Locking Down Linux Desktops In an Enterprise?
supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"
Use puppet to enforce configuration: http://reductivelabs.com/products/puppet/
A desktop where the user does not have su/sudo access is already pretty locked down -- the user can only write to his home directory and other directories that he/she has access to through normal permissions.
If you really want to lock it down, the user's home directory can be mounted in such a way that files cannot be executed from there.
What else is required?
The real "Libtards" are the Libertarians!
SELinux is not what he's looking for.
If you just manage the users properly and NFS mount applications it almost takes care of itself and don't need an extra layer of complexity.
use PXE+XDMCP and the workstations become irrelevant
---- Booth was a patriot ----
You feel Linux isn't ready for the desktop, or Linux isn't ready for your desktop?
http://sourcemage.org/ - Have fun
Unfortunately, few people in the Unix world seem to grasp what Group Policy is used for in Windows.
It's not simply preventing users from installing software.
Group policy is a set of policies that govern everything from security policies, to application policies (for instance, say you want all users in a specific AD OU to use a specific proxy server, or maybe you want to limit all computers in a given lab from being able to use an MSN Messenger).
GP can be assigned to specific computers, groups of computers, users, groups of users, and a whole host of situations. The nice thing about it is that it's AD wide, and controls the user or the computer regardless of where, or what may be installed on the machine or how it's configured locally.
If you need web hosting, you could do worse than here
(1) Don't install any solitaire program. Mount users' home directories noexec, don't give users root access. They won't be playing solitaire. This also prevents them from downloading solitaire off the web... blocking winsol.exe in Windows group policy doesn't stop any of this, and doesn't stop users from copying winsol.exe to some innocuous filename like C:\excel.exe
(2) iptables rules can be set to deny web access except through the proxy.
(3) Passing keys is just a single example of central config management, there are tools for this as well, like cfengine, bcfg2.
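An added example (not from any commenter in the thread): a Python check that the mount actually covering a home directory carries noexec, as suggested in the comments above. Also requiring nosuid and nodev is an assumption beyond the thread, and the mount table is constructed sample data in /proc/mounts format.

```python
import posixpath
import re

REQUIRED = {"noexec", "nosuid", "nodev"}  # nosuid/nodev are an added assumption

# Constructed sample in /proc/mounts format; not taken from a real host.
MOUNTS_SAMPLE = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
fileserver:/export/home /home nfs4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /home/shared ext4 rw,relatime 0 0
"""

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return [(mountpoint, set_of_options)] in table order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((unescape(parts[1]), set(parts[3].split(","))))
    return mounts

def covering_mount(mounts, path):
    """Deepest mount containing path; a later entry on the same mountpoint wins."""
    path = posixpath.normpath(path)  # on a live host, resolve symlinks first
    best = None
    for mnt, opts in mounts:
        prefix = mnt.rstrip("/") + "/"
        if (path + "/").startswith(prefix):
            if best is None or len(mnt) >= len(best[0]):
                best = (mnt, opts)
    if best is None:
        raise ValueError("no mount covers " + path)
    return best

def missing_options(mounts, path, required=REQUIRED):
    """Return (mountpoint, sorted list of required options that are absent)."""
    mnt, opts = covering_mount(mounts, path)
    return mnt, sorted(required - opts)

if __name__ == "__main__":
    table = parse_mounts(MOUNTS_SAMPLE)
    for p in ("/home/alice", "/home/shared/tools", "/tmp"):
        print(p, missing_options(table, p))
```

In the sample, /home is noexec but the nested /home/shared mount is not, which is the case a check of the /home line alone would miss.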
Vim supports a mode referred to as 'restricted' mode.
i.e. cp /usr/bin/vi /usr/bin/rvi
Give the user permission to run 'rvi' instead of permission to run 'vi'
Also, you needn't give root to do that; modern distros have these things called 'group permissions', or even ACLs.
You can create that user a special non-root user that they 'sudo' to in order to edit the config file, and an ACL permits just that particular user to edit the particular allowed config files.
Sneaker net?
This is Linux. You do it all remotely, and you can build clone the machines pre-set up
exactly the way you want them.
This is not hard. But first you have to purge the microsoft mentality from your thinking.
Forget Sneakernet. Think more Fat-Ass net. Like me sitting here on my fat ass managing
a dozen machines for naive users located 1400 miles away.
You just never give users root access, and you set your permissions properly.
You can use SELinux, AppArmor, or any number of free management tools that
all work remotely. You don't have to rely on everyone to act nice because
you can lock it down just as tight as you want.
If it's a business, why not start with a business solution like Novell SLED.
It's made for the enterprise. And it locks down nicely.
None of this stuff is free in the Windows world, but it's all available
for free in the Linux world, OR you can pay for it and still save money
over Windows.
But there are free remote management utilities included with every Linux distro.
It's called ssh.
Sig Battery depleted. Reverting to safe mode.
This kind of stuff is why NFS-mounted home directories are just wonderful. If my machine kicks the bucket, I can grab a new one, install an OS on it, and get back to where I was before in half an hour. In a larger organization, an imaged system would work even better.
Now, as for mass configuration changes, cfengine is your friend.
Didn't I mention bcfg2? cfengine and bcfg2 are tools that are used to do just that, force tens of thousands of machines to comply with approved configurations, and remediate machines that don't, by making them match the approved configurations.
And yes, you can remove software, set iptables rules, distribute keys, etc, using pre-made open source software available for Linux.
Which is not the same as 'sudo rvi'. You can set sudo to only allow certain commands, so if you allowed 'sudo rvi', you couldn't run 'sudo ~/vi'.
sudo filters by the command executed (I've seen things restricted to full command line - i.e. sudo killall -HUP ircd but not sudo killall ircd).
There's an old saying that says pretty much whatever you want it to.
cssh is great for a handful of computers, but for the 40,000 boxen, try cfengine