Locking Down Linux Desktops In an Enterprise?

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"

MOD PARENT UP

[serviscope_minor]

Mod parent UP. The OP is thinking about it wrong: ie how to manage unix in the style of windows. Don't give them root and they can't install software. Make sure the home directories an /tmp is moutes -noexec and there is NO WAY that they can run programs which aren't already installed.

Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.

You can create an RPM to do this for you, then set up the whole thing automagically using Redhat's or SUSE's tools (one is called kickstart). I suspect it is straightforward on debian based systems, too.

If you have the autoupdater running (good for security), then update the setup RPM, put it in your local repository, and sit back as all the desktops get updated with new settings.

Alternatively, you can bodge it with shell scripts and a cron job :-)

 

Re:How about: less douchebaggery?

"Like screen savers that try and install crap along with it, then there'll be all the support calls why isn't it working."

Using my remote control truth extractor, I can detect thoughts that are in your brain but not passed to your fingers on the keyboard. Combining your post with the truth extractor, I get the following:

"Treating adults like adults is good in theory, but when you have 300+ people trying to..."
Do their jobs
"...you want to take away as much..."
productivity
"...as possible." So we can feel like we are in charge of something. Even the little people need to feel big every so often. In order to keep our jobs, we need to make sure people need us. Thanks to lockdowns, they will.

Is that awesome technology or what?

Would you rather make people stop working and call the helpdesk when they need some kind of app that is (a) harmless and (b) freely available? And it's OK if they wait: 15 minutes? an hour? all day? So you can prevent a call from a guy who screws up the SCREEN SAVER???

Instead of making Mr. Screensaver wait in the queue because of his counterproductive antics, YOU MAKE EVERONE ELSE WAIT INSTEAD???

Such a strategy would only make sense if >50% of all calls were for unnecessary/unauthorized things. And IF that were true, then a lockdown would work so well that support staff could be cut, right?

Any wonder why IT departments are referred to as the "preventers of information services"???

What happens if they boot Knoppix from CD? Works pretty well in Windows shops as well. Lockdown the BIOS from CD boot? There are numerous published backdoor passwords; almost every BIOS has one.

BTW, this is a much bigger problem in Windows shops, where people tend to go crazy with pirated stuff, trial versions, spyware, and network bandwidth wasters -- all of which contribute to real risks and system instability. Taking away root access solves most of this in Linux, whereas in Windows it's the full employment act for the helpdesk unless you surrender to the draconian tradeoffs described above.