home directory.
Because anyone who knows what they're doing can run "unsupported" apps on any computer they can log onto anyway.
And that stops users from downloading and running applications how?
There is a lot more to locking down desktops in enterprises than not giving users admin rights.
Ya, NO linux based company would EVER do something like that.
www.redhat.com
What's Ubuntu's LTS support? 5 years? And how long has XP been supported? Right...
Have you had a look at Novell's Zenworks suite? Zenworks
Ryans Tutorials - A collection of technology tutorials.
Windows is more "enterprisey" than Linux, and that's bad... for Linux?
Don't forget to put the cover sheets on your TPS reports.
There's no -1 for "I don't get it."
Mod parent UP. The OP is thinking about it wrong: i.e. how to manage Unix in the style of Windows. Don't give them root and they can't install software. Make sure the home directories and /tmp are mounted noexec and there is NO WAY that they can run programs which aren't already installed.
Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.
You can create an RPM to do this for you, then set up the whole thing automagically using Red Hat's or SUSE's tools (one is called kickstart). I suspect it is straightforward on Debian-based systems, too.
If you have the autoupdater running (good for security), then update the setup RPM, put it in your local repository, and sit back as all the desktops get updated with new settings.
Alternatively, you can bodge it with shell scripts and a cron job :-)
SJW n. One who posts facts.
Eat my shorts.
The user "twitter" is a twitter sock puppet. Notice the peculiar misspellings.
Your pain starts when you have professionals (engineers, accountants, draftsmen) in the office that need planning or specialised applications. I wouldn't touch that with a 10 foot pole.
If you mod me down, I will become more powerful than you can imagine....
Unless users are only given a restricted shell, what prevents them from writing applications in shell script and running them?
It's either a kiosk or a fully functional Universal Turing Machine...
so much as the windowing environment. Surely kde or gnome could come up with a particular recipe that hit most of the major requirements. Maybe even have a stab at working with an AD server to download its own group policy.
Nullius in verba
...we just used a script that called useradd pointing to the appropriate skeleton directory and then called chown/chmod to keep people from modifying the rc files in their home directories.
Really smart users can probably find a way around this. But then at a company I used to work for, we could never lock down Windows NT to keep the shop floor mechanics from setting the wallpaper to a Pamela Anderson, Tommy Lee photo. So I guess it's all relative. You may need users that are dumber than a high school dropout welder.
Have gnu, will travel.
You feel Linux isn't ready for the desktop, or Linux isn't ready for your desktop?
http://sourcemage.org/ - Have fun
Is he just looking for some windows-GUI-admin-tool for linux? Then he should just hire someone who knows something.
You must be new here. A good 95% of all AskSlashdot questions could be answered by saying "just hire someone who knows something."
While it is an accurate answer it's also interesting to see some of the ideas that get beat around. Who knows, this series of threads may spur someone to start a project that has real impact on Linux as an enterprise desktop OS.
Dedicated Cthulhu Cultist since 4523 BC.
For those of us who aren't in big corporate environments... what do you mean by locked down? Ability to map your home directory from the network on login? Keeping systems up to date and free of unauthorized changes? Preventing network access outside of using the company proxy server? Forbidding users from changing their desktop wallpaper?
Seems like each of those tasks is something a little different. For general administration, it seems like you could write a script that would scp your updates to each machine, and use ssh to run them. Networking, some clever use of ipchains to only connect to the proxy. The computers shouldn't allow major configuration changes without a root password, and maybe cosmetic changes could be prevented by changing ownership of the config files to root. There may not be one single gpedit.msc tool, but all the functionality is probably there.
What else is required?
If you imagine the users are school children (a good use of open source) that will try something just because they MIGHT be able to.
Everything from installs, running certain file types, giving access to certain network shares and not others, software allocation, shortcut allocation (for different users having different accessibility of the software on the machine), modification of local drives, the ability to see local drives and the resetting of any of this from a central area.
Windows admins typically need some checkboxes to click in order to give them a sense of authority and accomplishment, along with some buzzword-laden "policy enforcement" protocol-speak to regale their boss with, in order to give the impression that they impart value to the enterprise.
Whether any of it is necessary or actually accomplishes anything in the way of promoting productive work or preventing users from screwing up their systems is completely beside the point.
The only point is to give the impression that the admin is in "control" of the "network systems". The fact that a stray boot floppy or any of a handful of zero-day exploits (or even something as mundane as an end-user hacking around restrictions with links to cmd.exe and rundll) completely undermines their "authority" makes absolutely no difference. To the average pointy-haired-boss, Windows is a bastion of command and control (and therefore productive employees) and their trusty Windows admin is the gateway to maintaining law and order in the corporate environment.
"I assumed blithely that there were no elves out there in the darkness"
Paws... Then they could have Caps Paws...
But, if Puppet offers tiered services, then you can evaluate the... Puppet Tiers (LOL)... Then controlling the employees simply becomes a matter of ... pulling strings...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
I'm not much of a Linux admin, but I have noted that if you have a big beefy .45 in your hand, it gets people's attention and they tend to stay a little more focused on the idea you are trying to get across to them... ..just sayin'
It's actually pretty easy if you approach it in a Unix way.
I've worked in this sort of setup with Solaris. We had a pile of geologists - scientists who couldn't work computers - with super-powerful Solaris workstations.
Their logins were served via NIS. Their home directories were served via NFS. The application directories were served via NFS. The machines ran the software locally, but it was loaded from the remote directories. Their home directories were backed up reliably. Any machine could be jumpstarted at any time, on the rare occasions we needed to tweak the local OS. Anyone could log in at any machine and have THEIR environment.
The most annoying part is that no machine used more than a few gig of disk (for Solaris 8), so we had hundreds of gigs of unused space. We'd make it into scratch disk for those who asked nicely. "This is NOT recoverable or backed up. It could be DELETED IN AN HOUR." Of course, some bozos kept stuff there for weeks and complained when their machine failed that we hadn't backed it up ...
So, precis:
* Apps over NFS
* Homes over NFS
* User logins over NIS
* Jumpstart/Kickstart all boxes.
http://rocknerd.co.uk
Have you tried this: http://www.canonical.com/projects/landscape There is a 60-day trial. In our group's testing, it had most of what was needed to keep a set of Ubuntu boxes running, though there was a need for some custom scripting to get machines into and out of the management environment for the total lifecycle. You also will likely need a Tripwire or other file permission monitoring cron job, to make sure that USB/CD boots of the machines do not allow file ownerships to be reset. Ideally, you'd like a configuration script you could run weekly, to whack a machine back into the desired configuration -- and flag machines that keep being moved out of the org's desired config by "creative" user actions. 'Hope that helps. RAH
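As an added example (not code from the thread, and not part of Landscape or Tripwire), here is what that weekly "whack it back into the desired configuration" check could look like in plain sh: a manifest of the owner and octal mode each managed file must keep, a function that reports every entry that is missing or has drifted, and a fix mode that restores the recorded state. The manifest format, the sample paths and the use of GNU `stat` are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a weekly drift check for a
# workstation image. A manifest lists files with their expected owner and
# octal mode; check_drift reports each entry that is missing or differs and,
# given a third argument "fix", restores owner and mode. Manifest format,
# sample paths and GNU stat are assumptions of this example.

# Constructed sample manifest: <relative path> <owner> <mode>, one per line.
SAMPLE_MANIFEST='etc/profile.d/corp.sh root 644
etc/sudoers root 440
home/alice/.bashrc root 644'

# check_drift ROOT MANIFEST [fix]
# Prints "<path> missing" or "<path> expected=<owner>:<mode> actual=<owner>:<mode>"
# per drifted entry; silent when everything matches. Always returns 0 so a
# cron wrapper can count the lines and alert on machines that keep drifting.
check_drift() {
    root=$1; manifest=$2; fix=${3:-}
    printf '%s\n' "$manifest" | while read -r rel owner mode; do
        [ -n "$rel" ] || continue
        path="$root/$rel"
        if [ ! -e "$path" ]; then
            printf '%s missing\n' "$rel"
            continue
        fi
        actual=$(stat -c '%U:%a' "$path")    # GNU stat assumed
        if [ "$actual" != "$owner:$mode" ]; then
            printf '%s expected=%s:%s actual=%s\n' "$rel" "$owner" "$mode" "$actual"
            if [ "$fix" = fix ]; then
                # Restore the recorded state; chown to another user needs root.
                chown "$owner" "$path" && chmod "$mode" "$path"
            fi
        fi
    done
    return 0
}

# Stand-alone demonstration in a scratch tree owned by the current user
# (chown to root is not possible without privileges).
demo_drift() {
    me=$(id -un)
    tree=$(mktemp -d)
    mkdir -p "$tree/etc"
    printf 'export EDITOR=vi\n' > "$tree/etc/corp.sh"; chmod 644 "$tree/etc/corp.sh"
    printf '# tampered\n' > "$tree/etc/sudoers";       chmod 666 "$tree/etc/sudoers"
    manifest="etc/corp.sh $me 644
etc/sudoers $me 440
etc/missing.conf $me 644"
    echo "--- first pass: report only"
    check_drift "$tree" "$manifest"
    echo "--- second pass: fix, then re-check"
    check_drift "$tree" "$manifest" fix >/dev/null
    check_drift "$tree" "$manifest"
    rm -rf "$tree"
}

demo_drift
```

Run from cron with the real root (`check_drift / "$(cat /etc/corp-manifest)"`) and mail any non-empty output; the machines that show up week after week are the ones the post wants flagged. Ownership checks matter here because a boot from USB/CD can reset them while leaving modes untouched.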
Want to lock stuff down? Don't give users root.
Knowing what policies they're talking about might be helpful because I had the same question. What policies would require root level access? White list the proxy. Backups, share drives, printing...we have all those services on our Linux desktops. We can remote in and install any software they need...??? What policies can't be handled by a user account?
Maybe I've been away from Windows networking too long, but I can't think of why you'd need to do this.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Sounds like you want FreeIPA. Currently it only supports identity management, but according to the roadmap, version 2 should be out in April/May sometime and will support policies and auditing....
http://freeipa.org/
I suspect that a lot of the people responding don't have a lot of experience working with GPO and active directory, for instance. In a *nix solution, the OP would need:
1. User management. This means a centrally managed server where you can query and change all user attributes and permissions. This means from this central server, you would be able to activate, delete, or inactivate a user across the enterprise with one click.
2. Active Directory Services equivalent. A carry-over from part 1: instead of using local /etc/passwd and /etc/shadow, it has to utilize a central logon system. Passing huge lists of users/passwords around to every workstation, even over secure tunnels with cron, is bad form. And it will not update automatically whenever a change on the server mentioned in point 1 is made; you'll have to wait for the next cron / push.
3. Granular control of users. Consider two users logging into one terminal. One user has unfettered outbound network capability, for instance this user can create smb connections, connect to ssh services on other machines, and browse the net. The second user should have GUI access to applications only and not be able to browse the web, but can create smb connections to allow file sharing.
Something like the above... it's not a simple matter of protecting the system, but the ability to segregate users with a central management system.
If you're not doing this anyway, your network really doesn't have any policies on it.
You can set up local machines to "just work" for the users, even offer some level of prevention of idiocy of them messing up the settings, but essentially you need the locking down to be done in an environment that you have control over, i.e. Switches, Servers, etc.
Of course it would help if we actually knew what "locking down" you were attempting to achieve. Pretty much the only things I can think of that might need to be done at a machine level are really "childproofing" stuff like forcing a user to have the company background, and making them have a set web page as their home page. All the rest can be done with securing your network, installing the correct programs and not letting the user have sudo/root.
Master password with automated ssh shell scripts solved this problem with a recent 10000+ Linux client installation. One ISO image deployed with work applications, one server to rule them all.
Don't deploy Linux/Windows/Mac unless you know what you're doing.
Enjoy.
Personally I think that there is a profound difference in computing culture between the M$ corporate and the POSIX environment. Because of the nature of non-academic organizations and the overabundance of people who either know too little or too much for their own good, M$ corporate IT policies are built on mistrust of the user and protection of the company's expensive resources, which happens to include employee time. That would mean that giving users just enough rights so that their actions won't harm the operations of the system isn't good enough. I have customers who want to control how data is being copied out of the system - while giving the user full rights to edit the same data. "Copy", it seems, is not the same as "read access" as far as how companies want to use data is concerned. But then again, that's a problem on an M$ platform as well...
SELinux, ACLs, custom repository, AutoFS, and SSH for remote management. Done.
If it's cheaper to stay with a Microsoft-based infrastructure, then stay with that. Creating massive infrastructure-wide group policies that go from desktop to web browser is sort of a windows thing. If you're going to maintain security policies in a linux-based system, you better be prepared to start thinking in Unix- that means remembering that you're using a network-based system, not a locally-oriented system on a network.
If you're setting an IT infrastructure, the costs you're cutting on licensing will probably bite you in either support, security, training, or usability/productivity. There's no such thing as free software, I'm sorry.
CFEngine can be used to enforce IT policies on UNIX desktops, servers, etc.
It's free and works quite well. All of the large enterprises I've ever worked on use this extensively.
http://www.cfengine.org/
Why not use LTSP? That way you only have to worry about whatever image(s) you keep on the server.
Better yet, use LSD! Then all you have to worry about is why those images are talking to you.
Anybody want my mod points?
http://nvd.nist.gov/chklst_detail.cfm?config_id=58
Unless users are only given a restricted shell, what prevents them from writing applications in shell script and running them?
It's either a kiosk or a fully functional Universal Turing Machine...
Well, one way to do this is to mount the users home / groups with the noexec flag. Only the system partitions should be mounted with execute permissions, and the users shouldn't have any write privileges on them.
Ever stop to think
Normal business is when a virus spreads. Scanning for viruses is not a bad thing and performance should not trump security. This is called being pro-active, which is ideal when dealing with computer security. Only scanning for viruses at night is called reactive, which is bad when dealing with computer security.
Also, the IT department is responsible for the network and security of the network. If they make a policy that no linux machines can be on the network then what is the issue? Tight control over computer resources by IT staff is certainly best practices for a secure network.
Granted, Linux desktops are more likely to be safe than Windows desktops, but administration time is also very important. Centralized policies such as a Windows Domain are much easier to manage than a hodgepodge of various desktops with no way to enforce policy.
Your idea that Microsoft hires trolls to submit questions to Slashdot holds up for no more than approximately 3 seconds.
Agreed. I am quite at home with bash scripts and can do a ton of mischief on a wide open Linux desktop. How about denial of service attacks from within the network? How about creating a local email relay by creating an ssh forward and connecting out? Think you can block it? How about running ssh over 443 so that you can skip the firewall?
noexec doesn't prevent: perl ./some_script_here
The point is, you can lock machines down reasonably well just by not giving out the root password. Sure, a user can mess up her home directory, but she can't damage system directories.
Groovix is based on Ubuntu, has a single point of control, and is designed for public computers so it has lock-down capability. It is open source and could probably be modified to do exactly what you need.
It does if you don't give them exec privileges on perl. Or anything under their home dir....
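The noexec caveat in this exchange (a noexec /home stops `./script` but not `perl ./script` unless the interpreter itself is closed off) and the earlier "Mod parent UP" advice (home directories and /tmp mounted noexec, executables made a-rx g-rx with users kept out of the group, nobody in sudo) can be checked with one small audit. This is an added example, not code from the thread: it parses a mount table and a group file passed in as text (constructed samples are inline, so it runs offline) and inspects the interpreter's permission bits with GNU `stat`; the sample mount lines, the group names sudo/wheel and the stand-in perl path are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread: an audit for the three controls
# the posts above describe. It checks that /home and /tmp are mounted noexec,
# that interpreters are not world-executable (the "a-rx g-rx" approach, which
# closes `perl ./script` too), and that no ordinary user sits in sudo/wheel.
# Mount table and group file are read as text so it runs offline against the
# constructed samples; on a real host pass "$(cat /proc/mounts)",
# "$(cat /etc/group)" and the real interpreter paths (assumed platform: GNU).

# Constructed /proc/mounts sample: /home is noexec, /tmp is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# Constructed /etc/group sample: alice was never taken out of sudo.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
wheel:x:10:
users:x:100:alice,bob'

# mount_has_noexec MOUNTS MOUNTPOINT: succeeds when MOUNTPOINT carries noexec.
mount_has_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "noexec") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# admin_group_members GROUPFILE: prints every member of sudo or wheel.
admin_group_members() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sudo" || $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# world_executable FILE: succeeds when the "other" execute bit is set
# (stat -c '%A' prints e.g. -rwxr-xr-x; GNU coreutils assumed).
world_executable() {
    case "$(stat -c '%A' "$1")" in
        *x) return 0 ;;
        *)  return 1 ;;
    esac
}

# audit_workstation MOUNTS GROUPFILE INTERPRETER...: prints one FAIL line per
# finding and always returns 0 so the caller can count the lines.
audit_workstation() {
    mounts=$1; groupfile=$2; shift 2
    for mp in /home /tmp; do
        mount_has_noexec "$mounts" "$mp" || printf 'FAIL %s is not mounted noexec\n' "$mp"
    done
    for u in $(admin_group_members "$groupfile"); do
        printf 'FAIL %s is in an admin group (sudo/wheel)\n' "$u"
    done
    for interp in "$@"; do
        if world_executable "$interp"; then
            printf 'FAIL %s is world-executable\n' "$interp"
        fi
    done
    return 0
}

# Stand-alone run: a temporary file stands in for /usr/bin/perl.
tmpdir=$(mktemp -d)
perl_stub="$tmpdir/perl"
: > "$perl_stub"
chmod 755 "$perl_stub"
audit_workstation "$SAMPLE_MOUNTS" "$SAMPLE_GROUP" "$perl_stub"
chmod 750 "$perl_stub"   # the post's fix: group-only execute, users not in that group
audit_workstation "$SAMPLE_MOUNTS" "$SAMPLE_GROUP" "$perl_stub"
rm -rf "$tmpdir"
```

Against the samples the first pass reports /tmp without noexec, alice in sudo and a world-executable perl; after the chmod only the first two remain. The same checks belong in whatever image or kickstart post-install step builds the workstation, so a machine that drifts is caught on the next run rather than by accident.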
There are ways.
Install all the computers from the Ubuntu Server disk, so no games get installed by default. This will give you a basic command-line-only working environment. Then, install only a desktop environment and all the programs you need, nothing else. If you must use the desktop installer disk, you can simply uninstall all the games. After that, simply remove the users from the sudoers group, keep the root password secret and cryptographically secure (ideally a 60-character randomized string from /dev/random), and no one will be able to install any games or anything.
I understand that corporations want this as a requirement. It's inherently impossible to get right, just like GPO is.
If, on the other hand, you only care to inconvenience your more clueless end users, no problem.
a programmer. So, i'm thinking STTNG Technobabble.
The real solution is to create in the next releases of Linux the requisite hooks and sockets and desktop and user controls that are powerful in and of themselves, but install a minimalist desktop.
When users (home or corporate) want to install non-compliant apps, then force the user into a sandbox (maybe a virtual machine?), deny full functionality, and deprive writing to the hard drive. But, also deprive writing to ports and attachable devices or network paths, too.
This would force users to SCREAM at the developers. This would then separate the cruft of apps from the productivity apps. Channels or pipelines for wishlists and demand lists would rekindle the Open Source development cycles into more coherent, unified, productive activity. Right now, we just have boatloads of apps of dubious broad value, but certainly of value to someone or some-few.
If the apps in high demand are more corporate in nature, then these need to be touted before, during, and at full compliance. Fighting Microsoft on this front is not sensible until and unless IT directors have no sensible room to argue. Some here say without root the users cannot install apps. Excuse me? I'm not root, and I am able to install some apps, albeit in my own directory. I am not an admin, and lately haven't investigated depriving myself of install capability, but, honestly, isn't it possible to install apps in a system even if the user is not part of the root or similar groups?
Just to learn this myself, I will set the system (mine is Mandriva 2009 Free) to maximum and remove the test user from any privileges that are apparent to me. Again, not being an admin-grade person, I might be able to figure out .skel, but if I were a small mill or machine shop manager who is semi-savvy, I should be able to read provided documentation, and the distro should provide more sensible, understandable, meaningful tools.
In theory, it should be possible for someone out there (programmers?) to create scenario/discovery tools (some exist, some are undersupported) so that small shop IT-hat-wearing managers can:
-- inventory their devices/nodes
-- apply communications limitation (inbound and outbound)
-- test those by trying basic attacks
-- test those by simulating internal user attempts to circumvent admin-imposed limitations
-- viewing results of the system/LAN/WAN/VPN check
-- (fill in your favorite, righteous concern/s)
Does anyone make a distro that is designed to forensically probe one's own network from outside but includes plugins that identify the probing machine as a legitimate unit of the network being tested? (YESSS, I've visited Linux.org...) This would alleviate needing to pre-notify the ISP not to unnecessarily monitor or shut down the traffic, and not to report them to the police.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
The problem that the poster put forward is a serious one. I must say I have no solutions for the poster! Sad indeed.
But what is troubling is the fact that the first 61 comments offered *no* solution to the problem at all! What does that say about us slashdotters?
Many of us are Linux advocates. My first thought for him was KDE's Kiosk tool. It turns out he knew about it and it does not meet his needs.
Let's be serious on this matter...please. By the way, there is money to be made in creating a tool to accomplish what he wants done. Extending KDE's Kiosk Tool to do the job should not be hard.
By blocking them out of root access, they can't download a package like a .deb or an .rpm & install it. If they somehow manage to figure out how to download and compile a tarball, all they can install it to is their own home directory. I'd say, best way to do it is make sure they don't have compiler access. So, take them out of the sudo users group.
Understanding the scope of the problem is the first step on the path to true panic.
Not true.
Sure, they can write stuff in shell. Now, what are they going to do?
If you've set up the firewall nicely you can stop outgoing stuff as well as incoming. You can restrict access to interpreters like perl and compilers for other languages. You can stop them running stuff out of home and force it to be data-only. Hell, if you use SELinux you can allow particular executables to run/access particular files and not allow anything else to.
Make an image, have it retrieve new rules when needed, away you go. Hell, if it's debian/ubuntu base you could set up your own package repository for security policies.... Now I'm getting into complex territory, but this stuff is all possible.
Not to say it's necessarily easy, but UNIX admins have been carefully guarding the rights to things and restricting user privileges for at least a decade longer than windows existed, it's a solved problem.
Turing machine it may be, but you don't have to give permission to access resources for it to be a Turing machine, just provide a mathematical way to solve any given (solvable) problem.
The solution to this is really easier than everyone makes it out to be... and is super cost effective. DHCP PXE boot all your desktops off of an NFS root filesystem. I did this at my old job with RedHat Enterprise 4 and 50 clients and it works wonders.. at 50 clients we had no speed problems, any more than that and make sure you're investing in Gigabit NICs... or segment your network into multiple DHCP VLANs with multiple PXE servers (one for each department works nicely.) There is only one filesystem to manage.. and installing software couldn't be easier. What's neat is when the server needs an emergency reboot and everyone's desktops freeze up until the server comes back online... then everything returns to normal :) talk about ultimate control.
I'm glad this question came up. I read somewhere that 2009 was going to be the year of Linux on the desktop.
I Heart Sorting Networks
Locking Down Linux Desktops In an Enterprise?
We leave our security in the hands of Mr. Worf.
I work for the Department of Redundancy Department.
Couldn't be as easy as adding to fstab to automount the certain departments directory or adding the network drive to grub then setting auto login
When we see men of a contrary character, we should turn inwards and examine ourselves.
One word, Bigfix
How's about I set up iptables to disallow any incoming connections then?
That would slow your relay down. And how are you going to DoS when you don't have access to netcat, any compilers or interpreters? Hell, I could stop you even running an xterm...
You can do any/all of these things from windows too. I have yet to see a machine that could do anything useful at all that I couldn't also download and then run PuTTY on.
Scanning for viruses should not trump user education. The IT commonsense to not dismiss every damn prompt or to assume that the AV will catch everything does not apply to the regular public. Even at a techie level, most of us are still doing things we know we shouldn't.
Quick raise of hands, who's reading all this on an admin rights enabled account right now?
"Common sense will be the death of us all"
Try disabling USB and removable drives, and maybe fire whatever morons can't be trusted not to fuck up a simple PC or burn time surfing Ebay.
IMHO, if your company needs to lock computers down that tight, your employees must be a bunch of fucking chimps.
Or possibly management is control freaky in a very Stalinist kind of a way.
Either way, I'd probably not like working there. Sorry if you don't find this helpful, but company policies like this are one of the major reasons I'm self employed.
Okay, you do for a bit, but I think that you are kind of missing on the way we think about this kind of stuff...
I have a fully working environment for this. Granted, my guys use Window Maker and a couple of Java apps, no flashy stuff nor a lot of apps, but a very specific setup. This makes things simpler.
All in all, you can say you have these GPOs in place and that they work, and for some cases they surely do, but most big shops I know, even while having MS AD, have to distribute Ghost images for most important policies anyhow.
Now, to the point, how do we do this? Well, it takes some knowledge of your desktop tech, but you can concoct debs that would run scripts for whatever stuff you need to config in the boxes (I do it with rpm based distros), distribute only locked down clients (no root access for the lusers, please!), and presto, you're good to go.
Well, "presto" doesn't cut it: you will need to really know how to config gnome and to thoroughly test in-house for any change you want to distribute, but once that is done, you simply put a deb in a dir and it will be autoinstalled by the cronjob you set up in all boxes.
Now, in Red Hat Enterprise, this is sort-of automated using RHN Satellite. This starts at 5000 USD for small setups, and goes all the way up to 13k and 20k if you count in services, but for some stuff it might be worth it (you can BMP boxes and stuff with that).
Another, simpler way, although that's "cheating", is to consider thin clients: much less stuff to push around.
There, hope that was helpful.
NO SIG
Goes without saying that if you've got specialised applications that will only run on one OS that you use that OS, really.
I find it genuinely funny that not so long ago people would have made that argument for SGI or other big commercial UNIX workstation vendors over MS Windows...
And that was the point of the story. Where are the tools that make this as easy as it is on Windows? Sure, it is possible - it is just prohibitively expensive compared to the alternative.
What about Ubuntu?
"I like it when the red water comes out.."
I can't help but laugh...
and the obligatory "I told you so!"
OS X???
No, coming only seven minutes after your post it's probably you, reduced to shilling your own posts in AC mode, because the score of an anonymous coward is higher than all your sockpuppet accounts, which post at -1 by default. So with an AC post under it, you actually call attention to your already buried musings.
Speaking of sockpuppets, the actual "warning" posts appended to your comments always include this link, which is conspicuously missing from your AC post as well.
No need to thank me, I'll be here all week.
Something simple like LDAP, which will give you network/system wide user management, and Puppet, which will give you system management, should let you be able to do everything you did with AD containers.
Just like with AD domains and forests, it's important to take your time in prepping and testing your setup before deployment, to avoid a lot of headaches and crabby users.
Mainframe... group policy...
ROFLMAO!
Is he afraid of people with root access messing up stuff on the computers -- his answer should be found with SELinux policies.
Next question: How do you manage SELinux policy on 300+ computers? Oh right, set it and forget it + ssh for loop. Good luck with that.
My windows shows porn just fine... what else do you need it to do?
You start working on the network level and assuming users can and will break your security.
Put users in groups on an LDAP/Active Directory server. 'sudoers' have root access, others don't. 'fuse' has access to run fusermount to mount FUSE file systems. Users in a certain group can access removable media, users in other groups can't.
You used to be able to force users to use a proxy server on Windows. This was a lie; Portable Firefox ran just fine. Removing execute permissions on removable media, /tmp, and /home stops this from happening on Linux. Further, you can use a transparent HTTP proxy (Squid and some fancy firewall settings) to force all connections across Port 80 through any proxy server of your choice; welcome to actually securing your network. You could also firewall outgoing connections not using your SOCKS5 server, forcing users to (gasp) leave the proper firewall configuration in place or not use the Internet!
A lot of what "Group Policy" does is limit applications by configuration. A lot of this can be evaded by the user. The only other thing you need (which we really, really need) is the ability to push out software profiles and force packages to be installed/upgraded, so you have machines with whatever apps you do/don't want on them. The other useful component is basic system-wide configuration, which users shouldn't be able to edit on their own anyway (don't believe it-- being able to force this is actually useful, but also auditing the changes that shouldn't be happening...).
Support my political activism on Patreon.
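The egress side of the post above (firewall off everything that does not go through the proxy) as an added example, not from the thread: a generator for the OUTPUT chain plus a summary of the denials it logs. The proxy address, port, internal range and the kernel log lines are constructed values, not from any real network.

```shell
#!/bin/sh
# Added example, not from the thread: an egress allow-list that lets a desktop
# reach only internal services and the corporate proxy, plus a summary of the
# denials it logs. Proxy address, port, internal range and the log lines are
# constructed values, not from any real network.
set -eu

# egress_rules PROXY_IP PROXY_PORT INTERNAL_CIDR -- print the iptables
# commands for the OUTPUT chain (nothing is applied here).
egress_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
# Loopback and replies to connections already accepted.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal services the desktop needs: DNS, LDAP/Kerberos, NFS, package mirror.
iptables -A OUTPUT -d $3 -j ACCEPT
# The only road to the Internet is the proxy; a browser pointed elsewhere,
# or a portable one carrying its own settings, simply gets no connection.
iptables -A OUTPUT -d $1 -p tcp --dport $2 -j ACCEPT
# Log refused attempts with the owning UID so they show up in syslog.
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "egress-deny: " --log-uid
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# apply_egress PROXY_IP PROXY_PORT INTERNAL_CIDR -- apply the rules (as root).
apply_egress() { egress_rules "$@" | sh -e; }

# egress_denials LOGFILE -- count logged denials as "UID DST COUNT" lines,
# which is what the helpdesk wants when a user asks why "the Internet is down".
egress_denials() {
    grep 'egress-deny:' "$1" | awk '{
        uid = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (uid != "" && dst != "") count[uid " " dst]++
    } END { for (k in count) print k, count[k] }' | sort
}

# Demo: rules for a constructed network, then a constructed kernel log.
egress_rules 10.0.0.10 3128 10.0.0.0/8
log=$(mktemp)
cat > "$log" <<'EOF'
Mar  3 10:01:02 ws17 kernel: egress-deny: IN= OUT=eth0 SRC=10.0.0.55 DST=203.0.113.7 PROTO=TCP SPT=40212 DPT=443 UID=1001 GID=1001
Mar  3 10:01:09 ws17 kernel: egress-deny: IN= OUT=eth0 SRC=10.0.0.55 DST=203.0.113.7 PROTO=TCP SPT=40213 DPT=443 UID=1001 GID=1001
Mar  3 10:02:30 ws17 kernel: egress-deny: IN= OUT=eth0 SRC=10.0.0.55 DST=198.51.100.9 PROTO=UDP SPT=5000 DPT=53 UID=1002 GID=1002
EOF
egress_denials "$log"
```

The internal range is allowed wholesale so that DNS, directory and NFS keep working; the REJECT rather than DROP at the end keeps a misconfigured client from hanging on timeouts, and the logged UID is what turns a denied connection into something a person can be asked about.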
my partitions for "extra data" are formatted using the second extended filesystem (Linux's "base" standard file system) and read in Windows using ext2fsd because I don't want my data to be held hostage by Microsoft patents.
Your problems are bigger than just Microsoft, and they will only be solved with the proper counseling and medication. Illogical paranoia of that level is only going to lead you further down a path of harm to yourself and those who care for you.
"When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
IMHO, you don't have any FLOSS option to achieve your needs as of now. But in the very near future FreeIPA (http://www.freeipa.org/) can fulfill most of your requirements. The current version (1.2.1) implements full centralized authentication with LDAP backend. But it does not have things like group policies and SELinux support. It's proposed to be there in version 2 which is due in another 2-3 months. Development of the project is very fast and it is very stable software as of now itself. See the road map for version 2, http://www.freeipa.org/page/Roadmap
Looks like OP knows more about Microsoft tools than unixish tools. I find that quite distasteful for Slashdot, and even maybe trollesque.
Many of the things group policy can do have nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.
When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A for Department B".
A lot of this can be done by netbooting the computer and letting it grab its configuration from the filesystems it points to.
The configuration files (mainly in /etc) can contain the default startup scripts for the department's configurations. If you REALLY need to limit what apps the user can run, point to binary and library directories that don't contain anything the user mustn't have.
Move it to a new department? Change the entry for the machine on the DHCP server. No need to pull it in for retweaking.
This also means you don't need to have the OS and apps on the machine's own disk. You have a single copy of each kernel, utility, and library on your fileservers. You can use the whole disk for swap and /tmp. No individual installs. No local copies. Save the disk for stuff where fast access is needed but is all volatile. Meanwhile the cache takes care of unloading the fileservers and network.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The learning curve is *STEEP*, but it pays off in spades. Nothing comes close to the lockdownability of GRSec. www.grsecurity.net
Be Safe! Sleep with a Marine. Semper Fi!
Strawman, strawman, strawman. Why do you keep bringing up ssh in a loop while willfully ignoring puppet and cfengine?
Most hypervisors allow you to discard changes to a disk on restart. If you segregate OS (possibly programs) and data disks then you can use umask and ACLs to restrict execute permission on the data. The user can't add new programs to the OS partition because they don't have permission, and they can't add new programs to the data partition. If they somehow do manage to make changes to the OS then those changes get discarded after every VM restart.
Home directories can also reside on a partition mounted with noexec and access to any script interpreters on the system controlled with perms/acls.
... working for you if they won't voluntarily follow policies. Sure, you need to make sure someone else doesn't take control of the computer from you and them. But Linux doesn't (yet) have any significant virus issue. If your staff do things against policy, there's plenty of other people out there that would be glad to be doing that job, probably for less.
now we need to go OSS in diesel cars
How about building a package for each policy item that uses install/uninstall scripts to make whatever changes are needed, and includes policy-specific config files and putting them into your own repository, then making a package for each policy group that is dependent on the appropriate policy packages. Install the policy group package during your install process and policy updates can be tracked in the regular patch process.
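The "one package per policy item, one metapackage per policy group" idea above, and the earlier post about debs that run config scripts and get auto-installed from a repository, as an added example that is not from the thread: a script that lays out such packages as directory trees ready for dpkg-deb. Package names, the /etc/desktop-policy and /var/lib/desktop-policy paths and the maintainer address are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: build one "policy item" package and
# one "policy group" metapackage as plain directory trees for dpkg-deb.
# Package names, paths and the maintainer address are hypothetical.
set -eu

# write_control DIR NAME VERSION DESC [DEPENDS] -- DEBIAN/control for DIR.
write_control() {
    {
        printf 'Package: %s\nVersion: %s\nSection: admin\nPriority: optional\n' "$2" "$3"
        printf 'Architecture: all\nMaintainer: IT Policy <it-policy@example.invalid>\n'
        [ -n "${5:-}" ] && printf 'Depends: %s\n' "$5"
        printf 'Description: %s\n' "$4"
    } > "$1/DEBIAN/control"
}

# make_policy_pkg OUTDIR NAME VERSION CONFIG_PATH CONFIG_CONTENT DESC
# Ships one conffile plus postinst/prerm scripts that apply and undo it.
make_policy_pkg() {
    pkg="$1/$2"; cfg=$4
    mkdir -p "$pkg/DEBIAN" "$pkg$(dirname "$cfg")"
    printf '%s\n' "$5" > "$pkg$cfg"
    # Listing it as a conffile makes dpkg track local edits on upgrade.
    printf '%s\n' "$cfg" > "$pkg/DEBIAN/conffiles"
    write_control "$pkg" "$2" "$3" "$6"
    # Maintainer scripts are where the "scripts for whatever stuff you need to
    # config" go. Here they only record the policy version in a state dir; a
    # real item would e.g. call gconftool-2 or install a sudoers fragment.
    cat > "$pkg/DEBIAN/postinst" <<EOF
#!/bin/sh
set -e
mkdir -p /var/lib/desktop-policy
echo "$3" > /var/lib/desktop-policy/$2
EOF
    cat > "$pkg/DEBIAN/prerm" <<EOF
#!/bin/sh
set -e
rm -f /var/lib/desktop-policy/$2
EOF
    chmod 755 "$pkg/DEBIAN/postinst" "$pkg/DEBIAN/prerm"
}

# make_group_pkg OUTDIR NAME VERSION "dep1, dep2" -- a metapackage: installing
# it pulls in every item a department needs, and a changed department policy
# is just a new version with a different Depends line.
make_group_pkg() {
    pkg="$1/$2"
    mkdir -p "$pkg/DEBIAN"
    write_control "$pkg" "$2" "$3" "Policy group: $2" "$4"
}

# build_pkg DIR -- produce DIR.deb when dpkg-deb is installed; the tree is
# still reviewable without it.
build_pkg() {
    if command -v dpkg-deb >/dev/null 2>&1; then
        dpkg-deb --build "$1" "$1.deb" >/dev/null 2>&1 \
            || echo "dpkg-deb could not build $1" >&2
    fi
}

# Demo with constructed values in a scratch directory.
out=$(mktemp -d)
make_policy_pkg "$out" policy-proxy 1.0 /etc/desktop-policy/proxy.conf \
    "http_proxy=http://proxy.example.invalid:3128" "Force the corporate HTTP proxy"
make_group_pkg "$out" policy-group-sales 1.0 "policy-proxy"
build_pkg "$out/policy-proxy"
build_pkg "$out/policy-group-sales"
ls -R "$out"
```

Drop the resulting .deb files into the internal repository and the nightly apt-get upgrade cron job the thread describes does the distribution; moving a machine between departments then means installing a different group package, and dpkg -l on the host is the audit trail of which policy versions it carries.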
If the user doesn't need to run perl scripts at all, then the solution is simple both with Windows and Linux. Don't install perl and prevent the user from installing any software (Linux: Mount /home as noexec).
But what if the user needs to run a specific set of perl scripts, and nothing more than that?
I am curious. How would you solve the Perl problem in Windows?
Let me try and predict this one: "[Problem they've randomly had in the last two years and didn't bother to research or bugfix] is the biggest issue in desktop Linux. The developers have lost touch because, for example, [anecdote that offers no valuable bug-ridding information, or even enough to replicate it], showing that [Problem] is still a big of a problem as it was four years ago. I've seen [however instances they've seen it, plus four] instances of this issue in my computer but also in other's, and it refuses to be fixed because Linux is simply put, not user-friendly or stable in the least bit. It's things like these that make me draw the conclusion that Linux is simply not ready for the desktop."
Use LDAP or equivalent for user authentication along with PAM. Give all regular users rbash as their shell and put them in groups that don't have permissions to do anything. Only give sudo to administrators. Run sshd on an off port, disable root login and use DenyUsers, AllowUsers, DenyGroups, and AllowGroups in your sshd_config. Use Cfengine and apt to push configs/updates. Use Open Source Tripwire or equivalent to check for unplanned file changes. Use iptables and if you want set up /etc/hosts.allow and /etc/hosts.deny. Set up an apt-mirror server for all updates and custom packages and configure auto updates. Use apt-get remove to uninstall all the packages you don't need. Stop all unneeded services. Set up a Samba or NFS share and use pam_mount to mount the shares.
If you don't get it 100% at first don't worry. It's easy to make mass changes and tweaks with Cfengine and your apt-mirror.
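Two of the items in the checklist above (sshd_config settings, rbash for everyone who is not an administrator) as an added example, not from the thread: checks written to run over files collected from each desktop, so the same Cfengine run that pushes the configuration can also verify it. The sample sshd_config and passwd contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two host checks for the policy sketched
# above, written to run over files collected from each desktop (e.g. copies
# pulled by Cfengine), so they can be pushed out the same way as the configs.
set -eu

# sshd_value FILE KEYWORD -- first effective value of KEYWORD in an
# sshd_config (sshd uses the first occurrence; keywords are case-insensitive).
# Prints nothing when the keyword is absent.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# check_sshd_config FILE -- one line per failed expectation; returns 1 if any.
check_sshd_config() {
    f=$1; rc=0
    [ "$(sshd_value "$f" PermitRootLogin)" = no ] \
        || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_value "$f" AllowGroups)" ] \
        || { echo "AllowGroups unset: every account with a shell may log in"; rc=1; }
    port=$(sshd_value "$f" Port)
    [ -n "$port" ] && [ "$port" != 22 ] \
        || { echo "Port is the default 22"; rc=1; }
    return $rc
}

# unrestricted_shells PASSWD ADMINS -- users (UID >= 1000, real login shell)
# whose shell is not rbash and who are not in the space-separated ADMINS list.
unrestricted_shells() {
    awk -F: -v admins="$2" '
        BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) adm[a[i]] = 1 }
        $3 >= 1000 && $7 !~ /(nologin|false)$/ && $7 !~ /\/rbash$/ && !($1 in adm) { print $1 }
    ' "$1"
}

# Demo on constructed files.
d=$(mktemp -d)
printf 'Port 2222\nPermitRootLogin no\nAllowGroups staff admins\n' > "$d/sshd_config"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/rbash\nbob:x:1001:1001::/home/bob:/bin/bash\n' > "$d/passwd"
if check_sshd_config "$d/sshd_config"; then echo "sshd_config: ok"; fi
echo "users with an unrestricted shell:"; unrestricted_shells "$d/passwd" ""
```

The sshd check deliberately takes the first occurrence of a keyword, because that is what sshd does: a hardened `PermitRootLogin no` appended at the end of a file that already says `yes` higher up has no effect, and a checker that takes the last value would pass it.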
The amount of people here that just don't get it is truly astonishing, especially for a supposedly IT savvy crowd. IT policy enforcement is not all about locking the users out or preventing them from doing damage. No it is not good enough to have a network policy that prevents them from using the wrong proxy or not giving them access to change programs through a nicely locked down image, no you can't just trust the users to do the right thing or act like adults (many of them don't).
Group Policy lockdown and management is about flexibility and enforcement of a potentially constantly CHANGING policy without the users having to do anything (sometimes idiotic management policy). Today X users need these 10 apps, tomorrow that department is renamed and needs these 15 apps instead and to point off to this proxy server or that printer, next week 4 of those users move to department Y but still keep the same computers and need all the new department's policy, all incredibly simple things to do with Group Policy and incredibly complex without a lot of work with *nix desktops.
It seems people here confuse AD policy lockdown with security, security is just one small part of it and if that is what you focus on YOU FAIL.
A wrapper around perl is one obvious approach.
In Linux/UNIX I just move the machine where I need it and turn it on.
NFS servers will be there (findable using DNS), user information will be in a directory service (NIS/NIS+/LDAP), authentication will be in Kerberos.
Machine is turned on in new location, gets its IP and name from a DHCP server and off you go.
What is exactly the problem???
IANAL but write like a drunk one.
There's no such thing as free software, I'm sorry.
Perhaps some would consider it a small detail, but I think it's noteworthy:
"Free software" does not mean it doesn't cost any money, it means it's unrestricted. As RMS has typed (probably millions of times) before: "Think 'free speech' not 'free beer'" Free software is free because, unlike proprietary software, you have the right to distribute it, modify it, copy it ... You are free to do these things. With a proprietary product, you are not.
Mounting "noexec" makes execution harder but does not disable it. Any scripted language (perl, python, etc.) can still run, and from some, you can execute binaries as well (write a custom perl module that essentially duplicates the linker with dlopen() and you can run anything you want).
If security/absolute control is your goal, you'll need to look at something like SELinux. "noexec" is pretty much useless in a modern system, unless you also remove perl and python (which would mean goodbye yum, puppet, etc.).
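The two posts above (noexec home directories with group-restricted interpreters; noexec alone stopping nothing that an interpreter can run) as an added example, not from the thread: an audit that reads a /proc/mounts-format file and a "path mode" list, so it can be run over data collected from every desktop rather than on one box at a time. The sample mounts and modes are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: an audit for the two points argued
# above. It reads a /proc/mounts-format file and a "path mode" list (as
# produced by: stat -c '%n %a' /usr/bin/perl /usr/bin/python ...), so it can
# run against data collected from 300 hosts; the sample data is constructed.
set -eu

# weak_user_mounts MOUNTS_FILE OPTION -- mount points under home/tmp/media
# style trees whose options lack OPTION (noexec, nosuid or nodev).
weak_user_mounts() {
    awk -v want="$2" '
        $2 ~ /^\/(home|tmp|var\/tmp|media|mnt|run\/media)(\/|$)/ {
            n = split($4, o, ","); have = 0
            for (i = 1; i <= n; i++) if (o[i] == want) have = 1
            if (!have) print $2
        }' "$1"
}

# world_runnable MODES_FILE -- interpreters whose "other" execute bit is set.
# noexec only blocks direct execution of files on that mount; a script is
# still run by "perl script.pl", so the interpreter itself has to be group-
# restricted (chgrp + chmod 750) for noexec to mean anything. Keeping root in
# that group keeps yum, puppet and friends working.
world_runnable() {
    awk '{ other = substr($2, length($2), 1); if (other % 2 == 1) print $1 }' "$1"
}

# Demo on constructed input.
d=$(mktemp -d)
cat > "$d/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0
EOF
cat > "$d/modes" <<'EOF'
/usr/bin/perl 755
/usr/bin/python 750
/usr/bin/gcc 750
EOF
echo "user-writable mounts without noexec:"; weak_user_mounts "$d/mounts" noexec
echo "interpreters any user can run:";      world_runnable "$d/modes"
```

On a live host pass /proc/mounts and the output of stat over the interpreter paths; a non-empty result from either function is the finding the second post warns about, and the fix for the first is an fstab change while the fix for the second is group ownership, not removal.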
Um, take away root access from everyone? Configure the machines to receive updates from a central repository that you control. Define configs there as you see fit.
User education is an oxymoron. Users are not educated and are somewhat uneducatable. They are hired for their skills at a certain position and not for their skills at running a computer. You will always find employees that know just enough to be dangerous. This is one of the 'fools can be fiendishly destructive' things.
And that stops users from downloading and running applications how?
There is a lot more to locking down desktops in enterprises than not giving users admin rights.
You say that like trying to neuter Windows will achieve anything. Unix benefits from the fact that many applications don't need to be "installed". You can "just run them". In fact, Windows apps that have been mutated to run more like Unix apps are a big gaping 18-wheeler sized hole in these allegedly "enterprise ready" large scale Windows deployments.
If you give the end users the ability to "do stuff", they will inevitably find some way to offend some control freak. At a certain level, you don't really want to stop this since this is what PCs have always been for (getting stuff done despite braindead centralized IT policies).
A Pirate and a Puritan look the same on a balance sheet.
Radmind may be your friend for this. I use a Radmind server on Linux machines to push software out to OS X clients. As long as your network has DNS You Can Believe In then you can control by hostname which machines get which software. Many Radmind admins like to use it to control configuration and even do major OS upgrades with it. I'm leery of that and only use it to push out the things that live in Applications, their support frameworks in other directories, Internet plugins, and so forth. I will use it to push out the odd thing or two that can be configured by text file on a Mac.
I can't see really needing it on machines that use RPM or DEB packages. That can be handled by a private repository and simple cron jobs.
This looks like it's going to be a great app by the Fedora folks for centrally controlling and managing machines and users.
http://freeipa.org/page/Main_Page
Summary from the page included below.
FreeIPA (so far) is an integrated solution combining
* Linux (currently Fedora)
* Fedora Directory Server
* MIT Kerberos
* NTP
* DNS
* Web and commandline provisioning and administration tools
Version 1 will focus on
* Allowing an administrator to quickly install, setup, and administer one or more IPA servers for centralized authentication and user identity management.
Version 2 will focus on
* Adding DNS and Certificate Authority to the IPA core
* Allowing an admin to join a machine to an IPA realm
* Providing kerberos principal and cert to the joined machine
* Providing service keytabs and service certificates to services
* Managing the keytabs and certificates once provided
* Plug-in architecture for IPA extensibility. freeRADIUS as a first plugin.
* IPA Client code for managing authentication, authorization, caching, connection
* Policy. Centrally managed sudoers/netgroups, SELinux role based access
* Audit. Centrally collected audit logs from IPA servers and from IPA clients
HP implemented LinuxCOE as part of their solution to this problem - probably driven by the same issues that OP has: http://linuxcoe.sourceforge.net/
I am not a systems admin, simply an end user but I have heard about Ubuntu's (pay-per-user) system management, group policy tool, Landscape. Now like I said, I don't know much about it but it is $150 per seat (I understand) but sounds to me to manage all the above stuff!
There is a free trial, so as you can test it and check it works for you. You get the advantage of using the (in my view) most widely community supported Linux distro which means great (recent) software. This is what I would start with (but I have never done it before and would be learning hard and fast).
like phosphorescent desert buttons singing one familiar song
don't think that kind of common sense is so common on here. lots of times I've seen zealots try to put forward craptastic solutions like wine, rewriting the apps or using some flaky OSS project that doesn't fit the users' needs.
If you mod me down, I will become more powerful than you can imagine....
How do you want to do it? Using telepathy?
ssh *is* the way to do it, this can easily be automated with some basic scripting skills.
One of the reasons Unix has all these mount points is so that various directories can be mounted remotely.
For example to control applications you can just have /usr be on a different partition which you control, not on their local machine at all. Or just /usr/etc. You can have files in /etc link off to files in say /usr/extrastuff/etc.
This is classically why /bin, /usr/bin, /usr/local/bin and /home/(username)/bin are 4 separate directories because they can be mounted 4 entirely different ways. You are trying to solve a problem Unixes don't have.
I am not being glib, but based on your question you lack a fundamental understanding of *nix computing environments and as such it is probably unwise of you to migrate. The basic premise in the *nix world divests the environment from the desktop hardware. The box on/under your desk is nothing more than an engine which will run anything you throw at it (within reason of course). The idea that your physical computer maintains anything in terms of your desktop environment, settings, policies, etc. is flawed. Just where this is maintained is entirely up to you and to the extent that you can, it should be centralized. While you'll get several opinions as to the most prudent way to accomplish this, none of them, if done properly, should in any way mimic a Windows AD environment. What Windows has in terms of AD, SMS/SCCM and the like is an artifact of a poorly designed network computing environment from the get-go. I speak from experience having the SMS/SCCM division of a very large entity (30K+ desktops and servers) under my organizational purview. Interestingly, the *nix platforms are left alone to be all but self-managed because the entire organization knows only how to manage Windows hosts. *nix (not part of my responsibility) seem to be an enigma to most. The nix sysadmins are happy to be misunderstood in this case as they are well aware that if management gets involved, they'll try to manage in the same way as Windows hosts.
"Good luck" locking down CmdrTaco's asshole or "Good luck" locking down the linux desktop?
To start, I'm getting back into the *nix game. I'm impressed with the usability of Ubuntu; possible M$ killer in the workplace if they can make something to drop in for Exchange. As stated above you need to change gears and stop thinking about administration from an M$ mindset. I didn't catch if you were using M$ servers; to be honest I would rather poke my out with a stick than try to figure out how to put Linux clients onto a native M$ network with AD doing what it does. I don't know much about Linux LDAP software structure yet to give suggestions. If I was in your place I would find a consultant that was a hell of a programmer and knew LDAP pretty well and have him work on some open src tool to fit your need.
What you are forgetting is that most companies, especially large companies ARE boring places staffed by a high percentage of mediocre people. Large organizations have a large amount of administrative overhead, and the vetting process is long, convoluted, and inefficient. It's just the nature of the beast.
1) IT staffed by control freaks? Well duh! It's the only way they can appear to be doing something and not getting their asses handed back to them if anything goes wrong...
2) Trust? How much do YOU trust people you know just barely well enough to remember their name? And anytime you get more than 5 people together, they start grouping up and taking sides. Disputes soon follow. Care to guess what it's like when there are 500?
3) Hiring standards? Have you seen who applies to Monster.com ads? As an employer, I can say the domain name is appropriate...
4) Unrealistic expectations... It's often hard enough to simply establish expectations at all.
5) Morale? You want to talk about morale!?!? Large companies spend months rolling out big updates like using actual coffee in the coffee makers at their 2,000 store fronts, or on 6 month programs to get locations to clean their bathrooms. Wait until you spend a man-week working yer ass off because somebody didn't know what 'historic' meant, only to find you didn't need to do anything at all. Then see what your morale is like.
6) Unmotivated employees? Your average wage slave is motivated by a desire to do as little as possible and not get yelled at.
Go work at/for/with some large organizations sometime. You'll see why Dilbert is so popular - not because it's quirky and off-beat but because IT'S TRUE!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I am a teacher with a lab of about 20 workstations running Ubuntu 8.10.
I installed Webmin on the workstations and my computer and use the clustering features. I use likewise-open for AD authentication and Webmin for everything else.
You can create a policy template by configuring one workstation and copying the gconf.xml.mandatory to the administrator's workstation. All you have to do then is use the cluster file copy in Webmin to push your xml file to your clustered workstations. It works for me anyway.
I also recommend Cluster SSH for some tasks that require a shell. CSSH works just like SSH but allows you to send a single command to every machine in the group simultaneously.
Locking Down
Webmin
CSSH
load "$",8,1
The company or the employees?
Sorry but I have a responsibility to keep things working, that means no development primadonna will install his little application without following a procedure that ensures it is safe for the business to do so.
Employees are there to use the resources as given, and of course they can make suggestions about what would make the environment better, but the infrastructure is not theirs to do as they please, they can go home and do whatever they want on their own machines ....
Ever. Period. Done.
I want to delete my account but Slashdot doesn't allow it.
What about locking down linux on the other ships in Starfleet?
I guess that maybe I read the headline incorrectly...
Be kind, for everyone you meet is fighting a difficult battle. - Plato
( don't ask me WHY people code this way, but... )
Years ago, I tried installing or upgrading something like OO.o,
and it WOULDN'T work.
Eventually, I remembered that I'd made all partitions except / /usr & /opt, noexec.
Changing /tmp to exec made that particular install possible.
I wrote to 'em about this, but the gist of it is that:
a) only an idiot would lock down their system that rigorously, and
b) it's a false security, because there's some means of sidestepping it
( something like "exec /tmp/shouldn-execute.bin", and it is run.
again, it's been years,
so I've no idea about the name of the calling thingy,
but I tried it then, and it "worked"...
I just tried "exec", remounting /tmp noexec,
and exec *didn't* work, so either
a) something changed in Linux's implementation of it,
in the last ?5? years ( hell, coulda been any time after '96!, though I don't think it was *that* long ago ), or
b) it isn't "exec", but is some other command, that I'm just failing to remember right, in my ollddd age )
The first caveat still holds, though, even if the second doesn't: some installs are broken by a noexec /tmp.
Cheers,
Wow, that's EXACTLY why I don't use linux! You just hit the nail on the head!
Using specific proxy server: control this via tables in a name service read at boot time and DNS pointing to the different proxy servers in your network.
Limit computers in lab to use X: use a firewall.
You can do all what you are describing but you will need to do some programming. Your scripts become the policy that governs how your network works, this is immensely more flexible and powerful than any solution constrained by what a closed source manufacturer decides to make available to you.
If I were the CIO of a large-deployment corporate environment like that, I'd use something like CFengine and SELinux (the Wikipedia page on Open Source Configuration Management Software is a good starting point), with the users living over secured NFS hosted by a robust server like a NetApp. No user information would be stored on the system, so it can be completely wiped. Users would only be able to write to /tmp, /var/tmp, and /dev/shm, and no applications can be installed outside of your home directory. On top of that, every weekend, the system could be completely overwritten with the new week's image.
Don't spend all your time trying to mimic AD ... there are merits more exclusive to X, for example. This includes things like running applications remotely to conserve on licenses. Unlike Windows, there isn't a long wait time the first time you log into a system (since all your data lives in NFS rather than in folders cached on the local system).
For network policies, lock down encrypted traffic (oh do I hate suggesting that) and use transparent proxies to control data. For unified login, AD is just a souped-up LDAP server ... you could actually use OpenLDAP.
The biggest thing to note is that you should not ask "how do I implement what I had in Windows" but rather "what should I implement to secure/harden the environment?" Windows has some requirements all its own. So does Linux (et al).
Many restrictions are there for a reason.
Certainly some restrictions may be bad decisions, but in no serious company will you have people doing whatever they want with the computing infrastructure of the company paying their salary.
But the poster is so vague that he is not going to get a good answer.
What exactly does he mean by "locking down" a machine, for example?
Where I work, we use DeepFreeze by Faronics.
When a system is "frozen" you can install, modify, do anything -- but when it reboots, the entire system is restored to its pristine state.
It's available for Mac, Linux, Windows.
They have some whitepapers, I believe, on how it works.
With that, and Puppet and other tools, you may be able to accomplish what you need.
Windows Server 2008 :) Took decades, but it got there.
Re: sudo vi conf/file.conf
a) whoever set up that sudo should be fired. Look at rvim
b) anyone who would exploit such a hole should be fired
c) port forwarding wtf
Hire some good Linux admins. Preferably someone fired for violating a policy in the past, because he/she will know all the rules, where the fulcrum of those rules is, and how to lock them down and prevent their abuse.
Prepare to be hated though. No one likes going to school, er, I mean work, to sit in detention all day long.
Honestly, if you go to a client that is serious about security, you will be forced to comply with their security requirements and you will be forced to stick your self-employed aloofness where the sun does not shine, fill in a time sheet and gracefully thank the company that is hiring you.
You're not ready for Linux on your desktop but you're ready to trust your data to an 0.version file system driver on Windows??? Anyway, how difficult is it to copy data from NTFS to a new filesystem should the need ever arise? Your focus is all wrong. The real issue is the applications. There are so many applications out there that are Windows only that don't have a viable non-Windows replacement that it's not funny. Where there is a drop-in replacement it's usually not feature complete. THAT is a much bigger problem. If I moved OS now, it'd be a pain to transfer data to a new FS but it's nothing I couldn't do. I couldn't replace many of my apps though.
These posts express my own personal views, not those of my employer
End-users are not responsible for bug-fixes.
Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
There are programs that did not foresee a situation and that can (and do) affect the infrastructure. Most common are unintended denial-of-service attacks by programs trying to reinvent the wheel (supplanting services like email or directory services with implementations of their own, or making an unreasonable number of requests to one of those services).
It is all great and good to believe that people will follow policies voluntarily; unfortunately, experience shows this is nothing but wishful thinking. Any responsible administrator *must* lock the computers while guiding users in the correct and secure way to approve new applications.
Correct me if I'm wrong, but isn't this what PolicyKit is all about?
Just to reiterate what has already been said by a bunch of other people; *nix was designed for remotely managed systems and untrusted users. Set the home partition and /tmp to noexec, don't give the user write perms anywhere else, script rsync over SSH to manage config updates, similar scripts with rsync/SSH for reassigning a machine to a different department, and make your own gold configs.
I think the reason the OP can't find the software package to do it is because there is no software package to do it; it's built into the DNA of *nix. It is not a single unified application added on top of the OS like Windows, it is everywhere in the OS. Not that there's anything horribly wrong with Windows remote management - they've come a long way in a very short time. But *nix has been doing it since it was born - it is pervasive in the way the OS works.
It does, however, take some getting used to. It's not going to feel like Windows management. It's a pretty steep learning curve too. But it is fun to learn, and when the gestalt whacks you in the head and you suddenly get it you get this involuntary, "Oh Wow" like you've never felt before.
Beware, though - when that moment hits, all hope is lost. You'll be stuck with *nix for the rest of your life. Mac is still acceptable since it's built on *nix, but it just takes all the fun out of Windows. You'll fire up your Windows box to play a video game, and start to notice all the nice little system management tools that you don't have.
I think the point of the G...GP post was that you can't easily push this out remotely, and on Linux you have to write it, support it and debug it yourself, including all the niggly corner cases.
Frankly Windows has some cool Enterprise stuff that makes this easier.
It's worth noting that these policies aren't Microsoft deciding willy-nilly how you will use your computer. It's the Fortune 500+ companies, and their equivalents in Europe, Asia-Pac etc, who have requested this. They have very big wallets. They spend way more on MS than we do. And apparently some dorkwad once determined that allowing users to set their own desktop background wastes time and thus money, so they want to lock things down, protect themselves from lawsuits etc, and ensure they are paying people to work, not skive off typing long comments on /. ...
Ahem. As I was saying.
In these sorts of cases (desktop wallpaper, sound schemes), to me, the benefit is not time and money, it's the ability to avoid a lawsuit because Big Stu the ladies' man in the centre of the office decided to have some porno chick as his wallpaper and porno sounds for new emails et al. And the 30 women around him get offended and sue the company for letting him be a dickhead even though there's a clear policy in place.
This is why I like to be self employed. What? Am I going to fire myself for reading Slashdot during "core work hours"?
It's just too bad, that when a business gets to a certain size, they have to hire real people, and real people just suck.
Because they are both basically "ssh for loop" with a bit of extra scripting? "Go code it yourself" is not a business-viable replacement for your OU-tree and a bunch of preconfigured input boxes like "IE Home Page" and "Mapped Drives"...
That shit is only a couple of steps beyond: "WTF? You've got GCC! What more do you need for a * replacement?"
3laws: No freebies, no backsies, GTFO.
http://seclists.org/bugtraq/1999/Aug/0323.html
The problem with Windows desktops is that even with GPO, and after enforcing Group Policies, you still don't have any way of enforcing policies. Think about it for a while. You can get around anything under Windows, and often it isn't necessary to try very hard.
At the other extreme, try installing a real multi-user operating system in a real multi-user environment. They are totally different paradigms. With Group Policies, you are trying to use a user mode shell with system access to enforce policies. Under Linux, policies can be enforced through the operating system, and the file system it implements. The O/S with the low-level implemented security will always be more secure.
The problem the poster is having, is that you fundamentally can't compare Group Policies with the full security infrastructure of a multi-user operating system. They are two different things. They don't work the same way, and the difference can't be papered over with a cool shell interface.
I use Windows right now instead of Linux because I don't feel Linux is ready for the desktop, but most of my partitions for "extra data" are formatted using the second extended filesystem (Linux's "base" standard file system) and read in Windows using ext2fsd because I don't want my data to be held hostage by Microsoft patents.
So, yes, I really want Linux to succeed.
Storing most of your "extra data" in ext2? Wow, you're really sticking it to the man, aren't you?
(BTW thanks for spelling out what ext2 was for the rest of us, we may not have figured that one out...)
Guess what? noexec doesn't do jack shit on the majority of Linux systems, and does not prevent anybody from running a. You know why? /lib/ld-linux.so.2. (On x86_64, there's also /lib64/ld-linux-x86-64.so.2.)
This little file is in the ELF header of basically every single ELF-format Linux binary, under a field called INTERP (you can see this by dumping a binary with readelf). Yes, even though the executable is a binary, it calls an interpreter to handle all of the run-time module loading. By a really obnoxious design decision in Linux that laughs in the face of security, this library, despite its .so extension, is executable by design and by necessity on every single Linux system in the world. And by passing it the path to a program as its arguments, you can run any binary your little heart desires, whether the filesystem is mounted noexec or not. You can't possibly turn this behavior off unless you have a system with no dynamically linked binaries.
I don't see why this binary couldn't have added a check to see whether or not the program it's passed is mounted on a noexec filesystem, but to this day, it doesn't care.
It's also one of the reasons Solaris guys didn't take the idea of "Linux security" seriously for a very, very, very long time.
Not all is lost, though. SELinux can prevent the system from invoking this directly, outside the context of a freshly-executed process. It just relies on SELinux being properly set up on your systems.
This still doesn't completely fix the problem. On many (most?) systems, a user can still get around this by abusing LD_PRELOAD to preload a library with the same name and same symbols as one being loaded by some arbitrary program they're executing. Then, instead of compiling an executable binary, they're stuffing their code into a library instead and abusing the system's module loader to execute it. (This was the source of Oracle's SA10043 advisory, among others. It's the application's responsibility to validate LD_PRELOAD, especially where privilege escalation can occur.)
It's safest just to assume that if the user can run any arbitrary program the administrator put there, they can also run any arbitrary program the user put there.
If you're looking to make it impossible for people to install unsanctioned programs, you can mount the home directories noexec. That won't prevent things like shell scripts (bash myfile), but it will prevent people from installing binaries. If you have specific users that you trust, then you can give them a writable directory on an exec-capable mount, and (if it's not their entire home directory), symlink that directory into their home directory.
If that's not what you're talking about, then just what kind of lockdown do you require?
Free Software: Like love, it grows best when given away.
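The noexec advice in the posts above comes with the caveat that noexec is a mount option, not a guarantee; the ld.so and LD_PRELOAD points made earlier in the thread mean a clean mount table only tells you the configuration is as intended. What an administrator can still check from a script is exactly that configuration. Below is an added example written for this thread (it is not code from any of the posters): a POSIX shell audit that reads the /proc/mounts format and reports which user-writable mount points lack noexec, nosuid or nodev. The mount table it runs on is a constructed sample; on a real host you would feed it the contents of /proc/mounts.

```bash
#!/bin/sh
# Added example (not from any commenter above): audit user-writable mount points
# for the noexec/nosuid/nodev options. Works on the /proc/mounts format.

# Constructed sample in the /proc/mounts format; not taken from a real host.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext4 rw,relatime,noexec,nosuid,nodev 0 0'

# missing_opts MOUNTS_TEXT MOUNTPOINT
# Prints the hardening options absent from the mount point's entry (space
# separated, empty if none) and returns 0 only when all three are present.
# Prints "notmounted" and fails if the path has no entry at all.
missing_opts() {
    mounts="$1"; mp="$2"
    # Field 4 of /proc/mounts is the option list; take the last entry in case
    # something is mounted over the path.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo notmounted
        return 1
    fi
    missing=""
    for opt in noexec nosuid nodev; do
        case ",$opts," in
            *",$opt,"*) ;;
            *) missing="$missing $opt" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# audit_mounts MOUNTS_TEXT PATH...
# One report line per path; the return value is the number of paths that are
# missing at least one option (0 means the configuration is as expected).
audit_mounts() {
    mounts="$1"; shift
    failures=0
    for mp in "$@"; do
        if m=$(missing_opts "$mounts" "$mp"); then
            echo "OK       $mp"
        else
            echo "MISSING  $mp: $m"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Demo on the constructed sample. On a real host replace "$SAMPLE_MOUNTS" with
# "$(cat /proc/mounts)".
audit_mounts "$SAMPLE_MOUNTS" /home /tmp /var/tmp /dev/shm \
    || echo "$? mount point(s) need attention"
```

Run from cron or a configuration-management post-run hook, a non-zero return value is the signal that a machine has drifted from the gold config; the report lines say which mount and which option. It deliberately checks only the four paths the thread names as user-writable, since noexec on / would break the system.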
That's a good point, but the kind of huge organization you mention will have in-house IT people who can do that anyway, and I still think the advantage of a FOSS platform outweighs the relative lack of ready-to-go deployment facilities.
Any of the major repository systems can be set up in a custom configuration with client machines automatically sucking packages up from a central company repository. Redhat's up2date and satellite systems are especially geared toward this kind of deployment.
If I'm understanding this correctly, you get application installation automation for free with your centralized repository, perhaps automated with cfengine, puppet, or even ssh-in-a-loop.
This is hard, and I'll admit Windows has an edge here, though personally, I feel like that's a little bit about North Korea having an edge in oppression compared to the US; it's not necessarily something desirable.
That said, if you must do something like this, there are ways. Other comments for this article address this point better than I do. For starters, there's kiosk mode "KDE's Kiosk Mode, allows a system administrator to configure all aspects of the desktop for an end user and optionally prevent the end user from making modifications to the provided setup."
Gnome also supports a lockdown system.
And as a last resort, you can always patch the software and distribute the patched version to all your machines.
Even though I've seen some gurus here offering up methods for configuring a desktop so users can't run applications, or install applications, it doesn't touch upon all of the things that Group Policy can do.
Please describe easy ways to do things like this in Linux:
1) Enforce a corporate wallpaper on remote Linux desktops that you can change on the fly in the future.
2) Prevent the user from changing or moving the desktop toolbar, moving icons, or mangling desktop applets
3) Enforce a password policy that asks for a new password every 6 months for one group of users in your environment, 12 months for a different group
4) Allow a list of "permitted" installable applications (and simply permitting an outside repository is not what I'm talking about, I'm talking about a custom list)
5) When a user logs in, install (or share to them) a family of user-specific printers to any computer they might log in to
6) When a user logs in, automatically hide the control panels, regardless of computer -- and when another user logs in with a less restricted policy, the control panels come back
7) At user login, map a network "home" directory to their desktop, put an icon on the desktop, and make it unmodifiable so they can't break it. Have the icon go away when another user logs in (and gets their own "nethome") In fact, fuck it, match the user against certain groups and depending on group membership dump up to 4 custom network location icons on their desktop that will follow them around and not break.
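Points 3, 6 and 7 above share one mechanism: decide what a login gets from the user's group membership, then apply it before the desktop comes up. As an added example for this thread (not code from any commenter, and not a real site's configuration), here is a POSIX shell login hook that does exactly that from a constructed policy table: it computes the strictest password maximum age across the user's groups (for chage -M), decides whether the control panels should be hidden, and rewrites the user's network-location icons, removing the ones the previous user of that machine left behind. The group names, share URLs under files.example.internal and the nethome-N.desktop file names are all assumptions made for the example.

```bash
#!/bin/sh
# Added example (not from any commenter above): a login-time hook that derives a
# user's settings from group membership, covering points 3, 6 and 7.

# Constructed policy table (an assumption for this example; real sites would keep
# it in LDAP or in a file pushed out by cfengine/puppet):
#   group  max_password_age_days  restricted_desktop(yes/no)  network_share
POLICY_TABLE='finance      180  yes  smb://files.example.internal/finance
callcenter   180  yes  smb://files.example.internal/scripts
engineering  365  no   smb://files.example.internal/src
staff        365  no   smb://files.example.internal/shared'

# effective_max_age GROUP...: the strictest (smallest) maximum password age over
# the user's groups, for "chage -M". 99999 (chage's "never") if none applies.
effective_max_age() {
    best=99999
    for g in "$@"; do
        days=$(printf '%s\n' "$POLICY_TABLE" | awk -v g="$g" '$1 == g { print $2 }')
        if [ -n "$days" ] && [ "$days" -lt "$best" ]; then
            best=$days
        fi
    done
    echo "$best"
}

# is_restricted GROUP...: succeeds if any group is marked restricted, i.e. the
# desktop control panels should be hidden for this login.
is_restricted() {
    for g in "$@"; do
        flag=$(printf '%s\n' "$POLICY_TABLE" | awk -v g="$g" '$1 == g { print $3 }')
        if [ "$flag" = yes ]; then
            return 0
        fi
    done
    return 1
}

# shares_for GROUP...: network locations the groups entitle the user to, one per
# line, capped at four as in point 7.
shares_for() {
    for g in "$@"; do
        printf '%s\n' "$POLICY_TABLE" | awk -v g="$g" '$1 == g && $4 != "-" { print $4 }'
    done | head -n 4
}

# write_share_icons DESKTOP_DIR GROUP...: remove launchers left by the previous
# user of the machine, then create one read-only .desktop link per share.
# Prints the number of launchers written.
write_share_icons() {
    dir="$1"; shift
    mkdir -p "$dir"
    rm -f "$dir"/nethome-*.desktop
    n=0
    for url in $(shares_for "$@"); do
        n=$((n + 1))
        f="$dir/nethome-$n.desktop"
        printf '[Desktop Entry]\nType=Link\nName=%s\nURL=%s\nIcon=folder-remote\n' \
            "${url##*/}" "$url" > "$f"
        chmod 0444 "$f"   # the user can delete it, but not silently corrupt it
    done
    echo "$n"
}

# Demo for a constructed user in the groups "finance" and "staff". In a real
# login hook use the user's actual groups: set -- $(id -Gn "$USER")
demo() {
    set -- finance staff
    echo "password max age: $(effective_max_age "$@") days (apply with chage -M)"
    if is_restricted "$@"; then echo "control panels: hidden"; else echo "control panels: visible"; fi
    echo "share icons written: $(write_share_icons "${TMPDIR:-/tmp}/lockdown-demo/Desktop" "$@")"
}
demo
```

The password age has to be applied as root (chage -M needs it), so this kind of hook belongs in a PAM session step or a root-run display-manager script rather than in the user's own profile; the desktop-side settings (hidden panels, the lockdown keys the GNOME posts in this thread mention) are what the restricted flag feeds. Because the icons are recreated at every login, a user who deletes or edits one only loses it until the next login, which is what point 7 asks for.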
The odd part is you're acting like linux isn't inherently secure. While I will grant you, it isn't perfect out of the box, a small amount of configuration can make it very secure for your needs.
You're not dealing with Windows here, where it constantly needs to check in, in order to know what the hell is going on. I would recommend a secure setup of LDAP for account information (pick your openldap flavor, Fedora Directory Server works great here), and a kerberos server for passwords.
I would also like to point out the "commercial" Red Hat Satellite server, or the open/free Spacewalk server to manage all servers at once, like you can do with AD.
YOU'RE WINNER !
Another lame blog
You could use Parallel SSH for remote management. This works if all the machines are the same.
I've never seen anything on Linux that mimics Windows group policy. While you can do many of the same things, it's MUCH harder because the configuration isn't centralized nor is it easily changed.
Some of this was touched on by other posts here - namely that changing a computer's configuration is as simple as moving it to a different OU in AD (usually that translates to a department). For example, where I work we are a seasonal resort. People move quite frequently between departments and jobs and it's essential we can change their configuration without reloading their configuration.
So, firing up gpedit.msc, here's an example of some of the settings you can configure there - keep in mind there's probably THOUSANDS of settings:
Task Scheduler: Prevent Task Run or End
Internet Explorer: Security Zones: Do not allow users to add/delete sites
Internet Explorer: Disable changing proxy settings
Security Options: Interactive logon: Do not require CTRL-ALT-DEL
Security Options: Network security: Force logoff when logon hours expire
Disk quotas: Enforce disk quota limit
Disk quotas: Log event when quota warning level exceeded
Password policy: Password must meet complexity requirements
Devices: Allowed to format and eject removable media
So, sure, you can kind of do some of that stuff in Linux. But what happens when your boss' admin assistant suddenly goes to work in the marketing department and wants to take her laptop with her? Well, I spend about 30 seconds moving her computer to a different OU in AD and everything magically transitions over.
This scales really well across large organizations. For example, you probably want to give users in the corporate office more freedom than the kids in the call center. At the same time, you manage your computers as part of one large inventory, so you don't want to be bothered changing the configuration when you move a computer from office A to office B.
Check this Lockdown and User Profile Editor called Sabayon. It comes included with Gnome. For desktop usage it seems to be what you are looking for.
For the server side, LDAP works on Linux as well as Windows.
The shills don't need to be specifically hired, just encouraged to have a (any) web forum, such as /., open to 'help' distribute the 'facts'.
this way they can do other stuff too.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
think. We know exactly what it's used for.
We also know that in 95% of deployments it can be bypassed trivially and only serves to piss off productive endusers. And in the other 5% of instances, a competent admin is present who can accomplish the exact same thing in Linux with just a bit more effort.
In short, it serves absolutely no purpose other than to give incompetent Windows admins a false sense of security and accomplishment, and Microsoft a legion of loyal bleating idiots willing to purchase their shoddy, overpriced software.
"I assumed blithely that there were no elves out there in the darkness"
All this talk about locking down Linux... While this is a great topic for /. people seem to have forgotten the most important point...
The average windows user couldn't tell the difference between a / and a \ ...
Just start every filename with a . and they'd really be lost!
Permissions are soooo Microsofty.
If a user has physical access to a machine, she owns it. I haven't seen anyone mention this amid talk of locking down systems. Let me elaborate: No root access? Boot to single user, reset root password. You own it. No root access and BIOS password? (varies by platform) Pull motherboard battery/modify amount of RAM (iBook, all Macs?)/remove jumper (most enterprisey Dells). Boot to single user, reset root password. You own it. If people have desktops, as in machines on their desks and in their offices well then they own these machines.
Guess what? noexec doesn't do jack shit on the majority of Linux systems, and does not prevent anybody from running a. You know why? /lib/ld-linux.so.2. (On x86_64, there's also /lib64/ld-linux-x86-64.so.2.)
Oh really? Seeing how mmap(2) requires the PROT_EXEC flag to make segments executable in the MMU, and checks those flags against the mode of the i-node, I found that hard to believe, and gave it a try. These are the results:
These problems were mostly solved long before there was a Windows. Expecting a recommendation of how to do it the Windows way instead of the right way is perhaps more of a venue choice error than anything else.
Help stamp out iliturcy.
Thanks for being intelligent and providing useful answers. Already I have learned about cfengine, bcfg2 and FreeIPA today - all of which look like bridging these gaps. Not that I want them to, really, since effectively Microsoft pays my salary ;-)
Fair enough. For me, the single most useful Windows administration tool is cygwin. :-)
To those of you offering technical solutions: stop. You're wasting your energy.
Any time you see "policy" or "auditing," turn off your brain and channel your inner Bill Lumbergh. These tools are all about generating pretty graphs showing how many computers were checked and had the "IT policy enforced and audited." SOX, PCI/DSS, and other auditors get their jollies seeing reports like this. As long as the software generating the report is a name they know (and, preferably, expensive -- because, you see, expensive means it's good), they'll check that box on their report without so much as a second thought, making your C*O happy.
For all the auditors know, this software could be doing nothing other than generating (fake) reports. For them, it doesn't matter; as long as the other auditors are doing it, it's a "best practice" and their butts are covered.
systemimager can be used to clone lots of machines and they can be configured to reinstall daily
http://wiki.systemimager.org/index.php/Main_Page
Religion is poison to rationality, and we lose sight of that at our own peril. -- Lurker2288
You're even more IT cynical than I am!
"Common sense will be the death of us all"
is it in the manual?
I'm just curious -- Centrify claims to offer Windows group policy management for Unix, Linux, and Mac OS X. Aside from the cost, was there some reason why that wasn't going to cut it for you? Cuz I kinda doubt you'll find a cheaper solution that's more mature...
Breakfast served all day!
The period: 1990 - 1995.
Users loved the free-to-do-what-we-feel-like PCs, versus the locked down UNIX clients and mainframe terminals.
I was still young. And many (including yours truly) felt the older crowd didn't get the need for freedom over the desktop (as experienced by a user).
15 years or so later, the cycle is complete.
Or at least I think the cycle should be complete -- I am wondering why there are so few, who don't agree that the "lack" of lockdown capability is a problem in the first place.
Just like in those days, the companies that love locked-down environments will stay the tried-n-true, while the rest revel in the freedom. Let the users bring in tools that make them more collaborative and productive.
FOSS does not get stronger by avoiding malware & viruses - it gets stronger cuz it tackles hackers and viruses head-on.
How about, just for a change, we get an answer from somebody who knows what AD does, and how this would be achieved in Linux?
There I fixed it for you.
You got to stop thinking the One Microsoft Way.
With Linux/Unix systems, you mount /home and /usr with NFS and mount /home noexec, then you need only administer ONE machine - the server. For authentication use NIS.
On the odd occasion that you really have to access all machines, you use Parallel SSH.
La Voila!
Excuse me, but please get off my Pennisetum Clandestinum, eh!
How about this for a policy: The moment Big Stu puts offensive wallpaper and porno sounds on his PC, he gets canned. Chances are that his wallpaper and sounds are just symptoms of a poor judgment disease your company doesn't need. I don't want the thing preventing Big Stu from being an asshole to be the permissions on his PC, I want the thing preventing Big Stu from being an asshole to be Big Stu's good judgment.
Where I work, my employer has made it quite clear that there will be no toleration of offensive materials on our PCs, or hanging from our office walls. They don't lock down the setting of the desktop wallpaper, and they don't make the cubicle walls out of anti-graffiti materials to prevent us from hanging stuff on them, either. Maybe it's because they're treated with respect, but the employees seem to know how to behave professionally - or maybe they've just tossed out the idiots before I got a chance to meet them.
You can just log into any computer and you have your own desktop with your own apps. Doesn't matter where you are. The environment follows your login.
Like Sun did.... 15 years ago....
The above is not worth reading.
I don't know much about it (other than reading about it on their web site) but Mandriva has an Enterprise desktop management system for both Windows and Linux desktops called Pulse2:
http://www.mandriva.com/enterprise/en/en/products/overview
I'm a long time Mandriva user on desktops, laptop, and servers, but all in a small business or personal environment, and it works well for me... I don't claim to know anything about Enterprise.
Here you go: http://tldp.org/HOWTO/NFS-Root-Client-mini-HOWTO/index.html http://tldp.org/HOWTO/NIS-HOWTO/index.html Now you only need to administer the server and need not worry about the clients, but if you do manage to get the clients screwed up, use Parallel SSH: http://www.theether.org/pssh/
The only supported product in Windows XP's family is named "Windows XP SP3" and was released less than 1 year ago.
Redhat and Ubuntu will update your system to the latest version (think Vista in MS land) for the same price of the SP3 update to a legacy OS. (The price is "free", btw).
Regards,
Tell me if I'm off base, but doesn't Novell work on Linux as it does on Windows?
Just to clarify for those that aren't familiar with RHEL...
I think parent meant a kickstart file, not quickstart.
And yes, kickstarts are freakin' awesome. I can pump out a new server image in under ten minutes with nothing more than an updated (via rsync) RPM tree and a web server. I just wish the kickstart cfgs would allow you to set the hostname in the network settings. Then I wouldn't even have to do 'setup' on first boot.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
The point was that you can have the policy, and police it rigorously, but the first time the insulted see it before the manager, you're going to get screwed anyway. Why not take away the opportunity in the first place?
The problem with the "Microsoft mentality" is that Microsoft's Group Policy allows for a number of things, related to both lockdown and configuration, and it really confuses the issues. Sometimes it is important not to give people what they *want*, but what they *need*.
As others have said, you can manage network configurations with NFS, CFEngine, Puppet, and SSH. You can also configure thin client architectures. However, despite how much you think you *want* it, what you do not *need* is to lock down machines.
There are certain situations where locking down machines makes practical sense. Kiosks, for instance, or for that receptionist that keeps dropping her desktop icons in the recycle bin. However, "lock down" should NOT be a security mechanism. It is not, cannot, will not, and should not ever be a security mechanism in any environment, including Microsoft Windows. If you think that "lock down" is a security mechanism, read some RFCs, read some books, man pages, and take classes. If you can't do that, or you do that and disagree, change your career.
You might think my attitude is harsh, but I'm tired of this stale way of thinking. Client systems are increasingly dynamic and flexible, and are so by their very nature. You could spend thousands or even millions deploying SELinux, content filters, Radius, 802.1X, configuring BIOS passwords, upgrading to systems with TPM chips, and so forth, only to lose the battle to a can of compressed air or a user that installs a web-based VNC Viewer on a webpage somewhere. Sure, lock down flash and java applets too, just wait until HTML5 and the canvas tag! You're going to block that too? That will work, maybe, for the first couple years, until it is so ubiquitous that you can't reasonably block it.
My point is, you cannot stop client systems. It is a lost cause. What you can do is secure your network, secure the physical environment, and provide network configuration. If you want to provide network configuration, do so to assure that systems are configured with reasonable defaults as not to make the jobs of the employees more difficult, but to make their jobs easier. The only thing accomplished by overly restrictive "lock down" mechanisms is the waste of company money. Wasted hours on configuration, wasted hours by the employees in circumvention, and wasted money on the additional employees you'll need to make up the loss in productivity.
Again, if you missed it, the only reason you, as a Systems Administrator, want to touch a client system, is to make the system more convenient for your users and enable them to perform their tasks better. That only includes "lock down" when the alternative is an inconvenience, like the receptionist that can't keep his icons in the right place. If you need security, that should always be done on the server, on the network, and physically.
I think GP meant to say something like "There is no software with a TCO of $0".
You're letting everyone run with root access, aren't you?
Admit it --- the reason they can do anything they want to the machine is because you're too clueless to actually administer a multi-user secure O/S, and you just cloned the Windows situation where every so-called unprivileged ordinary User is actually just an Administrator with certain corporate-mandated privileges revoked.
Because in the effed-up Microsoft world, even a User with limited privileges can totally hose a system by opening an email in Outlook or clicking on the wrong link in IE, you think you need to still enforce ineffectual but "Enterprise-Wide" restrictions. These "security policies" that let the network admins claim they were following good security practices while letting the malware-infested bloated risk that is Windows claim the desktop are just so much idiocy. Porting them over to the Linux desktop world reveals a level of cluelessness that screams "luser".
Have you had a look at ZENworks Linux Management ? http://www.novell.com/products/zenworks/linuxmanagement/ From what I've heard, this provides GPO-type management of SUSE desktops ... maybe Red Hat too ?!?! Also does image management / build management AutoYaST and KickStart, Remote Management (Secure VNC by the looks) and package deployment (with dependency resolution)
noexec doesn't prevent: perl ./some_script_here
The point is, you can lock machines down reasonably well just by not giving out the root password. Sure, a user can mess up her home directory, but she can't damage system directories.
I don't recall group policy offering the ability to block 'cscript c:\documen...ings\dork user\desktop\myshittyscript.vbs'
There's no place like
And this I think is the answer to the "Ask Slashdot". As has already been pointed out, you can't really expect Linux to be like Windows. They are two different philosophies. In a properly maintained system you can destroy your /home but not mine. Security and policy enough for me.
I'm not sure I agree with the enforcement idea, at least in the sense it is implemented by Microsoft. I am in the happy position of being the UNIX manager for an R&D company, and the reason I am happy is that I am totally independent of the MS management team. Don't get me wrong - they are not bad people, but every day I see the Windows users start their desktops up and hear them groan under the load of stuff pushed out by the domain servers. I mean, you can't tell me that is the right way to do things.
I think the basic philosophy for IT administration has to build on the principles of trust and the wish to serve. Too many administrators think that it is all about ruling a little empire; it isn't, it is about Serving the Community, making sure that everybody can get their job done. As for the trust part: why would a company employ people they don't trust? That doesn't make sense, to my mind.
The way I do it is, I give as much power to my UNIX users as possible. Example: we do a lot of database work - I think we have about 150 Oracle instances, different versions, different OSes etc; they all have the same administrator password, and all developers can start, stop and in principle destroy and create database instances. I am just the guy that keeps a tab on it all, I know where they all are, I regulate the use of resources, and in practice I am the person they turn to when they need something special. And it works well - people respect each other, they ask the others whether it is OK to do things etc.
Of course there are things I don't give away - only I know the root passwords to the servers, for example. But mutual trust really does work. So how do I administrate ~50 servers, ~150 Oracles, ~100 DB2s etc? The secret is called "ssh" - all administration in UNIX can be done from the command line, and ssh can run scripts on remote machines. But there is another tool that I am looking into and will probably begin to use: STAF, which is really a SW test harness, but it can do so much more than that - go and look it up if you're interested.
If I were to administrate a network of desktop Linuxes, I would probably produce some guidelines for what they can and can't do on their machines. They would themselves be responsible for the daily administration; I wouldn't hold the root password. When they screw things up, I would come and rescue their machines in a fairly basic way - more or less bring them back to the company baseline, really. I would put all the information about how to repair the system and the different non-standard configurations into a Wiki of some sort (TWiki is the one I prefer).
I am convinced it would work well; my experience so far on bigger systems is that people in general just want to do their job as well as possible. The ones that want to do more, who experiment and change their environment will enrich the company's knowledge base, but most people just want to know that their toolbox works.
Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings?
THIS is why those tools don't exist. Because every time you ask, some self-righteous idealist responds like this. Unfortunately, those self-righteous idealists are often also the really good programmers who have the ability to create such tools.
No it isn't. If someone really wanted these tools, they would pay to create them, and programmers are just like any other set of human beings: you pay them enough, and they'll do what you want them to do.
The Self-Righteous Idealists are the people who like to keep their right to actually use their computers, and thusly introduce a counterargument to the corporate lock-everything-down policies, a voice of reason that companies need awareness of. Companies like Microsoft who only exist to service other companies will gladly do whatever you pay them to, as those companies have no problem finding the right people to code up things (as stated above).
On the other hand, Open Source companies, and their few-and-far-between developers, generally have principles and are individual thinkers and are less likely to yield to corporate will in the way Microsoft and its B2B partners are used to. And that's why such tools don't exist.
But I hear Novell has no problems with such moves, so if you really, really want to do it...
Some(?) of the things you are suggesting can be done with SELinux (yeah, I know how you feel).
morcego
It's really not clear what restrictions you want to enforce. If whatever you are trying to do can be expressed by pam, groups, users, permissions and the normal unix ways of doing things then you are already most of the way there. You only need something like LDAP, NIS, or a flat file distribution system to tie it all together.
If you are trying to enforce arbitrary security rules your requirements are unpredictable so I can't give you specific advice.
Most of slashdot will likely not get the fact that corporate security rules are often written in a closed room by people who don't really understand unix. They exist for compliance not true security.
Let me try and predict this one: "[Problem they've randomly had in the last two years and didn't bother to research or bugfix] is the biggest issue in desktop Linux. The developers have lost touch because, for example, [anecdote that offers no valuable bug-ridding information, or even enough to replicate it], showing that [Problem] is still a big of a problem as it was four years ago. I've seen [however instances they've seen it, plus four] instances of this issue in my computer but also in other's, and it refuses to be fixed because Linux is simply put, not user-friendly or stable in the least bit. It's things like these that make me draw the conclusion that Linux is simply not ready for the desktop."
Did you get that template right off microsoft's website? You even forgot to fill in the square bracket bits.
It does if you don't give them exec privileges on perl. Or anything under their home dir....
Of course you would have to do the same with python, bash, tcsh, awk, etc as well. That somewhat breaks the utility of the system.
There are ways.
There are many ways if you don't know what you are talking about.
I'll come out in the open first and say that I'm a long term Windows admin, I've spent the last 8 years running Windows networks, and 5 years before that building, configuring and troubleshooting Windows PCs.
Managing a Windows network is second nature to me, but until today I didn't think that half the things I can do in Windows were even possible with Linux.
Now I know some of it can be done, I'm wondering just how much of this is ready now. Googling has never turned up anything before, but it's now looking like it's a terminology problem as much as anything else - without knowing the Linux tech, I didn't know what to search for to find my answers.
So, with that said, can anybody tell me if there's a Linux equivalent for:
**WSUS server**
I can download patches from Microsoft for 90% of our software, can test those patches on a small set of machines, and roll them out at will to our entire organization, with reports telling me of any problem machines. I appreciate I can run my own repository, but I want to enforce the installation of updates, I don't want users choosing to install them, is this possible?
**Group Policy Software Deployment**
Rolling out new software is just a case of adding a new group policy object and asking users to reboot. Software is deployed based on the department the machine is assigned to in Active Directory. Is there any simple way to install new software, or software updates to Linux machines? Also, removing software is just a case of removing the policy, is there any equivalent to that?
**Securing the Web Browser**
I'm probably going to get shot for saying this, but right now, Internet Explorer is more secure than Firefox for us. Using Group Policy we've enforced security zones, so IT get to say which sites can and can't run scripts, and users have no way of changing that. We've looked into Firefox, but on windows there's no way to centrally manage or update it, nor is there any way to enforce which add-ons are installed. So we could roll out firefox with NoScript, but unless we can stop users removing NoScript we're stuck. NoScript does have corporate configuration options, it's Firefox we're stuck with.
**Roaming Home Folders**
It sounds like this is possible, but can anybody point me to a basic guide as to how to do this. Also, how big do these get? In Windows you can configure Roaming Profiles which get copied to the client computer at logon, but can also direct things like application settings and users home folders to a central server, so the profile itself is never too large. Can I do something similar with Linux?
**Offline access for laptops**
We use Offline Folders so windows always keeps a cached copy of documents users open, as well as everything on their desktop, or in their document folders. Is there any equivalent of this for Linux?
**Preventing access to Executables**
In Windows, we block executables at the firewall, email server, and on the desktop, but it's still pretty easy for users to get around this. It sounds like removing the execute flag on linux desktops is a much better approach, but I can't find a simple guide as to how to configure this. Can anybody point me at some documentation for this, so I can configure it without worrying about missing something vital?
**Remote Support**
In Windows, we use Dameware Mini Remote Control to get remote access to any users desktop quickly and easily. I know we can use VNC, but it's always seemed slow and clunky. What are the best options for remote support of Linux desktops?
**Central Installations**
I hear all this talk of configuring a standard linux desktop and rolling it out. How exactly is this done? In Windows you just run a RIS (or now WDS) server, and roll out desktops with all the patches, drivers, etc that you need.
**Partitioning**
Linux partitions confuse the hell out of me. Do you really need separate partitions for all these things?
**Screen Saver policies**
We enforce locked screensaver
It's not just about "locking down" the desktop; this is quite easy in just about any OS, the real issue here is top-to-bottom manageability.
So yes, specific security requirements is part of that.
Now say for example you want to push out the new OpenOffice to all of accounts department only...and assuming no deployment problems, sales, and R&D too.
Next, patching. Show me all machines that haven't patched $NameOfPatchHere you deployed to the company a few weeks after it was made available to the world (giving enough testing time to be sure there's no reports of anything breaking online first).
Next, branding. The company changes name; merges with another. You want all reference of $COMPANY_X changed to $COMPANY_Y; screensavers, wallpapers, etc, etc. Rebuilding each machine image isn't an option.
Next; security. You want to open an incoming port on every local firewall for a new teleconferencing system...but only for R&D. By default all non MS-AD ports are sealed off.
Windows AD does all of this in about 2 clicks per need above. Doesn't matter if you have 5 clients or 5000.
throw new NoSignatureException();
CANONICAL Ubuntu
sells a product for Ubuntu called LANDSCAPE
A PAID Solution With support is the way to go
http://www.canonical.com/projects/landscape
Together with puppet one really needs to look into Kiosk. This allows you to lock down the configuration of KDE applications, and it's *one* of the reasons KDE is used in enterprise deployments instead of GNOME.
The best way to accelerate a windows server is by 9.81 m/s2
If you're using NFS /home and GNOME, changing configuration for all users simply becomes a matter of using gconftool, eh?
Put identity in the browser.
More Microsoft indirect PR masquerading as a question. From kdawson as usual.
The idea is for the reader to ask the same question and then to realise that MS has an answer where Linux doesn't, and for that thought to linger in the minds of the opponents to MS.
FWIW I wouldn't object if the article came out straight to claim an advantage for Microsoft. That way we could debate the pros and cons of the claim and all of us would benefit.
If cost is your major factor, and TFS suggests that it is, then stay on Windows. Linux may cost less, but it is different. Linux is great for people who want something different from Windows (like security) but if you are only looking at cost, then Windows will be less trouble for you. Linux is _different_ than Windows and if that's not what you are looking for then you will not like different.
Basically, what OP means are the following points, with my current knowledge of Linux:
(I am just a Linux enthusiast and I do use Linux as my desktop at home and at work, so if I made any mistake please correct me)
1) Central User Management with login (just like the one within AD)
- There are services for Linux/Unix OS that allow you to log on centrally, but I have not heard of the possibility of cached logins (just like AD login in a Windows environment)
2) Central administration of file and folder shares
- In Linux, this can be done on server level and shares can be automatically mounted on client machines, but this brings big overhead in scripts and modifications on local machines
3) Central fileaccess and application control for both shares and local harddrives
- even if there is an application installed on a client PC, that does not mean that everyone is allowed to use it. I don't know if there is a way to control that
4) Central printer sharing and configuration (with almost automatic printer installation on local machines)
- Not everyone can use every printer, e.g. users printing their private stuff on the company's color laser.
- Also, you install printer in windows, and your printer server sends you particular driver if you don't have appropriate.
- How can that be solved on linux... don't ask me.
5) Central Login services
- in full and properly configured windows environment, user does not need to enter extra credentials to access intranet or any shares, these resources know if they are allowed to be accessed by particular user.
6) Patch management for servers and clients
- This is easy one.
- Create your own mirror of the official repository, where you only download stuff which is allowed on your network, and use it for passing updates to software on your local machines.
- This is not as easy as WSUS Server, you have to manually track all changes and you have to copy each and every package which you need on local machine(s).
- Sounds error prone, doesn't it?
7) Network/Internet access
- This is an easy one, because you just have to configure a transparent proxy and you can regulate your traffic through it.
- Buuuut, you have to go to a separate machine and configure it there. No central management of your proxy boxes.
- Question, how do you control that guy in the warehouse, so he does not surf the internet all day instead of working? This function needs fine-grained access list management, preferably in a central location.
These are only a few things that I could pull out of my head right now. I know there are solutions for each and every one, and some are easy, while others are complex, but these are all independent from each other. We need a central management console for the whole environment. And I'm not talking about little companies, with 5 servers and 50 clients. I'm talking about enterprise solutions, about networks with multiple locations, every one having hundreds of servers and thousands of clients.
Is AD good? Not really, but it almost satisfies what people need, and people use AD because there is no other solution. My best example is the biggest crap of software that exists on this planet, Exchange 2007. But companies will deploy it, because there is no better solution for their needs. "A mail/calendar/tasks/communication (exchange) server with a local application (outlook) where people can set their "out of office" message easily." That was exactly the reason why my ex company got Exchange. anyway. let me stop ranting.
Bye,
Alex
Dunno if this would work, but the idea is neat: Policies for running programs can be controlled via the sudoers file, using groups. Once on LDAP, the group memberships can be controlled via the central LDAP server. You could even create a cron job to check/update the sudoers file. You could take it a step further and write a global login script to lock down all aspects of a system, and have it unlock and lock services/devices based on group membership in LDAP.
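Added example, not part of the comment above and not from any of the tools named on the page: a POSIX shell script that renders a sudoers drop-in for one group (membership can be resolved from LDAP through nss, as the comment suggests) and syntax-checks it before it goes live. The group name, command lists and destination paths are made up for illustration; it assumes the main sudoers file includes /etc/sudoers.d.

```sh
#!/bin/sh
# Added example (not from the thread). Renders and installs a sudoers
# drop-in keyed on a group name; who is in the group is resolved by nss,
# so the membership itself can live in LDAP. Group names, commands and
# paths below are illustrative.

# Print sudoers rules letting %GROUP run exactly the listed commands.
# Each command must be an absolute path; wildcards and "ALL" are refused,
# because a spec such as /usr/bin/* or ALL amounts to handing out root.
render_sudoers_rules() {
    group=$1; shift
    for cmd in "$@"; do
        case "$cmd" in
            *\**|*\?*|*\[*|ALL)
                echo "refusing unsafe command spec: $cmd" >&2; return 1 ;;
            /*) ;;
            *)  echo "refusing relative command: $cmd" >&2; return 1 ;;
        esac
    done
    printf '# generated for group %s; edit the generator, not this file\n' "$group"
    printf '%%%s ALL=(root) NOPASSWD: ' "$group"
    sep=''
    for cmd in "$@"; do printf '%s%s' "$sep" "$cmd"; sep=', '; done
    printf '\n'
}

# Write the rules to DEST (normally /etc/sudoers.d/NAME) through a temp
# file, syntax-checking with visudo when it is installed. A broken drop-in
# breaks sudo for everyone including the admin, so never write DEST directly.
install_sudoers_dropin() {
    dest=$1; group=$2; shift 2
    # #includedir ignores names containing '.' or ending in '~'; refuse them
    # rather than installing a file that silently never applies.
    case "${dest##*/}" in
        *.*|*~) echo "bad drop-in name: ${dest##*/}" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    if ! render_sudoers_rules "$group" "$@" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null; then
            rm -f "$tmp"; return 1
        fi
    fi
    mv "$tmp" "$dest"
}

# Usage (as root): grant the helpdesk group two fixed commands.
# install_sudoers_dropin /etc/sudoers.d/helpdesk helpdesk \
#     "/usr/bin/apt-get update" /sbin/reboot
```

The cron job the comment proposes would call install_sudoers_dropin for each managed group; because the rules name only groups, a membership change in LDAP takes effect without touching the file at all.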
"I use Windows right now instead of Linux because I don't feel Linux is ready for the desktop"
and
"So, yes, I really want Linux to succeed"
Oh purleeese! You want Linux to succeed the same way that urban four wheel drive owners want to save the planet. The idea appeals to you; you just can't pull your head out of... never mind.
I've been using Linux exclusively for the past 10 years both privately and professionally for a variety of companies large and small. It's ready for the desktop now, and has been for years.
It isn't perfect. Nor is Windows. Of the two I would prefer Linux. Your preference is obviously Windows. You're not kidding anyone.
and boot them over the LAN
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Who said anything about Microsoft? The name "M$" is clearly a regular expression, so he's running something which ends in "M".
I'm guessing it's tfo$orciM.
You don't want remote deployment; that's an MS-concoction invented to make your life slightly less difficult. Think outside the box. Simply go with read-only boot media. Doesn't have to be a CD (but it's handy): then get everything (from apps, to privileges, to filesystem-space) from your network. New release means new CD. Superfast, superflexible. Your workstations can be simple and cheap Asus boxen; the real investment comes from having a good network and good central service machines.
Religion is what happens when nature strikes and groupthink goes wrong.
OCS ( http://www.ocsinventory-ng.org/ ) for inventory and glpi ( http://glpi-project.org/?lang=en ) for management are often used in France to manage Linux desktops.
~$ python myprogram.py
A sufficiently clever user could use an interpreter to write his own dynamic linker and thereby run binaries too.
And you can compile C to MIPS code with GCC, and then run the MIPS code in Java using NestedVM.
Or you could convert everything to a bash script ;)
From what I can tell this guy is looking for a combination of 2 things. A replacement for AD/Group Policy for Linux, and something that works in much the same way as SCCM (SMS) for package deployment and management, as well as reporting etc.
You CAN do all of this in Linux I'm sure, if you have the time to trawl the internet for hours on end looking for something that someone in the know could have told you in seconds. But also, it can't be hard to manage, there needs to be a decent GUI and it has to be scalable.
Also, saying "We have had LDAP support for AAAAGGEESSS" doesn't cover what can be achieved in Windows with group policy. The ability to assign local accounts admin rights on specific machines, or give people in certain groups access to specific registry keys, run login scripts on some machines but not others, etc. Of COURSE all this is possible with Linux, but saying "Oh yea we can do that EASY" isn't what he was asking. He was asking HOW.
Stop being so guarded and elitist and give the man answers he can actually use.
I know a lot of apps don't support it, but how useful is PolicyKit?
The ability to [...] without having to ssh into each and every machine on the network.
How do you do it on windows without the central machine have to talk to each and every machine on the network?
Why do you want the machines to "talk together, but not in this particular way"?
It seems like you want to see the solution to an artificially constrained problem. Why the artificial constraints?
Marketing wants a new desktop background [...] it's a company machine. Do you expect to repaint the company walls sky blue because you don't like puce? [...] And apparently some dorkwad once determined that allowing users to set their own desktop background wastes time and thus money
I'm glad you call him a dorkwad.
Let's see. The analogy is flawed: by painting the walls, you force your choice upon everyone else. By setting the desktop wallpaper on your machine, you're not. By having the company set the wallpaper, it forces a choice upon you.
When it's merely a matter of personal taste, why do you want to dictate to people what they should choose? My gut suspicion is that by exercising control over people you demotivate them, and lose much more money than you would have lost in the minutes they'd spend changing their wallpaper.
As someone said, "It's supposed to be fun, dammit!"
This might be one of those situations where you're "asking the wrong question" because of cultural assumptions that differ between the Windows and *NIX worlds.
Can you give an example of the sorts of settings you need to enforce / behaviour you need to restrict? Coming it at it from that slightly different angle might get you some more helpful responses ;-)
If someone REALLY tries to bypass your security, they'll get past.
Rather like the locked door. Knock the door down and the strength of the lock is irrelevant.
What you CAN'T do is say "Oh, I didn't know I wasn't allowed".
The problem clearly lays with the poster, and also in the majority of the people who are replying to the poster.
There is clear solutions being provided but they are being obscured by a vocal minority screaming in everybody's ears.
Puppet, Fedora Directory, LDAP, eDirectory, LUM, SSH, NX, BASH, SLED (or OpenSUSE, Fedora, Ubuntu...), KDE 4.2+ (YES! KDE ACTUALLY HAS MADE FIXES SINCE 4.0! HAVE YOU LOOKED RECENTLY!!!)
The poster is far too afraid of researching, and possibly having to learn something new. At the very least look into Novell's offerings more if you need something "supported".
If you don't want to put in the work (you can be lazier afterward!) then get the hell out of IT.
Lets examine the threats here:
Viruses? Hardly any.
Rampant piracy? Of open source? haha. Of movies? Block bit torrent
People opening up ports on their desktops to the world? Get a firewall.
People h@x0ring root? Tripwire+logging.
Dissemination of company secrets? Was always a threat. Force everyone through a proxy.
Anything else?
I wrote my first program at the age of six, and I still can't work out how this website works.
cssh is great for a handful of computers, but for the 40,000 boxen, try cfengine
in there already bearing in mind how abundant linux is in universities & colleges and how responsible most students are (And yes I was the 1st in my class to figure out how to crash the network oooh how clever I thought I was). Hope you find something though
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Wine is great, when it works. I wouldn't call it craptastic, it made it possible for me to migrate to Linux here at work because the dev ticket tracking system could be made to run. And there are many non-flaky FOSS solutions...
But in general, yes, if you've got something tied to a platform then it makes sense to keep it, especially if it's customised/bespoke/niche.
I think Zivios http://www.zivios.org/ aims to solve this problem
You can then add to the apache httpd.conf.
Or, if you're sooo scared of people pissing in your IT infrastructure, don't use the root httpd.conf, have them use their own per-virtual-site httpd.conf and writable by them alone.
As to the "oh, you have to give sudo" NO YOU DON'T.
If you're sufficiently paranoid, use LIDS. Lock root down to fuck all, and give administrator access to what needs doing.
E.g. root cannot bind to a port, but http user can as long as it's 80 443, etc.
And so on.
"Of course you would have to do the same with python, bash, tcsh, awk, etc as well. That somewhat breaks the utility of the system."
It somewhat breaks the utility of the system *if you're a geek*. (like me).
If you're deploying these to people that need to use OO.o and a couple of other GUI apps, as general office workers do, then it doesn't break anything. It's like saying "lock down vbscript/shell/c#" on windows. Most folks wouldn't know or care about that.
Of course, when you've reduced it to just a machine that runs a word processor and a browser, plus has storage space, then it doesn't matter what OS you're running. Which may or may not be the point...
Sheesh. Just because Windows has a GUI (that you have to relearn) doesn't mean you have to have a GUI.
And all this information isn't saved in a multitude of places, it can be stored as a set of scripts to do the work in one place. Or one directory. Hell, have a look at how SysV init scripts work. Your policy could be set up like that:
scripts based on domain, run all scripts in the domain to set the policies. scripts based on domain are links to the central repositories that cannot be seen by users.
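Added example, not from the comment above: a POSIX shell runner for the SysV-style policy directory it describes. Policy scripts sit in one central, root-owned tree (a read-only NFS export or a package-installed /etc/policy.d; the path and the two sample scripts are made up here) and are applied in lexical order. Since they run with root privilege at boot or login, a script a user can modify is a privilege escalation path, so the runner checks ownership and mode before running each one.

```sh
#!/bin/sh
# Added example (not from the thread): run-parts style policy runner with
# an ownership/mode check. Paths and sample scripts are illustrative.

# Succeed only if FILE is a regular file owned by the invoking uid (root in
# production) and not writable by group or others.
policy_script_ok() {
    pf=$1
    [ -f "$pf" ] || return 1
    # GNU stat first, BSD stat as fallback: "<octal mode> <owner uid>"
    st=$(stat -c '%a %u' "$pf" 2>/dev/null || stat -f '%Lp %u' "$pf" 2>/dev/null) || return 1
    mode=${st% *}
    owner=${st#* }
    [ "$owner" = "$(id -u)" ] || return 1
    # last two octal digits are group and other; 2, 3, 6 and 7 carry the w bit
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Apply every *.sh in DIR in sorted (glob) order. One output line per
# script; unsafe scripts are skipped and reported rather than run.
apply_policies() {
    pdir=$1
    for script in "$pdir"/*.sh; do
        [ -e "$script" ] || continue
        name=${script##*/}
        if ! policy_script_ok "$script"; then
            echo "skipped $name (owner or mode unsafe)"
        elif sh "$script"; then
            echo "applied $name"
        else
            echo "failed $name"
        fi
    done
}

# Demonstration on a scratch directory with two constructed scripts. Real
# ones would set mandatory gconf keys, proxy settings, firewall rules, etc.
demo_policy_dir() {
    d=$(mktemp -d) || return 1
    printf 'echo screensaver-lock=10m\n' > "$d/10-screensaver.sh"
    printf 'echo proxy=proxy.example:3128\n' > "$d/20-proxy.sh"
    chmod 0644 "$d/10-screensaver.sh"
    chmod 0666 "$d/20-proxy.sh"   # world-writable: anyone could plant commands here
    apply_policies "$d"
    rm -rf "$d"
}

demo_policy_dir
```

Per-department policy is then a matter of which directory (or which symlink farm, as the comment puts it) a machine's runner points at; the check above is what keeps a user-writable link target from becoming root's to-do list.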
Does anyone make a distro that is designed to forensically one's own network from outside
Did you accidentally the verb?
Seriously, why not look at ltsp? A different approach, maybe, but it ensures that all workstations are singing from the same sheet.
puppet + custom RPM repository >>> windows
I'm not sure what you're trying to say, though.
please. for the love of God. why would you want Linux to do something that Microsoft does? If you're looking for a Microsoft "alternative" simply don't use Linux. I don't understand why anybody would even bother trying to switch hundreds of computers on a network from Windows to Linux in addition to their entire domain controller??? WTF ARE YOU THINKING??? Do you WANT your company to hate you forever? This article seems to be written by someone who simply wants to point out the things a Windows AD can do that Linux can't.. We're not comparing apples to apples here.. These are two totally different operating systems that serve two totally different purposes.. If I want a Linux network then I'm going to sit down and make custom scripts, cronjobs, NFS, LDAP, maybe even LTSP or NX. If I wanted point and click pussy whipped corporate policies with pretty audit graphs to show employee efficiency then I'd use Windows. So if your employer is incredibly paranoid about every minute of their employees' work day being billable time, then use Windows. If you want to be happy at work and your boss isn't a dick, then use Linux.
*plays the Apogee theme song music*
You know what, if one of my lusers manages to write python scripts to play solitaire, I'll tell you what, I'll hire them right away in the sysadmin team.
Redhat and Ubuntu will update your system to the latest version (think Vista in MS land) for the same price of the SP3 update to a legacy OS. (The price is "free", btw).
Depending on the support contract, RedHat costs you anything from US$500 to US$thousands per year for updates. That's a long way from "free".
Use ZLM from Novell. You'll need to use openSUSE as this is mainly used for rpm distributions. We use SLED but with our discounts amount to $50 a desktop. The ZLM client is like $30, really cheap and allows you to enforce policies and deploy software and security patches from a single console.
The answer seems obvious to me, you should go back to paperwork.
tyoup.
...do the 're-image' thing in order to periodically ensure that the machines are clean.
Users keep their data on the network, and the machine gets 'updated' every week or so. Coincidentally (heavy sarcasm here please) everything on the machine gets wiped and set to a known state when the . Now, this is something that I know a VERY large company does in at least one large division, but it allows them to have both Windows and Linux boxes throughout the system. Their overhead though is in testing the new images (because they contain updates) against the myriad of machines they use.
Now, again, this is something a very large company currently does. Technically they don't re-image the entire drive either, but they do control the portion that can connect to the corporate network very closely. This requires a team of people in IT devoted to just this process, constantly; ergo, it is expensive.
Why would any dev, who has to battle with corporate group policies to get his day job done, ever want to write software to do such a thing unless he was paid for it?
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
Also a good idea for /tmp!
Seriously, first define whether you're locking down the OS itself to a standard configuration, or doing access control (or both).
Second, save yourself one hell of a lot of licensing costs by using CentOS, which admittedly parasites off of RedHat's server efforts but is in fact considerably easier to manage.
What else do you need?
Hire a senior UNIX/Linux admin. BTW, I've just updated my resume.
It's not been implemented that way as far as I know, but you can use SELinux to lock a user down as much as you want.
For example Fedora has an "xguest" package where a user type is created that can only do a limited set of things, such as browse the web. Can't even connect to local daemons (except those expressly approved) via the loopback interface. Can't create files but where it is specified. And so on and so forth.
Fedora XGuest is much better than anything you can find on Windows:
It might not do exactly what you want. No biggie, just create a custom policy to allow what you want, there are GUI tools to help with that.
What policies are you trying to enforce and on who? It would probably be easier to come up with ideas for you if we knew what policies you need to enforce.
Not giving out root would be a very good start. I ask who you are enforcing these policies on because some people have mentioned users asking for sudo permissions to edit some config file or another and then using it to get root access. If these are just typical office users with office applications I can't imagine what valid reason anyone would ever come up with for that.
Locking down an Enterprise is simple:
First I would raise the shields. Then go to Red Alert. Once the crew is at battle readiness, I'd open a hailing frequency and see if we couldn't resolve any disputes through diplomacy.
My twitter
What's wrong with reading the source code, modifying it and recompiling?
In MANDRIVA Linux the root controls allow you to lock down all the INDIVIDUAL settings and aspects of desktop use. You could force everyone to have the same programs and not allow them to change the settings you choose or the programs you install. With one computer set up like this you could then make an install disk to clone that machine on all the others. I have used both SUSE and Ubuntu and they do not have this fine level of control in their settings managers.
what's this whole idea of locking employees desktops. Do companies provide chairs, tables, clothes, pens and paper that cannot be customized by employees???
Locking things down means you don't trust your employees.
My IT department wants me to remove Linux from my work laptop and use only windows. And the company products are 100% running on Linux. Go figure!
puppet/modules/nosolitaire/init.pp :
class nosolitaire {
package { "nosolitaire":
name => "solitaire",
ensure => absent,
}
}
What you are looking for is Sabayon:
http://projects.gnome.org/sabayon/
"Sabayon is a system administration tool to manage GNOME desktop settings. Sabayon provides a sane way to edit GConf defaults and GConf mandatory keys: the same way you edit your desktop. Sabayon launches profiles in an Xnest window. Any changes you make in the Xnest window are saved back to the profile file, which can then be applied to user's accounts."
You need to think about using the package manager.
You create your own repository, with software that you have modified to work like you want. Then you practically have your own distro that has the permissions you need as default. Make a live-cd for easy installation afterwards.
If you change your policies after that, just modify the software you have and update it through the package manager.
Wouldn't it just work if you'd mount the directories where those permission files are from your server? As in, you'd not have those on the local machines but on the server. Isn't it just as easy as that?
Hi,
I have done some large deployments with the same challenges you mention. The software we have used is the Linux Management suite from Novell. Here is the direct URL : http://www.novell.com/products/zenworks/linuxmanagement/
It works well with Redhat and SuSe but does not support many other distributions. In fact as you would expect its by far the best integrated with SuSe however it works well with Redhat.
ssh+sh+brains oh! I forgot the all too important RTFM!
If you're asking Slashdot and don't have a few really good ideas in-house you might not be up to the task. I would start by talking to your UNIX systems guys that manage your UNIX servers. If you don't have UNIX guys in house there's no way a bunch of Windows desktop support guys are going to be able to Google their way through supporting and "locking down" Linux desktops.
And please do realize "whom" you are dealing with. Some users are smart enough to break the local admin passwords of Windows desktops and log in locally and bypass your Windows domain and security altogether. The same is possible on Linux systems. All the "locking" you do can be easily bypassed by booting to Knoppix and editing the mounted filesystem.
My suggestion would be to deploy Linux to your users with the least amount of hindrance possible. Provide them sudo and don't provide local root passwords. Stay out of their way as much as possible with your "lock down" so they don't get annoyed and break into their system in order to perform their job. While you might think you could "go after" them for "breaking into" their Linux system, if they are able to present a valid business reason for doing so and show your inability to support them, you will only be left with egg on your face and will be forced to hand over root passwords.
If your company is doing the standard draconian control tactics to annoy employees I would not bother with Linux at all.
How about "bash virus.txt"?
I'd like to see that "solved".
(It is far from trivial to make bash non-executable - you essentially need to make a "kiosk")
Oh f* ...
I meant "bash < virus.txt"
Sorry.
Maybe this is why Ubuntu is so popular now?
Well, one way to do this is to mount the users home / groups with the noexec flag.
No... GP is right. You can stop them from running native code if that's your goal, and maybe that's good protection against running dangerous system calls or god knows what.
BUT, they still have access to turing-complete languages, hell even full VMs via Java and Mono. If the goal was to stop them from running arbitrary code that interacts with the user, i.e. to stop them from playing games, you've lost. I wrote TiCalc programs to waste time in high school, I sure as hell can do the same in shell if I'm interested enough. Maybe your average user can't do it, but then they can bring their own laptop in and waste time on that, or sneak off to the bathroom and read a book.
These are battles you just can't win. Noexec should be used to guard against a potentially buggy kernel, nothing more.
"Of course you would have to do the same with python, bash, tcsh, awk, etc as well. That somewhat breaks the utility of the system."
It somewhat breaks the utility of the system *if you're a geek*. (like me).
If you're deploying these to people that need to use OO.o and a couple of other GUI apps, as general office workers do, then it doesn't break anything.
So your plan is to chmod all shells unexecutable then? This will break all the rc scripts, break posix compliance, break X, break openoffice, and likely a thousand other things. I guess you are right about one thing, a machine that won't boot is fairly secure.
Nursie, You are not a geek. You are a really long way away from being a geek. More of a luser in fact. Actually so much of a luser that you should not be allowed a root or administrator password on anything, ever. Or a normal user account for that matter. Go back to your etch-a-sketch for a few more years.
How about "bash virus.txt"?
I'd like to see that "solved".
(It is far from trivial to make bash non-executable - you essentially need to make a "kiosk")
Then again, that would be no different from what you'd be able to do anyway if you get a shell prompt; shell scripts are just sequences of shell commands, after all. I don't see the problem. If you don't want your users able to do stuff, then naturally, you need to give them a restricted shell, which you'd do either by putting rbash in their passwd entry, or locking down Gnome for them.
If you really feel the need to, that is; I never really understood the purpose of locking down a login session to begin with. Security problems shouldn't be solved that way anyway, and if it isn't security problems you're out to solve, then what is it that you're trying to do?
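The rbash-in-passwd route mentioned above, as an added example rather than code from the thread: a small probe script that asks a restricted bash session what it refuses and what it lets through, so the restriction can be verified on a test box before it goes into anyone's passwd entry. It assumes bash is installed; every command it probes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: probe the behaviour of a restricted
# bash session (what /bin/rbash, or `bash -r`, enforces). Assumes bash is
# installed on the machine running the probe.

# rbash_rejects CMD: returns 0 when a restricted bash refuses to run CMD,
# 1 when the command is allowed. Output is discarded; only the verdict counts.
rbash_rejects() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# rbash_report: one line per probe, for a quick eyeball check of the policy.
# The probes cover the four things restricted mode is meant to block
# (changing directory, changing PATH, naming a command by path, redirecting
# output to a file) plus one harmless command that must still work.
rbash_report() {
    for probe in 'cd /' 'PATH=/tmp' '/bin/ls' 'echo hi > /tmp/rbash_probe' 'echo hi'; do
        if rbash_rejects "$probe"; then
            printf 'REJECTED  %s\n' "$probe"
        else
            printf 'ALLOWED   %s\n' "$probe"
        fi
    done
}

rbash_report
```

Restricted mode is only as strong as the PATH the session starts with: command names without a slash are still allowed, so the directory PATH points at must hold only the binaries the user is meant to run, with no unrestricted shell or interpreter among them, and the user's startup files must not be writable by them, since those run before the restriction takes effect.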
...learn and understand the capabilities of seLinux and read the NSA Security guides. They don't do it for you (would you really want them to???); they tell you how, step by step.
Be careful you don't lock you or your employees out of their own system... it is a possibility if you really go aggressive with seLinux enforcement.
That's a good point, but the kind of huge organization you mention will have in-house IT people who can do that anyway, and I still think the advantage of a FOSS platform outweighs the relative lack of ready-to-go deployment facilities.
That just isn't true. I personally worked on a project for two years with full executive support to migrate 30% of a 60,000 user enterprise to Linux. It failed in the PoC stages because we simply couldn't manage to the level our external regulation and internal mandates demanded at a reasonable cost.
If I'm understanding this correctly, you get application installation automation for free with your centralized repository, perhaps automated with cfengine, puppet, or even ssh-in-a-loop.
Puppet and cfengine provide the distribution services that SCCM/Zen/etc gives you -- actually, they probably do those things better from some points of view. FreeIPA will narrow the gap further once it is fully baked. But these solutions are missing a bunch of features useful to enterprises, particularly distributed enterprises. And SCCM is very cheap, and requires a small set of admins. Puppet/cfengine/FreeIPA will require more people with more sophisticated skillsets.
I define an "enterprise" as an IT environment whose needs are beyond the ability of one 3-8 person generalist group to perform. For a regulated industry like a bank, that may be as little as 30 people. For a more ad-hoc industry like a call center, the number may be much higher.
Conformity is the jailer of freedom and enemy of growth. -JFK
So I guess I am the only one who saw the headline and was excited that Starfleet was in fact considering Open Source...?
Could you elaborate on what you are trying to accomplish? Is it things like screensaver timeouts and NFS mounts or something more intricate?
In my _small_ network, the desktops (12) connect to a central ldap server for authentication and use NFS to mount home directories. For the (2) laptops I couldn't find a similar solution and created a local account with a local home directory that rsyncs to the server.
I have not found a good way to emulate GPO or centralized login script functionality.
"So your plan is to chmod all shells unexecutable then? This will break all the rc scripts, break posix compliance, break X, break openoffice, and likely a thousand other things. I guess you are right about one thing, a machine that won't boot is fairly secure."
You know that you can tune execute permissions by user, right?
Or are you so fucking retarded you thought my solution was to make it impossible to run shells and interpreters across the whole system?
FUCKING RETARD.
Did you already take a look at Canonical Landscape?
http://www.canonical.com/projects/landscape
Use noexec in /home, /tmp, /var/tmp.
Use SELinux/AppArmor.
Set gconf defaults and mandatory settings.
Delete the user's appropriate .gconf folder in order to reset Gnome parameters should the user have altered their desktop beyond repair.
Use Kerberos/NFSv4/OpenLDAP.
Play AlienArena all day while you get paid.
I don't think that Windows could get even close.
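The noexec step in the list above (also suggested earlier in the thread for home directories), as an added example that is not code from the thread: an audit that reads an fstab, reports which of the named mount points lack noexec, and prints the hardened entry for each. It works on a text copy of the file so it runs offline; the fstab below is constructed for the demonstration, with /var/tmp deliberately left without an entry of its own, the case where a mount point silently inherits the parent filesystem's options.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an fstab for the noexec
# mounts recommended above. The sample fstab is constructed for illustration.

SAMPLE_FSTAB='# <fs>            <mountpoint> <type> <opts>                 <dump> <pass>
UUID=0000-ROOT   /            ext4   errors=remount-ro      0      1
UUID=0000-HOME   /home        ext4   defaults               0      2
tmpfs            /tmp         tmpfs  nosuid,nodev           0      0
UUID=0000-SWAP   none         swap   sw                     0      0'

# mount_opts FSTAB_TEXT MOUNTPOINT: print the option field of the entry for
# MOUNTPOINT, or nothing when the mount point has no entry of its own.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# noexec_missing FSTAB_TEXT MOUNTPOINT...: print, space separated, the mount
# points that are not mounted with noexec. A mount point with no entry at all
# counts as missing, because it inherits the parent filesystem's options.
# Returns 0 when every mount point is covered, 1 otherwise.
noexec_missing() {
    fstab=$1; shift
    missing=""
    for mp in "$@"; do
        opts=$(mount_opts "$fstab" "$mp")
        case ",$opts," in
            *,noexec,*) ;;
            *) missing="$missing $mp" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# hardened_line FSTAB_TEXT MOUNTPOINT: print the entry for MOUNTPOINT with
# noexec,nosuid,nodev added (existing options kept, nothing duplicated), or
# nothing when the mount point has no entry to harden.
hardened_line() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            opts = $4
            n = split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= n; i++)
                if ("," opts "," !~ "," want[i] ",") opts = opts "," want[i]
            $4 = opts
            print
        }'
}

# Report on the constructed sample: /home and /tmp lack noexec, and /var/tmp
# has no entry at all, so it needs a mount (for example a tmpfs) of its own.
if noexec_missing "$SAMPLE_FSTAB" /home /tmp /var/tmp >/dev/null; then
    echo "all audited mount points carry noexec"
else
    for mp in $(noexec_missing "$SAMPLE_FSTAB" /home /tmp /var/tmp); do
        echo "missing noexec on $mp"
        hardened_line "$SAMPLE_FSTAB" "$mp"
    done
fi
```

The audit deliberately treats "no entry" as a failure rather than as "not applicable": a /var/tmp that lives on the root filesystem is executable however carefully /tmp was mounted. For the third item in the list, the GConf mandatory source is written with the stock tool, for example `gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /desktop/gnome/lockdown/disable_command_line true`, which is the same store Sabayon and Pessulus edit.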
http://www.canonical.com/projects/landscape
+1 plz
interactive hologram, or it didn't happen.
Everyone is treating this question like it is a joke. I guess none of you work in an e-comm environment. I say this because apparently none of you have heard of PCI compliance. To be PCI compliant you need to lock desktops down: things like USB write access, FTP ability to the outside world, and no local admin access for non-admin employees. So before you start typing ignorant statements about how dumb this is, know your facts.
Hire me as a consultant and I'll implement it.
Well, for 2 I suppose you could use something like OCSInventory. For Group Policy I would think you're looking at Likewise Enterprise hooked into Active Directory, or something like CFEngine as listed above.
Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
For massive enterprise deployments with serious access control, I'd take a look at MIT's infra. They make their own distro, called Athena, and everything is managed with kerberos auth. It's a really beautiful setup. See here: http://web.mit.edu/ist/topics/linux/linux-athena.html
Another distro that I use regularly for high security and mandatory access control is Hardened Gentoo with the GrSecurity & PAX patches to the kernel. Works really well in an untrusted environment. Couple this to LDAP, kerberos, and portage for updates & it's simple to manage 5 or 5000 machines.
Good luck!
http://www.canonical.com/projects/landscape
There are several tools mentioned that can configure your workstations to a "lock down mode".
One of the great things about Linux is that all of these things can be configured via scripts and run on each workstation remotely.
There is a SourceForge project called rsudo that will allow an admin to run a script on every workstation in your environment, allowing you to update rules in iptables and so on remotely and quickly across your entire environment.
"Ya, NO linux based company would EVER do something like that. "
Not only would they not, they couldn't. They cannot revoke your user license (MS can) and you have the source code, so whether you get updates from Redhat, Joe's code and update emporium, or your in-house IT staff, they can't try to force you to change to their newer product by restricting the availability of updates. They don't own the code.
If you think Linux comes from a vendor, you just don't get it.
"Depending on the support contract, RedHat costs you anything from US$500 to US$thousands per year for updates."
Nope. Sorry. Simply not true. Updates are available regardless. Get over it. The whole model is not comparable to MS. Though millions of dollars change hands because lots of folks, including IT folks, just don't get it. Geez, I wonder if it is worth looking up the thread from maybe 4 years ago with IBMers who thought their support contract was a user license and they had to have it in place before they could use SLES.
But we in the community appreciate you dumping the money out there, even if it is on totally bogus assumptions.
Slashdot has gone to hell. Ask yourself this question. Am I really familiar with MS Active Directory and Group Policy management, as well as Unix administration, to the point where I can make a recommendation on how to maintain a network of Unix/Linux computers using AD and Group Policy (or equivalents)? If not, why are you making suggestions or claiming that the OP is doing something wrong? The OP and a few other posters get it and the rest of you don't and are making asses out of yourselves. Group policy is extremely useful. Here is the super short description. Group Policy is like DHCP, but for user and computer settings. Meaning, when a user logs on, all of these settings that are appropriate for him and his computer (which are a part of an organization) automatically happen. No configuration of that user's computer is necessary other than "joining it to the domain." The next day or next week or next year when a change is needed, it can be made in Group Policy and it is a done deal. Administrators who are used to this method of management probably like it and are unlikely to change away from it. It would increase adoption of Linux if we could provide most of the functionality of AD and GP on Linux on the server side and the client side. Samba 4 will be a big step in that direction. But what about the client side? A lot of the Group Policy objects could be just as useful in administering Linux workstations, servers, and users and groups that are members of a "domain."
Perhaps it's a silly, obvious question, but what does Google do to manage their own corporate desktops that run Goobuntu or other flavors?
There are hundreds of comments here and I'm not going to read them all so I apologise if I'm repeating something somebody else has said, but the Gnome tools for locking down a desktop are Sabayon (as I said above, not the distro) and Pessulus.
Sabayon is a desktop user profile manager and Pessulus is a Gnome lockdown tool. Sadly neither seems to have been updated in the last 3 years, maybe they did the job they were designed for, but I know people were using them.
Sabayon
Pessulus
It is easy to do this with command line tools. Here's one that might help:
http://freshmeat.net/projects/clusterssh/
But -- when IT policy becomes this draconian, it's probably time to look for another job elsewhere.
People need to be trusted enough to be able to install the tools that they need to get their job done in the most efficient manner that they know. There is no way for a centralized IT to be able to move as quickly as those they serve.
Yes, IT customers do need to be policed to a certain extent, but to a greater extent, this is a management issue better handled in an environment of trust between a manager and his employees.
Check out Novell's Zenworks Linux Management. I believe it's part of, or a subproduct of Zenworks Configuration Management.
As a Linux distributor who got his start in Linux in the early '90s (before the enterprise Linux boom), I think it is shameful to any and all Linux distro vendors to see the words "it's cheaper running M$" in any article on this subject! That is one of the core values on which Linux was founded; to remove the cost from the operating system. Redhat, Novell, and others all need to heed these warning signs and quit trying to profit from what they did not write.
If there is not a viable free open-source security solution available for Linux, it is our _responsibility_ as free software developers to create one... ASAP.
Anyone want to start a project to fix this little problem? Who's with me?
Updates are available regardless.
No, they're not. At least not in any comparable form.
The whole model is not comparable to MS.
That I can agree with.
See: http://www.ubuntu.sun.ac.za/wiki/index.php/KDE_System_Config as a possible solution if you use KDE only.
AD and GP often make no sense in the *nix world, as there are often much, much easier ways to do things.
Just because people get comfortable with a stupid way of doing things doesn't mean that Linux should copy it. Group Policy seems to be the current holy grail of MS System Administration, which seems slightly ridiculous, as much of it is either solutions looking for problems, or problems that were solved on *nix 10 years prior. But, without any specific things being requested, or details of the setup, it's rather hard to suggest pertinent things. It's linux, there are 5 - 500 different ways of doing things, but you only need to learn 1. The good news is that the 1 way will actually do what you want.
*nix is not about having huge systems that do everything, it is about having small tools that talk to each other in intelligent ways, and can be easily strung together to get almost any job done. The sysadmin tools are mostly like that too.
You may want to look at Landscape from Canonical (the driving force behind Ubuntu). For a direct comparison to Microsoft products it is a mix of features from Group Policy, SCOM, and SUS. It is decidedly not free with prices as high as $150 per client, but they offer volume discounts.
http://www.canonical.com/projects/landscape
http://www.ubuntulinux.org/news/landscape
Puppet only supports Ubuntu as a side effect of supporting Debian. If the poster is going to use Ubuntu they should review these warnings when considering Puppet.
http://reductivelabs.com/trac/puppet/wiki/PuppetUbuntu
"Tight control over computer resources by IT staff is certainly best practices for a secure network."
Having worked in at least one place that had policies set by network admins that defined my assigned tasks, in support of multi-million dollar in-house software projects, as 'subject to dismissal', I sorta feel tight control should only be given to folks with a clue. It was also funny that turning on the X protocol on the network was subject to dismissal, but the company had just invested about $30 million in machinery whose admin tools were X based.
So, the concept that someone in an IT department might be doing something really stupid for the circumstances really has nothing to do with whether it is their responsibility - it has to do with whether it is stupid or not.
I did not claim it would be different.
I just said the "noexec" flag is pretty much useless against viruses (+ stupid users, but they are abundant).
I fully agree that trying to lock down a login session is stupid in most cases (there are cases where nothing but a certain application may be visible, e.g. on a factory floor).
"No, they're not. At least not in any comparable form."
I guess you have to define 'comparable form' since the entire OS and updates are available as white box ....
The updates are available. You can pay for quicker access and to use certain tools, but it is open source software, after all.
I disagree with your statement because you've missed the friggin' point. We're not talking about the "*nix world." We're talking about a mixed environment. We teach *nix how to do new things every day. Why not teach it to handle basic instructions that it receives from a domain controller if the administrator joined it to a Windows domain?
I know others and I have been saying this up and down the thread, but seriously check out configuration management tools like puppet.
(1) is always going to start in Linux with creating your own repo (you can keep it in sync with just rsync, and sync things from your test repo to your production one after they pass testing) and creating RPMs (or .debs, whatever) for any custom software you're using.
Once you've got that in place, you can do (2) and (3) with your configuration management system, which will download new policy when the system comes on-net and enforce it continually even when off-net, just like Group Policy. Because the configuration is all text, you can easily programmatically edit it, keep it in version control, back it up, etc, and configuration management systems are completely object oriented for easy inheritance.
Of course this probably won't stop the maliciously brilliant or totally idiotic, but I've yet to see Group Policy do that either.
U.S. War Crimes blog. Email for free Mandriva support.
Somebody must make the policies. Management is not the group that should set policies, IT staff should. Obviously it should be qualified staff. IT is going to be the most qualified.
Those tools don't exist because Linux allows plenty of better ways of accomplishing the same things. It is hard to build a GPO replacement when you can do pretty much all the stuff faster and easier without it provided you spend some time actually DESIGNING your network first.....
LedgerSMB: Open source Accounting/ERP
You have a point about Bash running non-executable shell scripts. However, in this case there are two things to consider:
1) Damage from such a script is likely to be quite contained (to the user's account) and
2) At least with Linux you have to take the gun out of the holster AND load it AND turn the safety off before you can shoot yourself in the foot. With Windows you can do this in one graceful motion....
A third point is that while it is quite possible to write a fork bomb/local file virus in bash, I am not entirely sure how you could write something much more dangerous without problematic permission issues as well.
Similarly, I have NEVER found Windows to be able to prevent me from running programs like Putty regardless of how locked down they are... You can get at least that far in Linux.....
LedgerSMB: Open source Accounting/ERP
1. http://wiki.systemimager.org/index.php/Main_Page
2. Create a "Golden Client" with all your apps, permissions etc and get its image onto a server.
3. Create install CD from this image on server.
4. Boot up client with the CD and walk away. New client ready in 8 minutes.
5. Done.
Disclaimer: You still need to
a) Create /dev/cdrom0 and /dev/floppy0 on each machine (SI doesn't do it.... strange)
b) Create a new hostname on each machine if connecting to a Winblows network:
echo "newname" | sudo tee /etc/hostname    # the redirect in `sudo echo "newname" > /etc/hostname` runs as the unprivileged user, so tee is needed
c) Reboot
You should ask this question on UUASC (Unix Users of Southern California - uuasc.org) instead. A good answer might be in here somewhere amongst all the crap, but that's the problem: a good answer might be somewhere amongst all the crap.
UUASC's readership is primarily highly experienced *nix admins, and there's doubtless many people working in mixed *nix/Windows environments. You're much more likely to get a good answer there, and to be able to find it.
HTH
Either learn Puppet (as mentioned many times before) or purchase a Kbox and training. The Kbox is a very powerful appliance (see the linked propaganda), plus its underlying OS is FreeBSD! We use it to push out patches and configs to our mixed-platform shop (Ubuntu/Fedora/XP/Solaris), as well as providing a web-based software repository where users can request software, a licence is assigned from a pool, and the install kicks off...
Note: I am not affiliated with Kace beyond running one of their sys management appliances, which I'm quite happy with.
1) Fire those employees you do not trust with the root password.
2) Give the root password to the remaining bunch.
Problem solved.
Why not just netboot them from a central image repository?
You define the authorization levels within the image itself. Use Samba3 + Kerberos + LDAP to handle user accounts/authentication against a centralized LDAP store (with appropriate backup LDAP servers, also), handling things such as email addresses, etc (Postfix + LDAP).
This provides the better solution, in that to update all the workstations, you only need to update the boot image and maybe the DHCP server depending on how you choose to do it.
Secure the network using Squid + add-ons with a proxy firewall. This way, you scan for virii at the network level also, and you can control your users' surfing. (The lower-level goof-offs and administrative assistants will hate it. The bosses will love it -- it can increase productivity significantly, and it's all open-source).
Done correctly, you will also be able to lock down Windows/Solaris desktops via the LDAP server and group policy management tools from the respective OS.
Done correctly, you should deploy hard-drive-less machines and only allow device connections and media of your choice. You can force a virus-scan of inserted media (i.e. CD or key). You can limit what can be copied/burned to CD (prevents data theft). If you really know what you're doing, you could even permit only "authorized" USB keys to be connected -- or more easily none at all. (Disallowing the connection of USB key drives further prevents data theft or virus-importation.)
It's not just about controlling the desktop, you *must* secure the network and the data via all means possible to make any of it worthwhile. If you only secure the desktops and basic privileges, then users or miscreants can exploit it accidentally or intentionally.
While what I've outlined is not detailed (or complete), I've built out this exact system (including netbooting Windows/Linux/Solaris/FreeBSD on multiple architectures), and it provides simple central management (I used open-source GUI tools for LDAP management), a high level of security, and by being centralized, providing backup & redundancy is a breeze.
-- Felton Lichter
Try to lock it down.
Our company tried to do that- and failed. Those who needed admin access found ways to get it, which included taking their computers off the domain and reinstalling windows. Those who didn't know how to do this just suffered as they encountered problems with not being able to do things as admin. It created too many problems for the IT department and they came to the conclusion that locked desktops really offer no advantage over stringent virus detection and network monitoring combined with regular cleanups.
Don't try to prevent something bad, instead, try to detect it quickly when it happens.
Good suggestions. I need to keep the AD as there are a number of users who will stay on Windows, e.g. Sales and CRM people who do not have equivalent Windows binaries for their daily bread n butter applications. Most people are saying, "don't look at this from a Windows point of view..." - we're NOT! The reality is that we do need co-existence with Windows & Linux (and sometimes Mac). Making it work together, managed centrally and complying with policy is the key. And by policy I mean everything that users are already accustomed to... employees who don't like our network policy (including admins) buy their own laptops and use the visitor networks. Like someone pointed out, corporate liability for management is such a huge concern...
I think you got the big picture very very well. Question is, do you have any solutions? Company assets have to be protected as per company terms... Can't understand why people question that? Check your personal email on your personal laptop!
Policies for running programs can be controlled via the sudoers file, using groups.
sudo can use policies stored in LDAP directly ...
(cool, a response from the article submitter!)
Maybe I can help you more than I had initially thought; you have the same goals and limits that I do. Most of my engineers (plus a few other tech-savvy users) use Linux on their own systems. Those that still need Windows have a VM. As we're a small company (this is where we differ), I don't police anything on their systems, though interns and co-ops don't get sudo or root. From another position I held elsewhere, CFengine and friends were the tools we considered for further locking down Linux systems and centralizing their maintenance.
If they attach the Windows VM to the domain, it automatically receives anti-virus, MS Office 2003, Skype, Acrobat Reader 8 (9 has AD problems and security issues), PDFcreator, 7-zip, ISOrecorder, and Firefox, plus the option of installing Thunderbird, TortoiseSVN, and a few other MSIs through the under-utilized Add/Remove Programs interface.
We decided since Windows is so picky about its LDAP and AD offerings, and Samba is not yet capable of implementing them without issues, we'd host LDAP and AD on Windows 2003 (with two peered w2k3 servers). We host NIS and the like for Unix logons within the AD User Profiles, so we have our centralized authentication (on Windows, sadly). Data is stored on a NetApp (which could as easily be a Linux or OpenSolaris box running Samba for a quarter the price) for full reliability and to ensure the ability to properly serve NFS.
Any time we review the Windows apps, I push hard for web-based options. I'm soooo close to moving us from GoldMine to SalesForce or SugarCRM, for example, which would (mostly) detach the sales team from its Windows dependency (we already moved from MS Project to Project.net). After that, all that would remain are QuoteWerks and QuickBooks. I'm also eagerly awaiting Thunderbird 3 for its improved calendar support so as to migrate users off of Outlook (yes, I know about Lightning, but I'm also tied down by the lack of a server-based calendaring solution, plus the GoldMine/Outlook integration).
Use my userscript to add story images to Slashdot. There's no going back.
FUCKING RETARD.
Anger is always the last response from someone who has run out of arguments. You don't understand what you are talking about. Sorry to upset you, but that's the truth.
Instead of getting all pissed off why don't you try your chmods on a linux machine and see how it breaks.
I respectfully disagree.
1. They can steal your passwords (etc. with xmodmap, xev, ...), redirect your browsing through their machine if needed - unencrypted (by changing .bashrc/http_proxy). And pretty much anything else you can imagine (change thunderbird smtp host, alias sudo, ...).
AND
They can use your machine to run botnets.
What more could you possibly want to do? You really should not underestimate bash (+ other necessary executables).
2. I do not give a flying fuck about "being better than windows" - it is a ridiculously low bar.
You don't have to give the user permission to write to .bashrc, etc. Generally speaking I would probably take the risk of letting most users write to it who specifically ask for it. But there is no reason to do this by default.
In fact, nearly every important aspect of the settings can be locked down this way.
Now, if you want to restrict the ability to run botnets, etc, you could lock down each machine's iptables rulesets properly, etc.
The point here is that you can arbitrarily limit the damage done to the machine in this way. This doesn't preclude exploiting security oversights to get privilege escalation, and although SELinux can help with that, the fundamental math shows that you can't count on IT to be free of such exploits either.
Finally, the only point of drawing comparisons to Windows is because that is what the original article suggested. You are right, it is a ridiculously low bar, but if we are pointing out the flaws that Linux has in this regard without the comparison, it gives the wrong impression to someone who IS trying to lock down Linux systems at least to the point that they are locked down with Windows.
LedgerSMB: Open source Accounting/ERP
I stopped reading the replies part-way through but I think this is sadly hilarious.
There are too many people here who know a thing or two about Windows and a thing or two about Linux and don't have a clue about the other, all demonstrating their ignorance more than the thing or two they know.
I'll tell you one thing I know: Too many IT salaries suck and there are obvious reasons for it.
Pluggable Authentication Modules will let you specify what groups get what resources, and LDAP will provide a central server for all clients to query. Learn how to modify your pam.conf, know what values to store in user accounts in openldap, and you'll quickly be able to do anything you want to with user accounts and logins.
You don't have to give the user permission to write to .bashrc, etc.
In practice you do. Otherwise you must prohibit writes to $HOME. Doable, but inconvenient, and does not give much: a running virus can send letters to an open shell which can do everything .bashrc can.
Smtp (spam) sender is a (limited kind of a) botnet. Locking it down is very, very hard.
You can do the locking but you most likely lose more than you gain, especially in administration (there certainly are programs which do not work without write access to $HOME).
But then you *can* do it in Windows too (by white-listing approved programs and disallowing everything else).
Neither is done in large scale because it is labour intensive: list persons and their "approved" programs, keep those up to date for X persons and Y programs + patches ... I'd not recommend it.
All in all: doable but hardly practical (except in a "kiosk"). Not something to brag about.
I am not sure. If you write all sorts of things (which can then be run) in your home directory, these are temporary changes and do not last beyond a logout/re-login (if you deny execute access to nohup as well). Combined with sane idle-or-logout policies, this can go a long way towards containing damage.
The key issues are 1) how long a problem can persist and 2) what can be accomplished through it. These are the key questions that I think are most important to ask. If you can minimize both of these as well as the impact on the user, that is great. Locking down .profile, .bashrc, etc. files can go a long way towards limiting a bash script to its own environment and preventing it from spreading influence to other newer shell instances or beyond the next logout and login.
None of this prevents someone from doing something like:
* copy the offending virus code from an email
* open a bash shell
* type: cat | bash
* paste contents.....
Changing bash to check for executable file flags won't fix that either.... If you deny from a pipe, then that doesn't prevent the even simpler workflow:
* copy the offending virus code from an email
* open a bash shell
* paste contents...
The key issue then becomes acceptable risk.
LedgerSMB: Open source Accounting/ERP
I guess you have to define 'comparable form' since the entire OS and updates are available as white box ....
How about "direct from the vendor, in a supported and trusted form".
This is the comment I was replying to:
Redhat and Ubuntu will update your system to the latest version (think Vista in MS land) for the same price of the SP3 update to a legacy OS.
Red Hat will most certainly NOT "update your system to the latest version" for "free".
For starters, use KDE (kubuntu). If the users are migrating from a windows world the transition will be much easier. Quite frankly gnome is garbage anyway.
In the KDE world there is kiosktool, see http://www.linux.com/feature/114306.
"This is the comment I was replying to:
Redhat and Ubuntu will update your system to the latest version (think Vista in MS land) for the same price of the SP3 update to a legacy OS."
OK, that wasn't mine.
"How about "direct from the vendor, in a supported and trusted form"."
Given that definition, then I believe you are correct about RedHat. Note, that is not true of Novell/SLES/SLED.
The whole thing seems a bit silly. If you like the way RedHat software is laid out, or have an application which tells you you need it (let's not go down the road of how absurd that is) but don't want to pay for RHN access, there are multiple alternatives based on the same source code. Yeah, open source.
The bottom line is that if someone is stuck in the MS mentality and doesn't take a moment to understand what open source means - in terms of the options for support that just don't exist under any closed source business model - then you will miss out.
And I have been involved in too many face to face instances of folks just flat saying 'that can't be true' because they are just unaware of what open source means.
Now that said, the comment you were referring to, I thought was actually a leering reference to the fact that you could buy an 'update' to Vista that gets you to XP. Remember, it is also true in the open source world, that if you want a nice shiny install medium you don't have to build, or often printed manuals - you can pay something around the Vista upgrade price for a boxed set.
I still recommend OpenSuSE boxes to folks for that nice documentation. 8-)
Have many large businesses switched to Linux for their complete desktop solution?
I mean for word processing and spreadsheets?