
Locking Down Linux Desktops In an Enterprise?

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"

  • Mittens!!! (Score:5, Funny)

    by RecursiveLoop ( 1264802 ) on Monday March 09, 2009 @08:03PM (#27128573)
    Issue everyone Mittens!!!! They are relatively cheap and make it oh so hard to type terminal commands when worn.
  • by Zsub ( 1365549 ) on Monday March 09, 2009 @08:17PM (#27128719)

    Did you _have_ to wave your hand in that suggestive manner, as if - SELinux is not what he is looking for. Move along.

    And it indeed appears to me that it is not what he is looking for.

  • by PPH ( 736903 ) on Monday March 09, 2009 @08:30PM (#27128859)

    ...we just used a script that called useradd pointing to the appropriate skeleton directory and then called chown/chmod to keep people from modifying the rc files in their home directories.

    Really smart users can probably find a way around this. But then at a company I used to work for, we could never lock down Windows NT to keep the shop floor mechanics from setting the wallpaper to a Pamela Anderson, Tommy Lee photo. So I guess it's all relative. You may need users that are dumber than a high school dropout welder.

  • Paws... Then they could have Caps Paws...

    But, if Puppet offers tiered services, then you can evaluate the... Puppet Tiers (LOL)... Then controlling the employees simply becomes a matter of ... pulling strings...

  • by Anonymous Coward on Monday March 09, 2009 @08:41PM (#27128979)

    Doesn't work:

    bash-3.2$ less douchebaggery
    douchebaggery: No such file or directory
    bash-3.2$

  • Re:policies (Score:3, Funny)

    by Herkum01 ( 592704 ) on Monday March 09, 2009 @08:48PM (#27129043)

    Keep employees from installing software unless you're an upper level executive who needs a business level package. You know, like Solitaire, their favorite screen saver, a program that will display files (like naked_britney_spears.zip.exe) they get in email.

    You know, the policy that says I am too special to actually follow the rules...

  • LSD (Score:5, Funny)

    by russlar ( 1122455 ) on Monday March 09, 2009 @09:00PM (#27129139)

    Why not use LSTP? That way you only have to worry about whatever image(s) you keep on the server.

    Better yet, use LSD! Then all you have to worry about is why those images are talking to you.

  • by hummassa ( 157160 ) on Monday March 09, 2009 @09:05PM (#27129199) Homepage Journal

    No, au contraire. The following policy _will_ guarantee that users will act like adult human beings:

    We will take a peep at your files randomly and fire you without severance the first time we find something we don't like. Period.

  • by Darkness404 ( 1287218 ) on Monday March 09, 2009 @09:05PM (#27129205)
    Yes but considering this is enterprise, we can assume that people either A) Know what they are doing B) Know not to mess with things they don't know what they do or C) Have a nice IT staff that can fix some of the mistakes they make.
  • by Architect_sasyr ( 938685 ) on Monday March 09, 2009 @09:07PM (#27129221)
    You learn something new every day! That said, I just typed "ln -s /bin/rvi ~/vi ; ~/vi" on my CentOS box (only one nearby, had rvi in it already which had previously denied me a shell) and voila, back to my root prompt. ACLs, however, are quite excellent at circumventing the issue, and are to be applauded. 9/10ths of administrators aren't going to want to mess around with them though, trusting to the "power of the sudo" as they do so often. Still, thanks for pointing out rvi - makes that old saying true: "Everytime you see someone else use vi, you learn something new".
  • by Anonymous Coward on Monday March 09, 2009 @09:12PM (#27129255)

    Hmmm, works for me:

    $ less douchebaggery
    mr_bubb blows goats
    douchebaggery (END)

  • by mrroot ( 543673 ) on Monday March 09, 2009 @09:29PM (#27129375)
    I'm glad this question came up. I read somewhere that 2009 was going to be the year of Linux on the desktop.
  • by v1 ( 525388 ) on Monday March 09, 2009 @09:29PM (#27129379) Homepage Journal

    Locking Down Linux Desktops In an Enterprise?

    We leave our security in the hands of Mr. Worf.

  • by gbarules2999 ( 1440265 ) on Monday March 09, 2009 @10:07PM (#27129675)
    Let me try and predict this one: "[Problem they've randomly had in the last two years and didn't bother to research or bugfix] is the biggest issue in desktop Linux. The developers have lost touch because, for example, [anecdote that offers no valuable bug-ridding information, or even enough to replicate it], showing that [Problem] is still as big of a problem as it was four years ago. I've seen [however instances they've seen it, plus four] instances of this issue in my computer but also in others', and it refuses to be fixed because Linux is simply put, not user-friendly or stable in the least bit. It's things like these that make me draw the conclusion that Linux is simply not ready for the desktop."
  • by syousef ( 465911 ) on Monday March 09, 2009 @10:42PM (#27129991) Journal

    Mod parent UP. The OP is thinking about it wrong: i.e. how to manage unix in the style of windows. Don't give them root and they can't install software. Make sure the home directories and /tmp are mounted -noexec and there is NO WAY that they can run programs which aren't already installed.

    Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.

    Much easier, just remove the computer from their desktop. I would suggest replacing it with pencil and paper but there's every chance the employee might take up sketching and then of course the universe would fall apart.
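
An audit for the noexec mounts suggested in the comment above, as an added example that is not part of the original post: it reads a mount table in `/proc/mounts` layout and lists user-writable paths whose backing mount still allows execution. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether user-writable paths sit on noexec mounts.
# Input layout (as in /proc/mounts): device mountpoint fstype options dump pass

# Constructed sample mount table (not taken from a real host).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# Print the options of the mount containing path $1; table on stdin.
# The longest matching mount point wins; on a tie the later entry wins.
mount_opts_for() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            pre = (mp == "/") ? "/" : (mp "/")
            if ((p == mp || index(p "/", pre) == 1) && length(mp) >= best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }'
}

# Return 0 if the mount containing $1 carries noexec, 1 otherwise.
is_noexec() {
    case ",$(mount_opts_for "$1")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per path argument that still allows execution.
audit_paths() {
    table=$(cat)    # read the mount table once from stdin
    for p in "$@"; do
        if ! printf '%s\n' "$table" | is_noexec "$p"; then
            printf 'EXEC-ALLOWED %s\n' "$p"
        fi
    done
}

# Demo on the constructed table; on a live host feed it /proc/mounts instead.
sample_mounts | audit_paths /home/alice /tmp /var/tmp /dev/shm
```

The check covers only the mount option: noexec blocks direct execution of files on that mount, and scripts handed to an interpreter that is already installed are outside what it reports.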

  • by Tuoqui ( 1091447 ) on Monday March 09, 2009 @11:29PM (#27130323) Journal

    You've already installed Linux. I doubt they can install anything on there that would be a problem, not without gunning for your job that is.

  • by Gazzonyx ( 982402 ) <scott,lovenberg&gmail,com> on Tuesday March 10, 2009 @02:00AM (#27131233)
    Use a boot loader password.
    Disable CD/USB boot in BIOS or make the hard drive boot first (and password protect it... with clever users, lock the box so no one can clear the CMOS).

    The bottom line though is that if someone has physical access to 'your' box, it's no longer yours. This applies to security as well as users. The only thing you can do is make the process so painful and bothersome that they decide it's not worth it.

    Speak softly and carry a big stick. Keeping a CAT5 cable that terminates to a power outlet is a good tool to have handy. Plug it in to the spot on the patch panel where the trouble user's connection is - they'll get the point after a couple of 'hardware failures' for their desktop. :)
  • by jonaskoelker ( 922170 ) <`jonaskoelker' `at' `yahoo.com'> on Tuesday March 10, 2009 @05:51AM (#27132175)

    Who said anything about Microsoft? The name "M$" is clearly a regular expression, so he's running something which ends in "M".

    I'm guessing it's tfo$orciM.

  • by EatHam ( 597465 ) on Tuesday March 10, 2009 @07:52AM (#27132795)
    Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings? In real enterprises, there are call center people and sales people. Both groups of people can not be treated like adult human beings. To do so would be like asking a three year old what it wants for dinner. Sure, he's happy for a while, eating cookies and ice cream for dinner, but then you've got to deal with cleaning vomit off of everything, and 10 years later, he's getting his feet cut off from diabeetus.
