Locking Down Linux Desktops In an Enterprise?

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"

Puppet

[BSAtHome]

Use puppet to enforce configuration: http://reductivelabs.com/products/puppet/

Re:Puppet

[binner1]

I was going to say CFEngine, but that's only because it's what I'm currently using. I'd love to move to puppet but at the time we deployed CFEngine, puppet wasn't ready for all the things we needed it to do (windows and solaris in addition to linux)...this has likely changed now, but we've got a lot of cf scripts that would need conversion.

Whichever tool is chosen (there are others in this space too), I believe this is the correct answer. I know that CFEngine scares a lot of people off (and maybe puppet does too?), but it is an excellent way to manage a large set of hosts.

-Ben

Mittens!!!

[RecursiveLoop]

Issue everyone Mittens!!!! They are relatively cheap and make it oh so hard to type terminal commands when worn.

Is Samba 4 ready?

[ikirudennis]

from the FAQ:

Can I use Samba 4 on my production server right now? No. Samba 4 is still under heavy development. Samba 4 is not due to replace Samba 3 soon. Many of the required core features are present, but the code is still alpha and user tools as well as some core features are still missing.

dumb terminals?

[timmarhy]

if your talking about dumb terminals, your making me hot. sexy little gadgets with no fans or moving parts. in this instance you can lock down any of the major desktop environments by modifying their default user to have a really low level of user access , so when you create a new user it inherits these settings. gnome,kde and xfce all have this ability. and since they are terminals an logging into a central server management is dead easy.

if you are talking stand alone desktops then it's not so great. linux doesn't really have anything as good as group polices and active directory, it's part of the reason corperate networks are mostly windows.

What are you trying to do?

[Todd+Knarr]

I guess the first question is: what are you trying to accomplish? Are you trying to prevent users from installing additional software locally? Are you trying to insure that particular applications get particular preferences set and users are prevented from changing those settings? What? Just saying "lock down the desktops" doesn't say what you're trying to actually do.

Remember that Unix is, in large part, designed to work correctly without needing to be locked down. Much is controlled simply by the system-wide configuration files. The rest tends to be controlled on the server side, so that users simply can't do unacceptable things regardless of how they configure their local user account.

Re:What are you trying to do?

[mysidia]

(1) Don't install any solitaire program. Mount users' home directories noexec, don't give users root access. They won't be playing solitaire. This also prevents them from downloading solitaire off the web... blocking winsol.exe in Windows group policy doesn't stop any of this, and doesn't stop users from copying winsol.exe to some innocuous filename like C:\excel.exe

(2) iptables rules can be set to deny web access except through the proxy.

(3) Passing keys is just a single example of central config management, there are tools for this as well, like cfengine, bcfg2.

Re:What are you trying to do?

[mysidia]

Didn't I mention bcfg2? cfengine and bcfg2 are tools that is used to do just that, force tens of thousands of machines to comply with approved configurations, and remediate machines that don't, by making them match the approved configurations.

And yes, you can remove software, set iptables rules, distribute keys, etc, using pre-made open source software available for Linux.

Re:What are you trying to do?

[citylivin]

"Then how do we prevent people from bringing in USB printers from home and connecting them locally"

Id say if someone has to bring in their own printer, your company has bigger IT problems...

Indeed it is a problem

In linux world, there is yet to be a quick, 3 question and 1 button way to add the computer to a domain and then receive straight away:
- group policies - security and software install
- single password store (with cached passwords for notebooks that go away from the network)
- Patch update policy

The only thing linux does right is work on technologies such as DHCP that were written for OTHER unix O/S'.

Ubuntu is not interested in those things, they're more interested in making stories about koalas and hiding popup boxes.

Gnome is dead, Mono and moonlight took all their brains away.

kde is making a next-gen desktop but have yet to understand why so many IT shops have kept Windows at the office.

This is all depressing. Windoze will never be replaced at the current rate.

What lockdown do you need?

[whoever57]

A desktop where the user does not have su/sudo access is already pretty locked down -- the user can only write to his home directory and other directories that he/she has access to through normal permissions.

If you really want to lock it down, the user's home directory can be mounted in such a way that files cannot be executed from there.

What elso is required?

Re:How about: less douchebaggery?

[Registered+Coward+v2]

Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings?

Because a number of them will wind up installing aps that put the company at risk?

MOD PARENT UP

[serviscope_minor]

Mod parent UP. The OP is thinking about it wrong: ie how to manage unix in the style of windows. Don't give them root and they can't install software. Make sure the home directories an /tmp is moutes -noexec and there is NO WAY that they can run programs which aren't already installed.

Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.

