Locking Down Linux Desktops In an Enterprise?
supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"
Use puppet to enforce configuration: http://reductivelabs.com/products/puppet/
A desktop where the user does not have su/sudo access is already pretty locked down -- the user can only write to his home directory and other directories that he/she has access to through normal permissions.
If you really want to lock it down, the user's home directory can be mounted in such a way that files cannot be executed from there.
What else is required?
SELinux is not what he's looking for.
If you just manage the users properly and NFS mount applications it almost takes care of itself and doesn't need an extra layer of complexity.
Use PXE+XDMCP and the workstations become irrelevant.
You feel Linux isn't ready for the desktop, or Linux isn't ready for your desktop?
http://sourcemage.org/ - Have fun
You can't install apps without root.
You can't get root without proving your competence and signing an agreement that says you will only install apps that have been approved.
It changes from being a "lockdown the desktop" problem, to an "unlock the desktop for people who absolutely need it, and closely monitor their activities" problem.
Unfortunately, few people in the Unix world seem to grasp what Group Policy is used for in Windows.
It's not simply preventing users from installing software.
Group policy is a set of policies that govern everything from security policies to application policies (for instance, say you want all users in a specific AD OU to use a specific proxy server, or maybe you want to limit all computers in a given lab from being able to use MSN Messenger).
GP can be assigned to specific computers, groups of computers, users, groups of users, and a whole host of situations. The nice thing about it is that it's AD wide, and controls the user or the computer regardless of where, or what may be installed on the machine or how it's configured locally.
(1) Don't install any solitaire program. Mount users' home directories noexec, don't give users root access. They won't be playing solitaire. This also prevents them from downloading solitaire off the web... blocking winsol.exe in Windows group policy doesn't stop any of this, and doesn't stop users from copying winsol.exe to some innocuous filename like C:\excel.exe
(2) iptables rules can be set to deny web access except through the proxy.
(3) Passing keys is just a single example of central config management, there are tools for this as well, like cfengine, bcfg2.
Vim supports a mode referred to as 'restricted' mode.
i.e. cp /usr/bin/vi /usr/bin/rvi
Give the user permission to run 'rvi' instead of permission to run 'vi'
Also, you needn't give root to do that; modern distros have these things called 'group permissions', or even ACLs.
You can create that user a special non-root user that they 'sudo' to in order to edit the config file, and an ACL permits just that particular user to edit the particular allowed config files.
Sneaker net?
This is Linux. You do it all remotely, and you can build and clone the machines pre-set up exactly the way you want them.
This is not hard. But first you have to purge the microsoft mentality from your thinking.
Forget Sneakernet. Think more Fat-Ass net. Like me sitting here on my fat ass managing a dozen machines for naive users located 1400 miles away.
You just never give users root access, and you set your permissions properly.
You can use SELinux, AppArmor, or any number of free management tools that all work remotely. You don't have to rely on everyone to act nice because you can lock it down just as tight as you want.
If it's a business, why not start with a business solution like Novell SLED.
It's made for the enterprise. And it locks down nicely.
None of this stuff is free in the Windows world, but it's all available for free in the Linux world, OR you can pay for it and still save money over Windows.
But there are free remote management utilities included with every Linux distro.
It's called ssh.
This kind of stuff is why NFS-mounted home directories are just wonderful. If my machine kicks the bucket, I can grab a new one, install an OS on it, and get back to where I was before in half an hour. In a larger organization, an imaged system would work even better.
Now, as for mass configuration changes, cfengine is your friend.
Didn't I mention bcfg2? cfengine and bcfg2 are tools that are used to do just that: force tens of thousands of machines to comply with approved configurations, and remediate machines that don't by making them match the approved configurations.
And yes, you can remove software, set iptables rules, distribute keys, etc, using pre-made open source software available for Linux.
As to the problem at hand, there are tons of things you can do to keep users out of trouble. Biggest one is, keep them from accessing sudo. Easiest way to do that is, create an 'admin' account on the machine before generating user accounts. Only the first user account on a Ubuntu machine has sudo access automagically. Additional users need to be added manually to the sudo group. Remove any and all software that you don't need. What those software pieces are would depend on your application. Then add the necessary maintenance scripting run as cron jobs, things like apt. Edit the /etc/apt/sources.list to restrict repositories. What I'd do then is, recut a master CD using Ubuntu Customisation Kit so you have a 'standard' install, and set up an in-house repository for updates, fed from the in-house server. Since the workstations only look at the in-house repository, they should only be able to install from the local server. And if they're locked away from apt, that shouldn't be a problem.
This is just wrong. Even in the Windows world. You don't need to be root to "install" a program (and what is with the "install" mentality anyhow?) Someone can happily place a binary in their home directory, or /tmp, or wherever they have write permissions and run it (note the next paragraph).
And relying on noexec? /usr/bin/perl is usually executable, as is /usr/bin/php, /placeyourfavoriteinterprethere and can run any script you tell it to regardless of the noexec bit on the partition you mounted. For that matter, there's always ld.so, ld-linux.so, ld-linux-x86-64.so or whatnot (depending on your Linux distribution and hardware) if you want to load a binary (/lib/ld-linux-x86-64.so.2 binarynamehere). And note, ld.so will bypass any noexec bit on a partition (and also don't care if the binary is set executable or not)
What you are forgetting is that most companies, especially large companies ARE boring places staffed by a high percentage of mediocre people. Large organizations have a large amount of administrative overhead, and the vetting process is long, convoluted, and inefficient. It's just the nature of the beast.
1) IT staffed by control freaks? Well duh! It's the only way they can appear to be doing something and not getting their asses handed back to them if anything goes wrong...
2) Trust? How much do YOU trust people you know just barely well enough to remember their name? And anytime you get more than 5 people together, they start grouping up and taking sides. Disputes soon follow. Care to guess what it's like when there are 500?
3) Hiring standards? Have you seen who applies to Monster.com ads? As an employer, I can say the domain name is appropriate...
4) Unrealistic expectations... It's often hard enough to simply establish expectations at all.
5) Morale? You want to talk about morale!?!? Large companies spend months rolling out big updates like using actual coffee in the coffee makers at their 2,000 store fronts, or on 6 month programs to get locations to clean their bathrooms. Wait until you spend a man-week working yer ass off because somebody didn't know what 'historic' meant, only to find you didn't need to do anything at all. Then see what your morale is like.
6) Unmotivated employees? Your average wage slave is motivated by a desire to do as little as possible and not get yelled at.
Go work at/for/with some large organizations sometime. You'll see why Dilbert is so popular - not because it's quirky and off-beat but because IT'S TRUE!
Guess what? noexec doesn't do jack shit on the majority of Linux systems, and does not prevent anybody from running a. You know why? /lib/ld-linux.so.2. (On x86_64, there's also /lib64/ld-linux-x86-64.so.2.)
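An added example (not from the thread) that puts the ld.so claim in this post and in the earlier reply to the test. It finds the dynamic loader by reading PT_INTERP out of /bin/true rather than hard-coding /lib/ld-linux.so.2, copies the binary into a temp directory with no execute bit, and runs it directly, then via the loader, then again after chmod 0755. The assumptions are a Linux host with a dynamically linked /bin/true and a writable temp directory. What it shows: execve refuses a file without the x bit, while the loader happily maps and runs it. On current kernels mmap(2) also refuses PROT_EXEC on a noexec mount, so when the temp directory is noexec the loader run and the 0755 direct run fail together; the missing-x-bit bypass is real, the noexec bypass is not.

```python
"""Does the ELF loader run a binary that has no execute bit, and does it
get past a noexec mount?  Added example, not code from the thread.
Assumes Linux and a dynamically linked /bin/true."""
import os
import shutil
import struct
import subprocess
import tempfile

PT_INTERP = 3  # program header type carrying the loader path


def elf_interp(path):
    """Return the PT_INTERP (dynamic loader) path of an ELF file, or None for a
    static binary or a non-ELF file.  Handles ELF32/ELF64, either endianness."""
    with open(path, "rb") as f:
        ident = f.read(16)
        if ident[:4] != b"\x7fELF":
            return None
        is64 = ident[4] == 2
        end = "<" if ident[5] == 1 else ">"
        if is64:
            f.seek(32)
            (e_phoff,) = struct.unpack(end + "Q", f.read(8))
            f.seek(54)
            e_phentsize, e_phnum = struct.unpack(end + "HH", f.read(4))
        else:
            f.seek(28)
            (e_phoff,) = struct.unpack(end + "I", f.read(4))
            f.seek(42)
            e_phentsize, e_phnum = struct.unpack(end + "HH", f.read(4))
        for i in range(e_phnum):
            f.seek(e_phoff + i * e_phentsize)
            ph = f.read(e_phentsize)
            if is64:
                (p_type,) = struct.unpack(end + "I", ph[0:4])
                (p_offset,) = struct.unpack(end + "Q", ph[8:16])
                (p_filesz,) = struct.unpack(end + "Q", ph[32:40])
            else:
                p_type, p_offset = struct.unpack(end + "II", ph[0:8])
                (p_filesz,) = struct.unpack(end + "I", ph[16:20])
            if p_type == PT_INTERP:
                f.seek(p_offset)
                return f.read(p_filesz).rstrip(b"\0").decode()
    return None


def _runs(argv):
    """True if argv executes and exits 0; False on EACCES/EPERM or non-zero."""
    try:
        return subprocess.run(argv, capture_output=True).returncode == 0
    except OSError:  # PermissionError when execve refuses the file
        return False


def exec_bit_experiment(binary="/bin/true"):
    """Copy `binary` into a fresh temp dir and try it three ways.
    Returns None when no loader can be found (static binary, non-Linux)."""
    loader = elf_interp(binary)
    if loader is None or not os.path.exists(loader):
        return None
    with tempfile.TemporaryDirectory() as d:
        # keep the basename: multicall binaries (busybox) dispatch on argv[0]
        copy = os.path.join(d, os.path.basename(binary))
        shutil.copyfile(binary, copy)
        os.chmod(copy, 0o644)                       # no execute bit at all
        r = {"loader": loader}
        r["direct_0644"] = _runs([copy])            # execve: EACCES -> False
        r["loader_0644"] = _runs([loader, copy])    # ld.so maps it itself
        os.chmod(copy, 0o755)
        r["direct_0755"] = _runs([copy])            # False only on a noexec mount
        return r


if __name__ == "__main__":
    print(exec_bit_experiment())
```

If `direct_0755` comes back False the temp directory is on a noexec mount, and `loader_0644` will be False with it; on a normal mount both are True and only `direct_0644` is False. The interpreters mentioned earlier (perl, php, python) are a separate issue: a script is read, not mapped executable, so noexec never enters into it.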
Oh really? Seeing how mmap(2) requires the PROT_EXEC flag to make segments executable in the MMU, and checks those flags against the mode of the i-node, I found that hard to believe, and gave it a try. These are the results:
Which is not the same as 'sudo rvi'. You can set sudo to only allow certain commands, so if you allowed 'sudo rvi', you couldn't run 'sudo ~/vi'.
sudo filters by the command executed (I've seen things restricted to full command line - i.e. sudo killall -HUP ircd but not sudo killall ircd).
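A sudoers fragment, added here as an example and not from the thread, tying the `rvi` suggestion above to the argument filtering this post describes. The user names, the service account and the config path are hypothetical; the `setfacl` line is the ACL the earlier post has in mind.

```sudoers
# /etc/sudoers.d/editors  -- added example; names below are hypothetical.
# Prepare the file so the service account appcfg, not alice, may write it:
#   setfacl -m u:appcfg:rw /etc/app/app.conf
# rvi is vim started under a name beginning with 'r' (same as vim -Z):
# restricted mode refuses :!, :shell and similar, so there is no shell escape.
Cmnd_Alias EDIT_APPCONF = /usr/bin/rvi /etc/app/app.conf

# alice may run exactly that command line, as appcfg, and nothing else:
#   sudo -u appcfg rvi /etc/app/app.conf    -> allowed
#   sudo -u appcfg rvi /etc/shadow          -> denied (argument mismatch)
#   sudo -u appcfg ~/vi /etc/app/app.conf   -> denied (different path)
alice   ALL = (appcfg) NOPASSWD: EDIT_APPCONF

# Arguments are matched exactly: bob may send HUP to ircd and no other signal.
bob     ALL = (root) /usr/bin/killall -HUP ircd
```

Check the fragment with `visudo -cf /etc/sudoers.d/editors` before relying on it and confirm the result with `sudo -l -U alice`; files under sudoers.d need mode 0440. Keep arguments literal: a wildcard such as `/usr/bin/rvi /etc/app/*` matches across spaces, so it would also admit `rvi /etc/app/x /etc/shadow`. Restricted mode stops shell escapes but not `:w` to another path, which is why the command runs as a low-privilege account whose filesystem permissions and ACL bound what it can touch.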
And how long would it take me to SSH into 40,000 desktops to update Adobe Reader 8 to Adobe Reader 9, because there is some new feature that someone decided we just have to implement?
How long to copy the browser link to 40,000 desktops to comply with a mandatory ethics reporting plan we had to put in place? How long to patch 40,000 kernels for a security hole that must be resolved within 72 hours due to Corporate Information Security policy?
You guys that complain about heavy-handed IT policies don't realize that we don't even drive a lot of this stuff. If it was an IT idea, no one would ever give us the money we need to buy these tools. It's all driven from the top down.
Perhaps you've never heard of cssh?
I use it to patch and update ~ 15 linux machines at the same time--in about 3 minutes. Patching a comparative number of Windows servers takes 30 minutes and a reboot.
In all seriousness though, cssh might not work so well for 40,000 machines. You'd probably have to have a 70 inch monitor...
Installing a pre-packaged app is difficult without su privileges, but you can easily build something in a directory where you can set files to be executable.
Group policy in Windows is about stopping casual users from breaking policy too easily. Experienced professionals have means to circumvent protections on their workstations.
You can't easily build a thing without compilers, esp. when your home directory is on a filesystem mounted NOEXEC, so you can't run binaries from it.
And especially when disk quotas are in place, such that large binaries would set off alerts, and get sysadmins probing around to find out why you suddenly got a few hundred megs of .o files in your directory.
If you're concerned about users compiling their own binaries, then you should be just as concerned about them booting their systems from a CD or USB stick, or opening the case, swapping out the hard drive, or booting single user and gaining root, and goofing off in an OS you have no control over.
cssh is great for a handful of computers, but for the 40,000 boxen, try cfengine
Or, Trolly McSourface, if you read the myriad of other responses, it works just fine. Simply don't install games in the default OS install (trivial), and mount the filesystems as noexec (can you even do that in Windows, your oh so powerful OS? Not that I'm aware of...). Done.
And yeah, that doesn't make it any less of a dumb idea.
In windows, the user just downloads some stupid solitaire off the web, or brings one from home that or something that doesn't require installation.