
Locking Down Linux Desktops In an Enterprise?

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"
  • Puppet (Score:5, Informative)

    by BSAtHome ( 455370 ) on Monday March 09, 2009 @08:02PM (#27128559)

    Use puppet to enforce configuration: http://reductivelabs.com/products/puppet/ [reductivelabs.com]

  • Is Samba 4 ready? (Score:5, Informative)

    by ikirudennis ( 1138621 ) * on Monday March 09, 2009 @08:05PM (#27128591) Homepage
    from the FAQ:

    Can I use Samba 4 on my production server right now? No. Samba 4 is still under heavy development. Samba 4 is not due to replace Samba 3 soon. Many of the required core features are present, but the code is still alpha and user tools as well as some core features are still missing.

  • stay with ms (Score:0, Informative)

    by Anonymous Coward on Monday March 09, 2009 @08:06PM (#27128603)

    Stay with MS.

    Switching to linux would mean: more work for you, more money spent and frustrated office workers.

  • by whoever57 ( 658626 ) on Monday March 09, 2009 @08:10PM (#27128641) Journal

    A desktop where the user does not have su/sudo access is already pretty locked down -- the user can only write to his home directory and other directories that he/she has access to through normal permissions.

    If you really want to lock it down, the user's home directory can be mounted in such a way that files cannot be executed from there.

    What else is required?

  • by magamiako1 ( 1026318 ) on Monday March 09, 2009 @08:12PM (#27128661)
    SELinux is not what he's looking for.
  • Huh? Its unix (Score:5, Informative)

    by nurb432 ( 527695 ) on Monday March 09, 2009 @08:13PM (#27128671) Homepage Journal

    If you just manage the users properly and NFS mount applications it almost takes care of itself, and you don't need an extra layer of complexity.

    Use PXE+XDMCP and the workstations become irrelevant.

  • Re:Puppet (Score:5, Informative)

    by binner1 ( 516856 ) <bdwalton&gmail,com> on Monday March 09, 2009 @08:17PM (#27128723) Homepage

    I was going to say CFEngine, but that's only because it's what I'm currently using. I'd love to move to puppet but at the time we deployed CFEngine, puppet wasn't ready for all the things we needed it to do (windows and solaris in addition to linux)...this has likely changed now, but we've got a lot of cf scripts that would need conversion.

    Whichever tool is chosen (there are others in this space too), I believe this is the correct answer. I know that CFEngine scares a lot of people off (and maybe puppet does too?), but it is an excellent way to manage a large set of hosts.

    -Ben

  • Pessulus (Score:3, Informative)

    by Simon80 ( 874052 ) on Monday March 09, 2009 @08:20PM (#27128759)

    Pessulus [gnome.org] is a lockdown editor for GNOME. It is included in the admin suite since 2.14.

    What's wrong with that?

  • Re:You don't (Score:2, Informative)

    by leenks ( 906881 ) on Monday March 09, 2009 @08:23PM (#27128785)

    And that stops users from downloading and running applications how?

    There is a lot more to locking down desktops in enterprises than not giving users admin rights.

  • by shutdown -p now ( 807394 ) on Monday March 09, 2009 @08:26PM (#27128831) Journal

    What else is required?

    The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.

  • Re:You don't (Score:4, Informative)

    by Minozake ( 1227554 ) <ltdonny@gmail.com> on Monday March 09, 2009 @08:31PM (#27128865) Journal
    You feel Linux isn't ready for the desktop, or Linux isn't ready for your desktop?
  • by mysidia ( 191772 ) on Monday March 09, 2009 @08:34PM (#27128889)

    You can't install apps without root.

    You can't get root without proving your competence and signing an agreement that says you will only install apps that have been approved.

    It changes from being a "lockdown the desktop" problem, to an "unlock the desktop for people who absolutely need it, and closely monitor their activities" problem.

  • by man_of_mr_e ( 217855 ) on Monday March 09, 2009 @08:41PM (#27128973)

    Unfortunately, few people in the Unix world seem to grasp what Group Policy is used for in Windows.

    It's not simply preventing users from installing software.

    Group policy is a set of policies that govern everything from security policies to application policies (for instance, say you want all users in a specific AD OU to use a specific proxy server, or maybe you want to limit all computers in a given lab from being able to use MSN Messenger).

    GP can be assigned to specific computers, groups of computers, users, groups of users, and a whole host of situations. The nice thing about it is that it's AD wide, and controls the user or the computer regardless of where, or what may be installed on the machine or how it's configured locally.

  • by mysidia ( 191772 ) on Monday March 09, 2009 @08:44PM (#27129011)

    (1) Don't install any solitaire program. Mount users' home directories noexec, don't give users root access. They won't be playing solitaire. This also prevents them from downloading solitaire off the web... blocking winsol.exe in Windows group policy doesn't stop any of this, and doesn't stop users from copying winsol.exe to some innocuous filename like C:\excel.exe

    (2) iptables rules can be set to deny web access except through the proxy.

    (3) Passing keys is just a single example of central config management, there are tools for this as well, like cfengine, bcfg2.
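
As an added example, not part of the thread and not code any commenter posted: the "deny web access except through the proxy" policy of point (2), written out as an iptables-restore rule set. The proxy address and port and the infrastructure subnet are assumptions; the script prints the rule set, self-checks it, and only applies it when you run it as root with APPLY=1.

```shell
#!/bin/sh
# Added example: proxy-only egress policy for a locked-down Linux desktop.
# Not from the thread. PROXY_IP, PROXY_PORT and INFRA_NET are assumptions;
# set them for your own network before applying.
PROXY_IP=${PROXY_IP:-10.0.0.10}      # assumed corporate proxy
PROXY_PORT=${PROXY_PORT:-3128}       # assumed proxy port
INFRA_NET=${INFRA_NET:-10.0.0.0/24}  # assumed subnet holding DNS, LDAP/Kerberos, NFS, config server

# Emit the whole rule set in iptables-restore format. Default policy is DROP on
# every chain; only replies, loopback, the infrastructure subnet and the proxy
# are allowed out. Direct attempts at 80/443 are logged (rate limited) before
# being rejected, so the admin gets an "out of compliance" signal instead of
# a silent failure.
desktop_egress_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d ${INFRA_NET} -j ACCEPT
-A OUTPUT -p tcp -d ${PROXY_IP} --dport ${PROXY_PORT} -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m limit --limit 6/min -j LOG --log-prefix "direct-web: "
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Number of rules in the set that contain a given string: a cheap self-check
# that the generated policy really names the proxy exactly once.
count_rules_with() {
    desktop_egress_rules | grep -c -- "$1"
}

# Apply only when asked for explicitly, as root, with iptables-restore present;
# otherwise print the rules so they can be reviewed or handed to cfengine/puppet.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    desktop_egress_rules | iptables-restore
else
    desktop_egress_rules
fi
```

The rules apply to every user on the box. For the "two users on one terminal with different network rights" case, the OUTPUT chain accepts `-m owner --uid-owner <uid>` (or `--gid-owner`), so a per-group ACCEPT for the unrestricted group can sit above the REJECT while everyone else keeps the proxy-only view.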

  • by mysidia ( 191772 ) on Monday March 09, 2009 @08:50PM (#27129057)

    The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.

    That's a job for cfengine/bcfg2 or puppet, and a couple scripts to maintain exactly what you want. There are tools that can do this sort of thing very well.

    And you can also easily set it up so you can detect if a system has fallen out of compliance for some reason, and possibly send you an e-mail.

    Windows group policy just silently re-imposes itself, without sending you any notice at all, that somehow a setting got changed in a way that violates the policy.

  • gpo and lockdown... (Score:1, Informative)

    by Anonymous Coward on Monday March 09, 2009 @08:51PM (#27129067)

    I suspect that a lot of the people responding don't have a lot of experience working with GPO and active directory, for instance. In a *nix solution, the OP would need:

    1. User management. This means a centrally managed server where you can query and change all user attributes and permissions. This means from this central server, you would be able to activate, delete, or inactivate a user across the enterprise with one click.

    2. Active Directory Services equivalent. A carry over from part 1, instead of using local /etc/passwd /etc/shadow, it has to utilize a central logon system. Passing huge lists of users/passwords around to every workstation, even over secure tunnels with cron is bad form. And it will not update automatically whenever a change on the server mentioned in point 1 is made, you'll have to wait for the next cron / push.

    3. Granular control of users. Consider two users logging into one terminal. One user has unfettered outbound network capability, for instance this user can create smb connections, connect to ssh services on other machines, and browse the net. The second user should have GUI access to applications only and not be able to browse the web, but can create smb connections to allow file sharing.

    Something like above... its not a simple matter of protecting the system, but the ability to segregate users with a central management system.

  • by mysidia ( 191772 ) on Monday March 09, 2009 @09:02PM (#27129157)

    Vim supports a mode referred to as 'restricted' mode.

    i.e. cp /usr/bin/vi /usr/bin/rvi

    Give the user permission to run 'rvi' instead of permission to run 'vi'

    Also, you needn't give root to do that; modern distros have these things called 'group permissions', or even ACLs.

    You can create that user a special non-root user that they 'sudo' to in order to edit the config file, and an ACL permits just that particular user to edit the particular allowed config files.

  • by icebike ( 68054 ) on Monday March 09, 2009 @09:02PM (#27129159)

    Sneaker net?

    This is linux. You do it all remotely, and you can build and clone the machines pre-set up exactly the way you want them.

    This is not hard. But first you have to purge the microsoft mentality from your thinking. Forget Sneakernet. Think more Fat-Ass net. Like me sitting here on my fat ass managing a dozen machines for naive users located 1400 miles away.

    You just never give users root access, and you set your permissions properly. You can use SELinux, AppArmor, or any number of free management tools that all work remotely. You don't have to rely on everyone to act nice because you can lock it down just as tight as you want.

    If it's a business, why not start with a business solution like Novell SLED. It's made for the enterprise. And it locks down nicely.

    None of this stuff is free in the windows world, but it's all available for free in the Linux world, OR you can pay for it and still save money over Windows.

    But there are free remote management utilities included with every Linux distro. It's called ssh.

  • Re:MOD PARENT UP (Score:5, Informative)

    by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Monday March 09, 2009 @09:04PM (#27129181)

    This kind of stuff is why NFS-mounted home directories are just wonderful. If my machine kicks the bucket, I can grab a new one, install an OS on it, and get back to where I was before in half an hour. In a larger organization, an imaged system would work even better.

    Now, as for mass configuration changes, cfengine [cfengine.org] is your friend.

  • Re:Puppet (Score:3, Informative)

    by Anonymous Coward on Monday March 09, 2009 @09:06PM (#27129209)

    Yes, Puppet and CFEngine look like the modern solution.

    At our small office (up to 10 desktops), we use Fedora (from Core 6 to 9), plus NIS+NFS+autofs for user account+directory file management, installed from a centralized DHCP+PXE+NFS+Kickstart installation.
    Then we have our own home-brewed root crontab scripts (deployed by kickstart post-install) that:
    - replace local files with centralized versions (some are just text files, others are sym-links, others are firefox plugins - like Adobe's flash player).
    - install specific binaries from our own yum repositories, and keep the local package list consistent with central configuration listings (which is also used for the initial kickstart installation).

    But if we started again today, we would also have gone for puppet or cfengine for post-install configuration management.

    Nevertheless, we face many problems with:
    - OpenOffice files locked over NFS (not to mention that frequent OpenOffice MS-Office format interchange suffers from several problems).
    - thunderbird crashes requiring expertise for .lock file removal
    - firefox crashes requiring expertise for .lock file removal
    - non-technical users always finding new ways to download and install software on their home dirs that behaves badly over NFS.

    Joao (at http://www.pdmfc.com/english)

  • by mysidia ( 191772 ) on Monday March 09, 2009 @09:08PM (#27129233)

    Didn't I mention bcfg2? cfengine and bcfg2 are tools that are used to do just that, force tens of thousands of machines to comply with approved configurations, and remediate machines that don't, by making them match the approved configurations.

    And yes, you can remove software, set iptables rules, distribute keys, etc, using pre-made open source software available for Linux.

  • by tedrlord ( 95173 ) on Monday March 09, 2009 @09:30PM (#27129387)

    Custom kickstart with all the required configurations, and some basic configuration management software, makes it -extremely- easy to manage. The requirement is having an admin that knows how to set it up correctly in the first place.

    Lock out root accounts, mount user home directories from a separate partition/disk/network share and you can even reinstall the base OS without touching their files. Any decent configuration management software (there are a lot of choices) would also allow IT to add rpms or make individual config changes on each user's machine by adding a line to a script or a file to a host-specific directory. Even easier to track who's running what, or who has a weird setup. And if the box explodes or they break something, it can be rebuilt to the same configuration in like 15 minutes.

    Again, this is all with an admin that knows how to manage this. That's where you hit the problems, and that's why Linux is probably not appropriate for corp IT currently. There aren't enough people that can manage it well, and those that can will probably have better jobs than planning out desktop migrations.

  • Re:You don't (Score:3, Informative)

    by Nursie ( 632944 ) on Monday March 09, 2009 @09:30PM (#27129389)

    How's about I set up iptables to disallow any incoming connections then?

    That would slow your relay down. And how are you going to DoS when you don't have access to netcat, any compilers or interpreters? Hell, I could stop you even running an xterm...

    You can do any/all of these things from windows too. I have yet to see a machine that could do anything useful at all that I couldn't also download and then run PuTTY on.

  • by jamstar7 ( 694492 ) on Monday March 09, 2009 @10:01PM (#27129633)

    I like this version better: No system is foolproof, because fools are fiendishly clever.

    The problem with making things idiot proof is you generate a better class of idiot.

    As to the problem at hand, there are tons of things you can do to keep users out of trouble. Biggest one is, keep them from accessing sudo. Easiest way to do that is, create an 'admin' account on the machine before generating user accounts. Only the first user account on a Ubuntu machine has sudo access automagically. Additional users need to be added manually to the sudo group. Remove any and all software that you don't need. What those software pieces are would depend on your application. Then add the necessary maintenance scripting run as cron jobs, things like apt. Edit the /etc/apt/sources.list to restrict repositories. What I'd do then is, recut a master CD using Ubuntu Customisation Kit [sourceforge.net] so you have a 'standard' install, and set up an inhouse repository for updates, fed from the inhouse server. Since the workstations only look at the inhouse repository, they should only be able to install from the local server. And if they're locked away from apt, that shouldn't be a problem.

  • Re:MOD PARENT UP (Score:3, Informative)

    by maitai ( 46370 ) on Monday March 09, 2009 @10:03PM (#27129647)

    This is just wrong. Even in the Windows world. You don't need to be root to "install" a program (and what is with the "install" mentality anyhow?) Someone can happily place a binary in their home directory, or /tmp, or wherever they have write permissions and run it (note the next paragraph).

    And relying on noexec? /usr/bin/perl is usually executable, as is /usr/bin/php, /placeyourfavoriteinterprethere and can run any script you tell it to regardless of the noexec bit on the partition you mounted. For that matter, there's always ld.so, ld-linux.so, ld-linux-x86-64.so or whatnot (depending on your Linux distribution and hardware) if you want to load a binary (/lib/ld-linux-x86-64.so.2 binarynamehere). And note, ld.so will bypass any noexec bit on a partition (and also doesn't care if the binary is set executable or not)

  • by Anonymous Coward on Monday March 09, 2009 @10:09PM (#27129687)

    The amount of people here that just don't get it is truly astonishing, especially for a supposedly IT savvy crowd. IT policy enforcement is not all about locking the users out or preventing them from doing damage. No it is not good enough to have a network policy that prevents them from using the wrong proxy or not giving them access to change programs through a nicely locked down image, no you can't just trust the users to do the right thing or act like adults (many of them don't).

    Group Policy lockdown and management is about flexibility and enforcement of a potentially constantly CHANGING policy without the users having to do anything (sometimes idiotic management policy). Today X users need these 10 apps, tomorrow that department is renamed and needs these 15 apps instead and to point off to this proxy server or that printer, next week 4 of those users move to department Y but still keep the same computers and need all the new department's policy, all incredibly simple things to do with Group Policy and incredibly complex without a lot of work with *nix desktops.

    It seems people here confuse AD policy lockdown with security, security is just one small part of it and if that is what you focus on YOU FAIL.

  • by jotaeleemeese ( 303437 ) on Monday March 09, 2009 @10:22PM (#27129799) Homepage Journal

    Group policies? What do you mean by that? All accesses to read, write or execute are handled by regular unix permissions or ACLs.

    UNIX permissions are controlled by groups, group definitions are made available by means of a directory service.

    Access to a given machine? Password file, or password table in a name service.

    Single password? NIS+ or kerberos. Cached password in a laptop? Are you mad? Use a damn token that generates one time passwords.

    Patch update policy? Make a repository with the latest packages to be installed, run a cron on each machine that installs these patches on a regular basis.

    All of the above (and more) can be done in any Linux, Ubuntu included.

    So what is your point exactly?

  • by mcrbids ( 148650 ) on Monday March 09, 2009 @10:29PM (#27129863) Journal

    What you are forgetting is that most companies, especially large companies ARE boring places staffed by a high percentage of mediocre people. Large organizations have a large amount of administrative overhead, and the vetting process is long, convoluted, and inefficient. It's just the nature of the beast.

    1) IT staffed by control freaks? Well duh! It's the only way they can appear to be doing something and not getting their asses handed back to them if anything goes wrong...

    2) Trust? How much do YOU trust people you know just barely well enough to remember their name? And anytime you get more than 5 people together, they start grouping up and taking sides. Disputes soon follow. Care to guess what it's like when there are 500?

    3) Hiring standards? Have you seen who applies to Monster.com ads? As an employer, I can say the domain name is appropriate...

    4) Unrealistic expectations... It's often hard enough to simply establish expectations at all.

    5) Morale? You want to talk about morale!?!? Large companies spend months rolling out big updates like using actual coffee in the coffee makers at their 2,000 store fronts, or on 6 month programs to get locations to clean their bathrooms. Wait until you spend a man-week working yer ass off because somebody didn't know what 'historic' meant, only to find you didn't need to do anything at all. Then see what your morale is like.

    6) Unmotivated employees? Your average wage slave is motivated by a desire to do as little as possible and not get yelled at.

    Go work at/for/with some large organizations sometime. You'll see why Dilbert is so popular - not because it's quirky and off-beat but because IT'S TRUE!

  • by ion.simon.c ( 1183967 ) on Monday March 09, 2009 @10:32PM (#27129889)

    Then how do we prevent people from bringing in USB printers from home and connecting them locally?

    Remove them from the plugdev group (or whatever group the HAL daemon requires users to be in), and do like domatic suggests and write some *very* restrictive udev rules.

    And you still haven't described how to block installing Lockjaw/Gnometris/KSirtet "just for me".

    Mysidia covers this (among other things) in this comment:
    http://slashdot.org/comments.pl?sid=1154635&cid=27129011 [slashdot.org]

    Mount /home and /tmp (and other world-writeable directories) with noexec. BAM, 99% of users won't be able to *run* installers that weren't installed by an administrator. :)

  • by jmorris42 ( 1458 ) * <jmorris&beau,org> on Monday March 09, 2009 @10:36PM (#27129917)

    > In linux world, there is yet to be a quick, 3 question and 1 button way
    > to add the computer to a domain and then receive straight away:

    And I'm glad there isn't. Because it would get in the way of the old established, simple way to do those things.

    > - group policies - security and software install

    If the machine didn't need a package installed it should not be installed. Then you don't need to worry about a policy to prevent it from running. Not installed is more secure than trying to prevent it from running.

    > - single password store (with cached passwords for notebooks that go away from the network)

    NIS anyone? Granted I haven't dealt with notebooks that enter and leave, can someone else fill in how that works?

    > - Patch update policy

    If you don't trust your distro's patch update policy enough to enable auto updates then it is simple enough to establish a local one and set your machines to update from it. Then you can test every upstream update before you unleash it onto your network. And you probably want a local repo anyway just to save network bandwidth and to have a place to put locally created or modified packages.

    > Ubuntu is not interested in those things, they're

    That's the impression I get as well. Ubuntu does make a nice standalone desktop that a lot of people manage to get installed on their own though. But guess what, Ubuntu != Linux. If you are wanting Enterprise level features you might want to consider one of the distributions marketed to the Enterprise environment. XP Home doesn't work all that well in the Enterprise either ya know.

  • by Anonymous Coward on Monday March 09, 2009 @10:47PM (#27130049)

    And yet, all this is just a distraction from the fact that this type of task is MUCH EASIER to do in a Windows environment than a Linux environment... I thought Linux was the "more powerful" OS?

    (Actually, the "doing this is a bad idea" is a pretty common response from Linux fans when confronted by something their OS doesn't do well, or at all. It's really quite annoying, because it distracts from the real issue: Linux isn't as powerful as Windows, despite the open source philosophy.)

    Nice catch on the whole cop-out.

    Of course if it was someone asking how they could clean a major infestation of malware off of 300 Windows desktops and then prevent such an infestation from occurring again the response would be along the lines of:

    "Why the hell didn't you have it totally locked down in the first place? What kind of admin lets their users download whatever they want? The only thing they should get to choose is a new password every week. You should switch to Linux and this sort of thing wouldn't happen."

  • by mysidia ( 191772 ) on Monday March 09, 2009 @11:15PM (#27130235)

    Yes.. which is why using group policy to 'block' application execution is kind of silly, it throws away useful information, that management could use to make better decisions.

    It's much better to 'monitor' unusual activity and send automated e-mails to their boss, when they run a program like 'winsol' from their home directory.

    If they have a really good reason, they'll be able to answer the questions that it causes to be asked of them.

  • Re:You don't (Score:4, Informative)

    by Dolda2000 ( 759023 ) <fredrik@dolda200 0 . c om> on Monday March 09, 2009 @11:45PM (#27130427) Homepage

    Guess what? noexec doesn't do jack shit on the majority of Linux systems, and does not prevent anybody from running a. You know why? /lib/ld-linux.so.2. (On x86_64, there's also /lib64/ld-linux-x86-64.so.2.)

    Oh really? Seeing how mmap(2) requires the PROT_EXEC flag to make segments executable in the MMU, and checks those flags against the mode of the i-node, I found that hard to believe, and gave it a try. These are the results:

    $ cd /tmp
    $ mkdir mtest
    $ sudo mount -t tmpfs -o noexec none mtest
    $ cd mtest/
    $ vi test.c
    $ gcc -o test test.c
    $ ./test
    bash: ./test: Permission denied
    $ /lib/ld-linux.so.2 ./test
    ./test: error while loading shared libraries: ./test: failed to map segment from shared object: Operation not permitted
    $ sudo /lib/ld-linux.so.2 ./test
    ./test: error while loading shared libraries: ./test: failed to map segment from shared object: Operation not permitted

  • by netcrusher88 ( 743318 ) * <netcrusher88@NosPaM.gmail.com> on Monday March 09, 2009 @11:53PM (#27130513)

    Which is not the same as 'sudo rvi'. You can set sudo to only allow certain commands, so if you allowed 'sudo rvi', you couldn't run 'sudo ~/vi'.

    sudo filters by the command executed (I've seen things restricted to full command line - i.e. sudo killall -HUP ircd but not sudo killall ircd).
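
As an added example, not part of the thread and not code any commenter posted: the restricted-sudo setup discussed above (mysidia's rvi suggestion and netcrusher88's point that sudo matches the command path, so `sudo ~/vi` is not `sudo rvi`), as a generated sudoers drop-in plus a text check of what it grants. The user name appadmin, the alias EDIT_APPCONF, /usr/bin/rvi and /etc/app/app.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a sudoers fragment that lets one user run
# exactly one command on exactly one file, and a helper that checks what the
# fragment grants. appadmin, EDIT_APPCONF, /usr/bin/rvi and /etc/app/app.conf
# are assumptions.

# Print the sudoers fragment. Absolute paths matter: sudo matches what the
# user typed against the resolved path in the rule, so a copy of vi in $HOME
# is not /usr/bin/rvi and does not match. $1 user, $2 alias name (upper case,
# digits and underscore only), $3 command path, $4 the one file allowed.
sudoers_fragment() {
    user=$1; alias_name=$2; cmd=$3; file=$4
    cat <<EOF
# Managed fragment: ${user} may edit ${file} with ${cmd} only.
Cmnd_Alias ${alias_name} = ${cmd} ${file}
${user} ALL=(root) NOPASSWD: ${alias_name}
# Belt and braces: stop the editor spawning a shell via :! even if the binary
# turns out not to be restricted. sudo's noexec traditionally uses LD_PRELOAD,
# so it covers dynamically linked programs only.
Defaults!${alias_name} noexec
EOF
}

# Write the fragment with the permissions sudo expects and run it through
# visudo -c before it can lock anyone out. Non-zero on a syntax error; the
# syntax check is skipped when visudo is not installed.
install_sudoers_fragment() {
    dir=$1; name=$2; shift 2
    f="$dir/$name"
    sudoers_fragment "$@" >"$f" || return 1
    chmod 0440 "$f"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f" >/dev/null
    fi
}

# Does fragment text $1 grant user $2 the exact command line $3? A text-level
# check for tests and audits; the authoritative answer is "sudo -l -U user".
fragment_allows() {
    printf '%s\n' "$1" | awk -v u="$2" -v c="$3" '
        /^Cmnd_Alias/ { sub(/^Cmnd_Alias +/, ""); split($0, kv, / *= */); cmds[kv[1]] = kv[2] }
        $1 == u { n = split($NF, a, ","); for (i = 1; i <= n; i++) if (cmds[a[i]] == c) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Show the fragment for the assumed user and file.
sudoers_fragment appadmin EDIT_APPCONF /usr/bin/rvi /etc/app/app.conf
```

Install with `install_sudoers_fragment /etc/sudoers.d 10-appadmin appadmin EDIT_APPCONF /usr/bin/rvi /etc/app/app.conf` and confirm with `sudo -l -U appadmin`. Note that the file argument is spelled out in full; a wildcard there would let the user pass extra arguments (including other files) to the editor.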

  • by darkpixel2k ( 623900 ) on Tuesday March 10, 2009 @12:15AM (#27130679)

    And how long would it take me to SSH into 40,000 desktops to update Adobe Reader 8 to Adobe Reader 9, because there is some new feature that someone decided we just have to implement?

    How long to copy the browser link to 40,000 desktops to comply with a mandatory ethics reporting plan we had to put in place? How long to patch 40,000 kernels for a security hole that must be resolved within 72 hours due to Corporate Information Security policy?

    you guys that complain about heavy handed IT policies don't realize, that we don't even drive a lot of this stuff. If it was an IT idea, no one would ever give us the money we need to buy these tools. It's all driven from the top down.

    Perhaps you've never heard of cssh [sourceforge.net]?

    I use it to patch and update ~ 15 linux machines at the same time--in about 3 minutes. Patching a comparative number of Windows servers takes 30 minutes and a reboot.

    In all seriousness though, cssh might not work so well for 40,000 machines. You'd probably have to have a 70 inch monitor...
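
As an added example, not part of the thread and not code any commenter posted: the "patch N machines at once" job done with plain ssh, xargs and sh instead of a cluster terminal, so it scales past what fits on a monitor and leaves a per-host log and a pass/fail summary an admin can mail. Host names and the command are placeholders; RUNNER is the program used to reach a host (ssh by default) and is an assumption introduced so the script can be exercised without a network.

```shell
#!/bin/sh
# Added example, not from the thread: parallel fan-out of one command to many
# hosts with per-host logs and a summary. RUNNER (default: ssh in batch mode)
# is an assumption that lets the self-test stand in a local script for ssh.

# $1: file with one host per line; $2: command to run on each host;
# $3: log directory; $4: parallelism (default 20).
# Prints "host OK" or "host FAIL rc=N" for every host, sorted by host name.
fanout() {
    hosts=$1; cmd=$2; logdir=$3; par=${4:-20}
    runner=${RUNNER:-ssh -o BatchMode=yes -o ConnectTimeout=5}
    mkdir -p "$logdir"
    # One sh per host: run the command through $runner, keep its output in the
    # host's log, and report the exit status. BatchMode makes ssh fail (255)
    # instead of prompting when a key is missing, so nothing hangs.
    xargs -P "$par" -I{} sh -c '
        host=$1; cmd=$2; logdir=$3; runner=$4
        $runner "$host" "$cmd" >"$logdir/$host.log" 2>&1
        rc=$?
        if [ "$rc" -eq 0 ]; then echo "$host OK"; else echo "$host FAIL rc=$rc"; fi
    ' _ {} "$cmd" "$logdir" "$runner" <"$hosts" | sort
}

# Count failures in fanout output: the number that belongs in the mail subject.
fanout_failures() {
    grep -c ' FAIL ' || true
}
```

Typical use for the 72-hour kernel patch case: `fanout hosts.txt 'apt-get update -q && apt-get -y install linux-image-generic' /var/log/fanout 50 | tee summary.txt`, then `fanout_failures < summary.txt` to see how many hosts need a second pass. The per-host logs are what you grep when one of them did not come back.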

  • by mysidia ( 191772 ) on Tuesday March 10, 2009 @12:22AM (#27130729)

    Installing a pre-packaged app is difficult without su privileges, but you can easily build something in a directory where you can set files to be executed.

    Group policy in Windows is about stopping casual users from breaking policy too easily. Experienced professionals have means to circumvent protections on their workstations.

    You can't easily build a thing without compilers, esp. when your home directory is on a filesystem mounted NOEXEC, so you can't run binaries from it.

    And Esp. when disk quotas are in place, such that large binaries would set off alerts, and get sysadmins probing around to find out why you suddenly got a few hundred megs of .o files in your directory.

    If you're concerned about users compiling their own binaries, then you should be just as concerned about them booting their systems from a CD or USB stick, or opening the case, swapping out the hard drive, or booting single user and gaining root, and goofing off in an OS you have no control over.

  • Re:M$ (Score:2, Informative)

    by Nuno Sa ( 1095047 ) on Tuesday March 10, 2009 @01:22AM (#27131055)

    The only supported product in Windows XP's family is named "Windows XP SP3" and was released less than 1 year ago.

    Redhat and Ubuntu will update your system to the latest version (think Vista in MS land) for the same price of the SP3 update to a legacy OS. (The price is "free", btw).

    Regards,

  • by psyclone ( 187154 ) on Tuesday March 10, 2009 @02:22AM (#27131317)

    cssh is great for a handful of computers, but for the 40,000 boxen, try cfengine [cfengine.org]

  • by Bob The Cowboy ( 308954 ) on Tuesday March 10, 2009 @02:23AM (#27131319)

    Or, Trolly McSourface, if you read the myriad of other responses, it works just fine. Simply don't install games in the default OS install (trivial), and mount the filesystems as noexec (can you even do that in Windows, your oh so powerful OS? Not that I'm aware of...). Done.

    And yeah, that doesn't make it any less of a dumb idea.

    In windows, the user just downloads some stupid solitaire off the web, or brings one from home that or something that doesn't require installation.

  • Re:MOD PARENT UP (Score:2, Informative)

    by jap ( 24325 ) on Tuesday March 10, 2009 @02:46AM (#27131403) Homepage

    Err, you can still run interpreted programs on a filesystem mounted noexec:

    ~$ python myprogram.py

    A sufficiently clever user could use an interpreter to write his own dynamic linker and thereby run binaries too.

    No he cannot, as he cannot write that interpreter to a place where it can be executed.

    Besides, such an interpreter already exists on your system and is called /lib/ld.so or one of its newer names. Note that trying to do this trick doesn't work, as your linker then needs to mmap this code with PROT_EXEC which is not allowed for files residing in a noexec mounted fs.
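
As an added example, not part of the thread and not code any commenter posted: a compliance audit of the kind mysidia describes for cfengine/bcfg2 ("detect if a system has fallen out of compliance and send you an e-mail"), covering the points made in this thread: noexec on /home and /tmp (which, as Dolda2000's test and jap show, also defeats the ld.so trick because the kernel refuses PROT_EXEC mappings from a noexec filesystem), the interpreter gap that maitai and jap point out, jamstar7's sudo-group and in-house-repository rules. Every check takes its input as text so it runs offline against constructed samples; the mount points, interpreter paths, admin account and mirror host are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a desktop compliance audit of the kind a
# cfengine/puppet run or a root cron job would execute and mail the admin about.
# Each check takes its input as text so it can be exercised offline; the
# constructed samples below stand in for /proc/mounts, /etc/group and
# /etc/apt/sources.list. Mount points, interpreter paths, the admin account
# and the in-house mirror host are assumptions.

# Mount points (from $2 on) that are absent or lack noexec in a /proc/mounts
# style table ($1). noexec stops a dropped binary from being run directly, and
# the kernel refuses PROT_EXEC mappings from such a filesystem, so running it
# via /lib/ld-linux.so.2 fails as well.
mounts_missing_noexec() {
    table=$1; shift
    for mp in "$@"; do
        opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
        case ",$opts," in
            *,noexec,*) ;;
            *) printf '%s\n' "$mp" ;;
        esac
    done
}

# The gap noexec leaves: "python prog.py" runs from a noexec $HOME just fine,
# because the interpreter lives on an exec filesystem. List the interpreters
# from the arguments that exist and are executable by "other".
world_exec_interpreters() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -maxdepth 0 -perm -o=x -print 2>/dev/null
    done
}

# Members of group $2 in /etc/group text $1 other than the one allowed admin $3.
# On Ubuntu the first user lands in the sudo (or admin) group; nobody else should.
unexpected_group_members() {
    printf '%s\n' "$1" | awk -F: -v grp="$2" -v ok="$3" '
        $1 == grp { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != ok) print m[i] }'
}

# Active deb/deb-src lines in sources.list text $1 whose host is not the
# in-house mirror $2, i.e. a machine that could pull packages you never tested.
foreign_apt_sources() {
    printf '%s\n' "$1" | awk -v host="$2" '
        $1 == "deb" || $1 == "deb-src" { split($2, u, "/"); if (u[3] != host) print $0 }'
}

# Run every check against the live system; returns 1 if anything is off.
audit_live_system() {
    rc=0
    bad=$(mounts_missing_noexec "$(cat /proc/mounts)" /home /tmp /var/tmp /dev/shm)
    [ -z "$bad" ] || { echo "mounts without noexec: $(echo $bad)"; rc=1; }
    bad=$(world_exec_interpreters /usr/bin/python /usr/bin/perl /usr/bin/php /usr/bin/ruby)
    [ -z "$bad" ] || { echo "world-executable interpreters: $(echo $bad)"; rc=1; }
    bad=$(unexpected_group_members "$(cat /etc/group)" sudo itadmin)
    [ -z "$bad" ] || { echo "extra sudo group members: $(echo $bad)"; rc=1; }
    bad=$(foreign_apt_sources "$(cat /etc/apt/sources.list)" mirror.corp.example)
    [ -z "$bad" ] || { echo "foreign apt sources:"; echo "$bad"; rc=1; }
    return $rc
}

# Constructed samples (not captured from any real machine), used for self-test.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'
SAMPLE_GROUP='root:x:0:
sudo:x:27:itadmin,bob
plugdev:x:46:alice'
SAMPLE_SOURCES='deb http://mirror.corp.example/ubuntu hardy main restricted
# deb http://archive.ubuntu.com/ubuntu hardy main
deb http://ppa.launchpad.net/someone/ubuntu hardy main'

# Set AUDIT_LIVE=1 to check the real machine instead of the samples.
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    audit_live_system
else
    mounts_missing_noexec "$SAMPLE_MOUNTS" /home /tmp /var/tmp /dev/shm
    unexpected_group_members "$SAMPLE_GROUP" sudo itadmin
    foreign_apt_sources "$SAMPLE_SOURCES" mirror.corp.example
fi
```

Against the samples the audit reports /tmp and /var/tmp (no noexec), bob (in the sudo group next to the admin) and the PPA line. Fixing the first finding is an fstab change (`tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0` and the same options on /home); closing the interpreter gap means `chmod o-x` on interpreters and adding the few users who need them to a group, which is exactly the "unlock it for the people who need it and watch them" model rather than a pure lockdown.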

  • by twostix ( 1277166 ) on Tuesday March 10, 2009 @02:52AM (#27131429)

    Actually, the "doing this is a bad idea" is a pretty common response from Linux fans when confronted by something their OS doesn't do well, or at all

    Well 17 comments [slashdot.org] in one thread desperately trying to excuse the Vista UAC whitelist exploit here two days ago show you're not above a bit of unapologetic hand waving yourself (when it suits). And now here you are trying to say other people making excuses are annoying.

    Yes, yes they are. Hypocrites are much much worse though.

    Not to mention you must have missed the 10 comments in this thread currently at +5 explaining exactly how to stop people running unwanted programs in Linux. And the two comments at +4 explaining how to easily circumvent application 'lockdown' (lol) on a Windows box.

  • by Toreo asesino ( 951231 ) on Tuesday March 10, 2009 @04:45AM (#27131877) Journal

    It's not just about "locking down" the desktop; this is quite easy in just about any OS, the real issue here is top-to-bottom manageability.

    So yes, specific security requirements are part of that.
    Now say for example you want to push out the new OpenOffice to all of accounts department only...and assuming no deployment problems, sales, and R&D too.

    Next, patching. Show me all machines that haven't patched $NameOfPatchHere you deployed to the company a few weeks after it was made available to the world (giving enough testing time to be sure there's no reports of anything breaking online first).

    Next, branding. The company changes name; merges with another. You want all reference of $COMPANY_X changed to $COMPANY_Y; screensavers, wallpapers, etc, etc. Rebuilding each machine image isn't an option.

    Next; security. You want to open an incoming port on every local firewall for a new teleconferencing system...but only for R&D. By default all non MS-AD ports are sealed off.

    Windows AD does all of this in about 2 clicks per above need. Doesn't matter if you have 5 clients or 5000.

  • by netsrek ( 76063 ) on Tuesday March 10, 2009 @10:54AM (#27134709) Homepage
    So I'm the guy who runs it at Google. :) That number as far as clients was something we stated quite a while ago. It's a much larger number now. You can certainly scale Puppet up more. You just won't be running the one server. What we do is have a dedicated Puppet CA server, and then geographic masters in each major location.
  • by Anonymous Coward on Tuesday March 10, 2009 @01:18PM (#27137067)

    Everyone is treating this question like it is a joke. I guess none of you work in an e-comm environment. I say this because apparently none of you have heard of PCI compliance. To be PCI compliant you need to lock desktops down. Things like usb write access, ftp ability to the outside world, and no local admin access for non-admin employees. So before you start typing ignorant statements about how dumb this is know your facts.

  • Re:M$ (Score:2, Informative)

    by tbogart ( 802762 ) <tjbogart33@gmail.com> on Tuesday March 10, 2009 @05:12PM (#27140975)

    "No, they're not. At least not in any comparable form."

    I guess you have to define 'comparable form' since the entire OS and updates are available as white box ....

    The updates are available. You can pay for quicker access and to use certain tools, but it is open source software, after all.
