Slashdot Mirror


Locking Down Linux Desktops In an Enterprise?

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"

7 of 904 comments

  1. MOD PARENT UP by serviscope_minor · · Score: 5, Interesting

    Mod parent UP. The OP is thinking about it wrong: i.e. how to manage unix in the style of windows. Don't give them root and they can't install software. Make sure the home directories and /tmp are mounted -noexec and there is NO WAY that they can run programs which aren't already installed.

    Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.

    You can create an RPM to do this for you, then set up the whole thing automagically using Redhat's or SUSE's tools (one is called kickstart). I suspect it is straightforward on debian based systems, too.

    If you have the autoupdater running (good for security), then update the setup RPM, put it in your local repository, and sit back as all the desktops get updated with new settings.

    Alternatively, you can bodge it with shell scripts and a cron job :-)


    --
    SJW n. One who posts facts.
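    An audit check for the noexec advice above, added here as an example and not posted by the commenter: it reads a /proc/mounts-style file and reports which of /home and /tmp lack noexec, nosuid or nodev. The file name, the option list and the sample mount table below are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report mounts that should carry noexec/nosuid/nodev but
# do not. Takes a /proc/mounts-style file as $1 so it can be run against a
# captured copy; on a live desktop pass /proc/mounts.

# Mount points the parent comment wants protected (assumed list).
WANT_NOEXEC="/home /tmp"

# missing_opts MOUNT_FILE
# Prints one line "<mountpoint> missing <option>" per violation.
# Returns 0 when every listed mountpoint is correct, 1 otherwise.
missing_opts() {
    rc=0
    for mp in $WANT_NOEXEC; do
        # field 2 is the mountpoint, field 4 the comma-separated options;
        # the last matching line wins, as it does for stacked mounts
        opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$1" | tail -n 1)
        if [ -z "$opts" ]; then
            echo "$mp not mounted separately"
            rc=1
            continue
        fi
        for opt in noexec nosuid nodev; do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "$mp missing $opt"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample of /proc/mounts for a stand-alone run:
# /home is correct, /tmp was mounted without noexec.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
EOF

if missing_opts "$SAMPLE"; then   # prints: /tmp missing noexec
    echo "all protected mountpoints are noexec,nosuid,nodev"
fi
```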
  2. Re:What are you trying to do? by msobkow · · Score: 4, Interesting

    I admit I'm puzzled at the issue of "lockdown" myself.

    For years whenever we needed to lock down a *nix account, the sysadmins would install the software as root and set up the user accounts in capture mode (i.e. .login starts the X session, and the X session doesn't have the ability to add/remove programs.)

    I can't imagine needing to lock down a session any tighter than that, and I've never seen a Windows desktop that was locked down any tighter, either.

    --
    I do not fail; I succeed at finding out what does not work.
  3. Re:What are you trying to do? by whoever57 · · Score: 4, Interesting

    You are looking at it from a system security perspective, not "IT Policies" perspective. He needs to be able to disallow solitaire, force all connections through a proxy server for web filtering, pass down 802.1x keys, force people to use a certain network printer, etc...

    All these can be enforced using control of the services. The problem statement reflects the Microsoft/Windows way of doing things. Turn it around and ask how the network can enforce the policies.

    Proxy: the firewall can enforce this. Users don't use the correct proxy? No web access. Printers: Configure the printer to allow only certain users/groups, etc. etc..

    --
    The real "Libtards" are the Libertarians!
  4. Re:How about: less douchebaggery? by Architect_sasyr · · Score: 4, Interesting

    You can't get root without proving your competence and signing an agreement that says you will only install apps that have been approved.

    Sometime ask for permission to edit a config file for, say, a webserver to save the admin time. In fact, ask for vi permission because that's your favourite editor:

    sudo vi /etc/httpd/httpd.conf
    Password:
    :sh
    sh#

    Just a random "trick" you can use to get around things like that. To OP:

    I manage my 200-odd machines via ssh-keys and push scripts each night. It's not as pretty as a GUI, but I don't need pretty, I need functional. I keep a machine loaded with an accurate configuration of what should be out there, and every time I make a change on the test machine that I am happy with, I migrate it to the live machine, which pushes out the scripts. But I like the parent's post theory anyway, despite what this post may have looked like.

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  5. Re:How about: less douchebaggery? by Anonymous Coward · · Score: 5, Interesting

    "Like screen savers that try and install crap along with it, then there'll be all the support calls why isn't it working."

    Using my remote control truth extractor, I can detect thoughts that are in your brain but not passed to your fingers on the keyboard. Combining your post with the truth extractor, I get the following:

    "Treating adults like adults is good in theory, but when you have 300+ people trying to..."
    Do their jobs
    "...you want to take away as much..."
    productivity
    "...as possible." So we can feel like we are in charge of something. Even the little people need to feel big every so often. In order to keep our jobs, we need to make sure people need us. Thanks to lockdowns, they will.

    Is that awesome technology or what?

    Would you rather make people stop working and call the helpdesk when they need some kind of app that is (a) harmless and (b) freely available? And it's OK if they wait: 15 minutes? an hour? all day? So you can prevent a call from a guy who screws up the SCREEN SAVER???

    Instead of making Mr. Screensaver wait in the queue because of his counterproductive antics, YOU MAKE EVERYONE ELSE WAIT INSTEAD???

    Such a strategy would only make sense if >50% of all calls were for unnecessary/unauthorized things. And IF that were true, then a lockdown would work so well that support staff could be cut, right?

    Any wonder why IT departments are referred to as the "preventers of information services"???

    What happens if they boot Knoppix from CD? Works pretty well in Windows shops as well. Lock down the BIOS from CD boot? There are numerous published backdoor passwords; almost every BIOS has one.

    BTW, this is a much bigger problem in Windows shops, where people tend to go crazy with pirated stuff, trial versions, spyware, and network bandwidth wasters -- all of which contribute to real risks and system instability. Taking away root access solves most of this in Linux, whereas in Windows it's the full employment act for the helpdesk unless you surrender to the draconian tradeoffs described above.

  6. Re:You don't by DavidRawling · · Score: 4, Interesting

    I think the point of the G...GP post was that you can't easily push this out remotely, and on Linux you have to write it, support it and debug it yourself, including all the niggly corner cases.

    Frankly Windows has some cool Enterprise stuff that makes this easier.

    1. WSUS. Centrally administer the set of updates permitted to clients and servers. Linux version: Maybe set up a repository for your corp distro - but how to sync and manage the updates is what I don't know here.
    2. SCCM / Zenworks / Others. Roll out an application to user desktops whether they're on-net or not. I can push Office to a machine 500mi from one of my offices. Well, OK the admins, I'm a consultant (a contraction of Con and Insult). I get reporting, auto retry, auto download with bandwidth optimisation. Linux version: I honestly don't know. I never hear about this and it's a major, major part of TCO for the desktop, so there must be SOMETHING - and I'd love to know about it.
    3. Group Policy. Push out settings, apps, scripts without any admin access. Disable apps (or provide a white list of apps - hey no more goddamn spyware it's the single most sensible way to protect a Windows box from this crud). A single change in one location with enforced application to the desktop, when the desktop is on-net (those remote users have to change passwords eventually)! Marketing wants a new desktop background across the company (and the CEO has OK'd it)? Sure, give me the file, generally speaking it's on 95% of online machines in under an hour, with no user ability to turn it off. And hey, it's a company machine. Do you expect to repaint the company walls sky blue because you don't like puce?

    It's worth noting that these policies aren't Microsoft deciding willy-nilly how you will use your computer. It's the Fortune 500+ companies, and their equivalents in Europe, Asia-Pac etc, who have requested this. They have very big wallets. They spend way more on MS than we do. And apparently some dorkwad once determined that allowing users to set their own desktop background wastes time and thus money, so they want to lock things down, protect themselves from lawsuits etc, and ensure they are paying people to work, not skive off typing long comments on /. ...

    Ahem. As I was saying.

    In these sorts of cases (desktop wallpaper, sound schemes), to me, the benefit is not time and money, it's the ability to avoid a lawsuit because Big Stu the ladies' man in the centre of the office decided to have some porno chick as his wallpaper and porno sounds for new emails et al. And the 30 women around him get offended and sue the company for letting him be a dickhead even though there's a clear policy in place.

  7. Re:You don't by QuoteMstr · · Score: 4, Interesting

    I think the point of the G...GP post was that you can't easily push this out remotely, and on Linux you have to write it, support it and debug it yourself, including all the niggly corner cases.

    That's a good point, but the kind of huge organization you mention will have in-house IT people who can do that anyway, and I still think the advantage of a FOSS platform outweighs the relative lack of ready-to-go deployment facilities.

    WSUS. Centrally administer the set of updates permitted to clients and servers. Linux version: Maybe set up a repository for your corp distro - but how to sync and manage the updates is what I don't know here.

    Any of the major repository systems can be set up in a custom configuration with client machines automatically sucking packages up from a central company repository. Redhat's up2date and satellite systems are especially geared toward this kind of deployment.

    SCCM / Zenworks / Others. Roll out an application to user desktops whether they're on-net or not. I can push Office to a machine 500mi from one of my offices

    If I'm understanding this correctly, you get application installation automation for free with your centralized repository, perhaps automated with cfengine, puppet, or even ssh-in-a-loop.

    Group Policy...

    This is hard, and I'll admit Windows has an edge here, though personally, I feel like that's a little bit about North Korea having an edge in oppression compared to the US; it's not necessarily something desirable.

    That said, if you must do something like this, there are ways. Other comments for this article address this point better than I do. For starters, there's kiosk mode: "KDE's Kiosk Mode allows a system administrator to configure all aspects of the desktop for an end user and optionally prevent the end user from making modifications to the provided setup."

    Gnome also supports a lockdown system.

    And as a last resort, you can always patch the software and distribute the patched version to all your machines.
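    The GNOME lockdown system mentioned above, as an added example that is not from the thread: it pushes a handful of GConf keys into the mandatory configuration source, which a user's own settings cannot override, covering the command-line lockdown and the forced proxy the OP and earlier comments asked about. It assumes a GNOME 2-era desktop with gconftool-2 installed; the proxy host and port are placeholders.

```shell
#!/bin/sh
# Added example: write GNOME lockdown policy as *mandatory* GConf keys.
# Assumes gconftool-2 (GNOME 2 era); intended to ship in a setup package
# or be run by a nightly ssh push, as earlier comments describe.

# The mandatory source: keys here win over anything a user sets.
MANDATORY="xml:readwrite:/etc/gconf/gconf.xml.mandatory"

# gconf_cmd KEY TYPE VALUE -> prints the gconftool-2 invocation for one key
gconf_cmd() {
    printf 'gconftool-2 --direct --config-source %s --type %s --set %s %s\n' \
        "$MANDATORY" "$2" "$1" "$3"
}

# lockdown_cmds -> prints every command the policy consists of
lockdown_cmds() {
    # No "Run Application" dialog and no terminal launch from the panel
    gconf_cmd /desktop/gnome/lockdown/disable_command_line bool true
    # Users cannot rearrange the panel or add launchers
    gconf_cmd /apps/panel/global/locked_down bool true
    # All HTTP goes through the corporate proxy (placeholder host/port)
    gconf_cmd /system/proxy/mode string manual
    gconf_cmd /system/http_proxy/use_http_proxy bool true
    gconf_cmd /system/http_proxy/host string proxy.example.internal
    gconf_cmd /system/http_proxy/port int 3128
}

# apply_lockdown -> run the commands as root; when gconftool-2 is absent
# (e.g. on the admin's build box) just show what would be executed.
apply_lockdown() {
    if command -v gconftool-2 >/dev/null 2>&1; then
        lockdown_cmds | sh -e
    else
        echo "gconftool-2 not found; commands that would run:" >&2
        lockdown_cmds >&2
    fi
}

apply_lockdown
```

Desktops pick the keys up on the next login; to undo a key, use `gconftool-2 --direct --config-source "$MANDATORY" --unset KEY`.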