You can create an RPM to do this for you, then set up the whole thing automagically using Redhat's or SUSE's tools (one is called kickstart). I suspect it is straightforward on debian based systems, too.

If you have the autoupdater running (good for security), then update the setup RPM, put it in your local repository, and sit back as all the desktops get updated with new settings.

Alternatively, you can bodge it with shell scripts and a cron job :-)

 

Re:MOD PARENT UP

[binner1]

While I _mostly_ agree with this, a nice policy management (configuration management mostly) tool is also essential when dealing with lots of boxes. You want a new setting for all Gnome desktops, simply add it to the policy tool and let it distributed any required config files or run commands to change the setting, etc. This type of thing used to be done with things like: for h in $all_my_hosts; do ssh $h /tweak/some/setting; done

CFEngine and Puppet and friends are a nicer way of doing this. They're "self documenting" in that your write the code and then you can later very easily see when you added some configuration bits, etc...version control your configuration management scripts and you get even better tracking of who did what and when. (A side question: How does one do the version control type stuff in AD?)

While kickstart is great (I use it), it only goes so far. Having a policy manager on top of that (installed and configured in the kickstart) is a beautiful thing!

-Ben

Re:MOD PARENT UP

[magamiako1]

You kids still think that what the OP is asking for has anything to do with "preventing users from doing something harmful to the computer".

Get it out of your heads. Many of the things group policy can do has nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.

When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A for Department B".

Want to make a change to how a whole department does things? There's no pushing a script out later on to the whole department. You simply change it in group policy and the entire thing gets taken care of automatically.

You can spend more time focusing on actually getting shit done than fussing around with HOW to solve the problem with roundabout tool sets.

Re:MOD PARENT UP

[QuoteMstr]

This kind of stuff is why NFS-mounted home directories are just wonderful. If my machine kicks the bucket, I can grab a new one, install an OS on it, and get back to where I was before in half an hour. In a larger organization, an imaged system would work even better.

Now, as for mass configuration changes, cfengine is your friend.

Re:How about: less douchebaggery?

[RichardJenkins]

You think using technology to help enforce an IT policy and respecting your employees are mutually exclusive aims? I strongly disagree.

A small contingent of 'bad apples' can do serious harm if you do not effectively enforce IT policies. It's not possible to guarantee there is no one like this in your company, so you should protect the company and other staff from from them.

Respecting staff won't stop douchebags being douchebags and screwing up your systems.

Re:Mittens!!! I was going to say: Give everyone

[davidsyes]

Paws... Then they could have Caps Paws...

But, if Puppet offers tiered services, then you can evaluate the... Puppet Tiers (LOL)... Then controlling the employees simply becomes a matter of ... pulling strings...

Re:More information on what you want to lock down?

[man_of_mr_e]

Unfortunately, few people in the Unix world seem to grasp what Group Policy is used for in Windows.

It's not simply preventing users from installing software.

Group policy is a set of policies that gevern everything from security policies, to application policies (for instance, say you want all users in a specific AD OU to use a specific proxy server, or maybe you want to limit all computers in a given lab from being able to use an MSN Messenger.

GP can be assigned to specific computers, groups of computers, users, groups of users, and a whole host of situations. The nice thing about it is that it's AD wide, and controls the user or the computer regardless of where, or what may be installed on the machine or how it's configured locally.

Re:How about: less douchebaggery?

Doesn't work:

bash-3.2$ less douchebaggery
douchebaggery: No such file or directory
bash-3.2$

Re:This is linux's strength, actually

Or, am I missing something?

Yeah managing this for 300+ people in an environment that changes daily without spending your entire IT budget on admins and the sneakernet support staff.

despite our desire to act like open source is the cure for all ills this is the type of problem we need to solve. You MUST lock down some enterprise environments (or have a CEO who is willing to go to jail) and you MUST be able to manage this without breaking the company piggy bank. He's asking for solutions to these two requirements not how to keep ONE person on ONE desktop from doing ONE of the many forbidden things.

And as for the guy/gal who suggested we treat everyone nice and hope they act right. That's fine for your 10 person IT shop...not so much for a multi-billion dollar public company that needs public trust and investment and is governed by a whole mess of federal regulations in numerous national jurisdictions around the world.

Re:How about: less douchebaggery?

Have you ever met a sales person, or watched them try to use a computer? Seriously, watch them try to send a 500MB powerpoint presentation as an e-mail attachment, or ask for tech support on their limewire install, and marvel at the risk to your company.

LSD

[russlar]

Why not use LSTP? That way you only have to worry about whatever image(s) you keep on the server.

Better yet, use LSD! Then all you have to worry about is why those images are talking to you.

Re:How about: less douchebaggery?

