Locking Down Linux Desktops In an Enterprise?
supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"
Mittens!!! (Score:5, Funny)
Re:Security-Enhanced Linux (Score:2, Funny)
Did you _have_ to wave your hand in that suggestive manner, as if - SELinux is not what he is looking for. Move along.
And it indeed appears to me that it is not what he is looking for.
Back in the old days ... (Score:3, Funny)
...we just used a script that called useradd pointing to the appropriate skeleton directory and then called chown/chmod to keep people from modifying the rc files in their home directories.
Really smart users can probably find a way around this. But then at a company I used to work for, we could never lock down Windows NT to keep the shop floor mechanics from setting the wallpaper to a Pamela Anderson/Tommy Lee photo. So I guess it's all relative. You may need users that are dumber than a high school dropout welder.
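The skeleton-plus-chown/chmod approach from the comment above, written out as an added example (this is not the commenter's script). It builds a constructed home directory, audits whether the login user can still rewrite the shell rc files, and then locks them down; the rc file list, the file contents and the helper names (make_demo_home, audit_rc_files, lock_rc_files) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): lock the shell rc files in a home
# directory the way the comment above describes, and audit that it stuck.

# Dot-files the login shell reads; a user who can rewrite them can undo any
# PATH or umask restriction they carry. List is an assumption for the demo.
RC_FILES=".profile .bashrc .bash_profile .bash_logout"

# Build a constructed home directory under $1 with the rc files a skeleton copy
# would leave behind (owner-writable, as useradd -m -k leaves them).
make_demo_home() {
    mkdir -p "$1"
    printf 'umask 027\nexport PATH=/usr/local/bin:/usr/bin:/bin\n' > "$1/.profile"
    printf '[ -f "$HOME/.profile" ] && . "$HOME/.profile"\n' > "$1/.bashrc"
    chmod 644 "$1/.profile" "$1/.bashrc"
}

# Report rc files under home $1 that login user $2 could rewrite: files the
# user owns with the owner write bit set, or files writable by group/other.
# Exit status 0 when every rc file is locked, 1 otherwise.
audit_rc_files() {
    home=$1; user=$2; status=0
    for f in $RC_FILES; do
        p="$home/$f"
        [ -e "$p" ] || continue
        hits=$(find "$p" \( \( -user "$user" -perm -200 \) -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$hits" ]; then
            echo "$p: writable by $user"
            status=1
        fi
    done
    return "$status"
}

# Take the rc files away from the user: root-owned (when run as root) and
# read-only for everyone, so the PATH/umask settings in them cannot be edited.
lock_rc_files() {
    home=$1
    for f in $RC_FILES; do
        p="$home/$f"
        [ -e "$p" ] || continue
        [ "$(id -u)" = 0 ] && chown root "$p"
        chmod 444 "$p"
    done
}

# Stand-alone run against a constructed home directory.
demo_home=$(mktemp -d)
make_demo_home "$demo_home"
audit_rc_files "$demo_home" "$(id -un)" || echo "before: rc files are open"
lock_rc_files "$demo_home"
audit_rc_files "$demo_home" "$(id -un)" && echo "after: rc files are locked"
rm -rf "$demo_home"
```

The chown step only takes effect when the script runs as root, which is where it belongs anyway: a user-run chmod can be undone by the user. The comment's "smart users" remark still applies if the user owns the home directory itself, since a read-only dotfile inside a directory they own can be replaced; put the settings in /etc/profile.d or give the directory the same treatment when that matters.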
Re:Mittens!!! I was going to say: Give everyone (Score:5, Funny)
Paws... Then they could have Caps Paws...
But, if Puppet offers tiered services, then you can evaluate the... Puppet Tiers (LOL)... Then controlling the employees simply becomes a matter of ... pulling strings...
Re:How about: less douchebaggery? (Score:5, Funny)
Doesn't work:
bash-3.2$ less douchebaggery
douchebaggery: No such file or directory
bash-3.2$
Re:policies (Score:3, Funny)
Keep employees from installing software unless you're an upper level executive who needs a business level package. You know, like Solitaire, their favorite screen saver, a program that will display files (like naked_britney_spears.zip.exe) they get in email.
You know, the policy that says I am too special to actually follow the rules...
LSD (Score:5, Funny)
Why not use LTSP? That way you only have to worry about whatever image(s) you keep on the server.
Better yet, use LSD! Then all you have to worry about is why those images are talking to you.
Re:How about: less douchebaggery? (Score:3, Funny)
No, au contraire. The following policy _will_ guarantee that users will act like adult human beings:
We will take a peep at your files randomly and fire you without severance the first time we find something we don't like. Period.
Re:What are you trying to do? (Score:3, Funny)
Re:How about: less douchebaggery? (Score:3, Funny)
Re:How about: less douchebaggery? (Score:2, Funny)
Hmmm, works for me:
$ less douchebaggery
mr_bubb blows goats
douchebaggery (END)
2009 is the Year of Linux on the Desktop (Score:3, Funny)
we leave our security to (Score:5, Funny)
Locking Down Linux Desktops In an Enterprise?
We leave our security in the hands of Mr. Worf.
Re:You don't (Score:5, Funny)
Re:MOD PARENT UP (Score:3, Funny)
Mod parent UP. The OP is thinking about it wrong: i.e. how to manage Unix in the style of Windows. Don't give them root and they can't install software. Make sure the home directories and /tmp are mounted noexec and there is NO WAY that they can run programs which aren't already installed.
Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.
Much easier, just remove the computer from their desktop. I would suggest replacing it with pencil and paper but there's every chance the employee might take up sketching and then of course the universe would fall apart.
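An added check for the noexec advice in the "MOD PARENT UP" reply above (this is example code, not the commenter's). It reads fstab text on stdin and reports which of the requested mount points either lack the option or have no entry at all; the sample fstab is constructed for the demo and the function name audit_mount_opt is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check an fstab for the noexec mounts
# the reply above recommends on /home and /tmp.

# Constructed sample fstab (not from any real host) for the stand-alone run:
# /tmp carries noexec, /home does not, and /var/tmp has no entry at all.
SAMPLE_FSTAB='# <device>      <mount>  <type>  <options>                      <dump> <pass>
UUID=root-0000  /        ext4    defaults                       0 1
UUID=home-0000  /home    ext4    defaults,nosuid,nodev          0 2
tmpfs           /tmp     tmpfs   defaults,noexec,nosuid,nodev   0 0'

# audit_mount_opt OPTION MOUNTPOINT... ; reads fstab text on stdin.
# Prints one line per mount point that is missing OPTION, either because the
# entry lacks it or because there is no entry (the directory then lives on
# its parent filesystem and inherits that filesystem's options).
# Exit status 0 when every mount point carries OPTION, 1 otherwise.
audit_mount_opt() {
    want=$1; shift
    fstab=$(cat)
    status=0
    for mp in "$@"; do
        # field 2 is the mount point, field 4 the comma-separated option list
        opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }')
        if [ -z "$opts" ]; then
            echo "$mp: no fstab entry (shares its parent filesystem's options)"
            status=1
        elif ! printf '%s\n' "$opts" | tr ',' '\n' | grep -qx "$want"; then
            echo "$mp: entry lacks $want (options: $opts)"
            status=1
        fi
    done
    return "$status"
}

# Stand-alone run against the constructed sample; on a real host use:
#   audit_mount_opt noexec /home /tmp /var/tmp < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_mount_opt noexec /home /tmp /var/tmp || echo "findings above"
```

The option name is a parameter so the same check covers nosuid and nodev, which belong next to noexec on those mounts. noexec blocks direct execution of binaries dropped into the directory; it does not stop an already-installed interpreter from running a script it is handed, which is why the reply pairs it with removing or restricting the executables users should not run.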
Re:How about: less douchebaggery? (Score:4, Funny)
You've already installed Linux. I doubt they can install anything on there that would be a problem, not without gunning for your job that is.
Re:This is linux's strength, actually (Score:4, Funny)
Disable CD/USB boot in BIOS or make the hard drive boot first (and password protect it... with clever users, lock the box so no one can clear the CMOS).
The bottom line though is that if someone has physical access to 'your' box, it's no longer yours. This applies to security as well as users. The only thing you can do is make the process so painful and bothersome that they decide it's not worth it.
Speak softly and carry a big stick. Keeping a CAT5 cable that terminates to a power outlet is a good tool to have handy. Plug it in to the spot on the patch panel where the trouble user's connection is - they'll get the point after a couple of 'hardware failures' for their desktop.
You misunderstand... (Score:3, Funny)
Who said anything about Microsoft? The name "M$" is clearly a regular expression, so he's running something which ends in "M".
I'm guessing it's tfo$orciM.
Re:How about: less douchebaggery? (Score:3, Funny)