[mysidia]

Vim supports a mode referred to as 'restricted' mode.

i.e. cp /usr/bin/vi /usr/bin/rvi

Give the user permission to run 'rvi' instead of permission to run 'vi'

Also, you needn't give root to do that; modern distros have these things called 'group permissions', or even ACLs.

You can create that user a special non-root user that they 'sudo' to in order to edit the config file, and an ACL permits just that particular user to edit the particular allowed config files.

Re:This is linux's strength, actually

[icebike]

Sneaker net?

This is linux. You do it all remotely, and you can build clone the machines pre-set up
exactly the way you want them.

This is not hard. But first you have to purge the microsoft mentality from your thinking.
Forget Sneakernet. Think more Fat-Ass net. Like me sitting here on my fat ass managing
a dozen machines for naive users located 1400 miles away.

You just never give users root access, and you set your permissions properly.
You can use SeLinux, AppArmor, or any number of free management tools that
all work remotely. You don't have to rely on everyone to act nice because
you can lock it down just as tight as you want.

If its a business, why not start with a business solution like Novell SLED.
Its made for the enterprise. And it locks down nicely.

None of this stuff is free in the windows world, but its all available
for free in the Linux world, OR you can pay for it and still save money
over Windows.

But there are free remote management utilities included with every Linux distro.
Its called ssh.

we leave our security to

[v1]

Locking Down Linux Desktops In an Enterprise?

We leave our security in the hands of Mr. Worf.

Re:You don't

[gbarules2999]

Let me try and predict this one: "[Problem they've randomly had in the last two years and didn't bother to research or bugfix] is the biggest issue in desktop Linux. The developers have lost touch because, for example, [anecdote that offers no valuable bug-ridding information, or even enough to replicate it], showing that [Problem] is still a big of a problem as it was four years ago. I've seen [however instances they've seen it, plus four] instances of this issue in my computer but also in other's, and it refuses to be fixed because Linux is simply put, not user-friendly or stable in the least bit. It's things like these that make me draw the conclusion that Linux is simply not ready for the desktop."

Re:More information on what you want to lock down?

[SaDan]

Unfortunately, few people in the Windows world seem to grasp that LDAP has been around for many years in the *nix world, and has all the functionality you would find in Group Policies when linked into PAM on the client side.

For a couple years, I maintained a company-wide network that supported unified "home" directories and unified login/password capabilities between Windows workstations, Linux workstations, and Solaris servers, all tied back to Fedora Directory Server. It was hell to set up, and sweet to watch in action.

Active Directory and Group Policies aren't bad for simple installations, but really turn into a mess quickly depending on your setup. LDAP and *nix systems that support PAM are a snap to set up, work fairly well and took significantly LESS time to get working properly than the Windows side did.

There's a lot of research that goes into setting up either side of the equation. Linux/Unix has been more ready for the "enterprise" desktop than Windows has, though, and that's a cold hard fact.

Re:How about: less douchebaggery?

"Like screen savers that try and install crap along with it, then there'll be all the support calls why isn't it working."

Using my remote control truth extractor, I can detect thoughts that are in your brain but not passed to your fingers on the keyboard. Combining your post with the truth extractor, I get the following:

"Treating adults like adults is good in theory, but when you have 300+ people trying to..."
Do their jobs
"...you want to take away as much..."
productivity
"...as possible." So we can feel like we are in charge of something. Even the little people need to feel big every so often. In order to keep our jobs, we need to make sure people need us. Thanks to lockdowns, they will.

Is that awesome technology or what?

Would you rather make people stop working and call the helpdesk when they need some kind of app that is (a) harmless and (b) freely available? And it's OK if they wait: 15 minutes? an hour? all day? So you can prevent a call from a guy who screws up the SCREEN SAVER???

Instead of making Mr. Screensaver wait in the queue because of his counterproductive antics, YOU MAKE EVERONE ELSE WAIT INSTEAD???

Such a strategy would only make sense if >50% of all calls were for unnecessary/unauthorized things. And IF that were true, then a lockdown would work so well that support staff could be cut, right?

Any wonder why IT departments are referred to as the "preventers of information services"???

What happens if they boot Knoppix from CD? Works pretty well in Windows shops as well. Lockdown the BIOS from CD boot? There are numerous published backdoor passwords; almost every BIOS has one.

BTW, this is a much bigger problem in Windows shops, where people tend to go crazy with pirated stuff, trial versions, spyware, and network bandwidth wasters -- all of which contribute to real risks and system instability. Taking away root access solves most of this in Linux, whereas in Windows it's the full employment act for the helpdesk unless you surrender to the draconian tradeoffs described above.