Locking Down Linux Desktops In an Enterprise?

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"

  • Re:You don't (Score:3, Interesting)

    by Ex-Linux-Fanboy ( 1311235 ) on Monday March 09, 2009 @08:20PM (#27128743) Homepage Journal

    You know, as much as I agree with you, I wish it were not so.

    More and more things are getting tied to a computer. Back in the early 1990s, a computer was generally used for number crunching and document managing. People (generally) did not use a computer to listen to music, watch a movie, meet people, or to stay in touch with one's friends.

    Now people are using computers for all of these functions. It's important that things we need for daily living in the 21st century are not controlled by a single corporation with a known pattern of abusive behavior. Microsoft's latest abusive behavior--suing TomTom for having FAT32 support on their device--shows that the only thing stopping Microsoft from abusing their monopoly are antitrust laws and community activism.

    This is why Linux needs to fix the issues that make Linux not a suitable desktop for end users, or why one of the other possible open-source desktop OSes (Haiku [haiku-os.org], Syllable [syllable.org], etc.) needs to become a suitable end-user desktop.

    I use Windows right now instead of Linux because I don't feel Linux is ready for the desktop, but most of my partitions for "extra data" are formatted using the second extended filesystem (Linux's "base" stand file system) and read in Windows using ext2fsd [ext2fsd.com] because I don't want my data to be held hostage by Microsoft patents.

    So, yes, I really want Linux to succeed.

    - Sam

  • MOD PARENT UP (Score:5, Interesting)

    by serviscope_minor ( 664417 ) on Monday March 09, 2009 @08:24PM (#27128797) Journal

    Mod parent UP. The OP is thinking about it wrong: i.e. how to manage Unix in the style of Windows. Don't give them root and they can't install software. Make sure the home directories and /tmp are mounted noexec and there is NO WAY that they can run programs which aren't already installed.

    Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.

    You can create an RPM to do this for you, then set up the whole thing automagically using Redhat's or SUSE's tools (one is called kickstart). I suspect it is straightforward on debian based systems, too.

    If you have the autoupdater running (good for security), then update the setup RPM, put it in your local repository, and sit back as all the desktops get updated with new settings.

    Alternatively, you can bodge it with shell scripts and a cron job :-)
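    A compliance check for the noexec advice in this post and the one further down about mounting home directories and /tmp noexec (an added example, not code from any commenter). It parses a mounts table in /proc/mounts format; the sample table below is constructed, and the list of user-writable mount points is an assumption you would adjust per site.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (fields: device mountpoint fstype options dump pass).
# Not taken from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid 0 0'

# Mount points ordinary users can write to (assumed policy; adjust per site).
# Each one must be its own mount carrying the noexec option: a directory that is
# not a separate mount inherits its parent's options, and / is exec.
USER_WRITABLE="/home /tmp /var/tmp"

# has_option MOUNTPOINT OPTION MOUNTS_TEXT
# Exit 0 when the given mount point exists in MOUNTS_TEXT and carries OPTION.
has_option() {
    mp=$1; opt=$2; mounts=$3
    printf '%s\n' "$mounts" | awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# noncompliant_mounts MOUNTS_TEXT
# Print the user-writable mount points that lack noexec, space-separated.
noncompliant_mounts() {
    mounts=$1; out=""
    for mp in $USER_WRITABLE; do
        has_option "$mp" noexec "$mounts" || out="$out${out:+ }$mp"
    done
    printf '%s\n' "$out"
}

# check_noexec MOUNTS_TEXT
# Report each offending mount point; return 1 if any, 0 if all compliant.
check_noexec() {
    bad=$(noncompliant_mounts "$1")
    [ -z "$bad" ] && return 0
    for mp in $bad; do
        echo "NONCOMPLIANT: $mp is mounted without noexec"
    done
    return 1
}

# Run against the constructed sample; on a real host use "$(cat /proc/mounts)".
check_noexec "$SAMPLE_MOUNTS"
```

    Run with the real mounts table from cron and ship the output to syslog, and you have a cheap drift detector for the noexec policy.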


  • by msobkow ( 48369 ) on Monday March 09, 2009 @08:28PM (#27128843) Homepage Journal

    I admit I'm puzzled at the issue of "lockdown" myself.

    For years whenever we needed to lock down a *nix account, the sysadmins would install the software as root and set up the user accounts in capture mode (i.e. .login starts the X session, and the X session doesn't have the ability to add/remove programs.)

    I can't imagine needing to lock down a session any tighter than that, and I've never seen a Windows desktop that was locked down any tighter, either.

  • by whoever57 ( 658626 ) on Monday March 09, 2009 @08:32PM (#27128871) Journal

    You are looking at it from a system security perspective, not an "IT Policies" perspective. He needs to be able to disallow solitaire, force all connections through a proxy server for web filtering, pass down 802.1x keys, force people to use a certain network printer, etc...

    All these can be enforced using control of the services. The problem statement reflects the Microsoft/Windows way of doing things. Turn it around and ask how the network can enforce the policies.

    Proxy: the firewall can enforce this. Users don't use the correct proxy? No web access. Printers: Configure the printer to allow only certain users/groups, etc. etc..

  • by poetmatt ( 793785 ) on Monday March 09, 2009 @08:36PM (#27128917) Journal

    This was the idea that came in my mind as to a method of locking down desktops. I mean really, it's not that hard considering they won't be able to run a .deb or .rpm or whatever package they attempt once it's locked like that anyway.

    It honestly surprises me this is a slashdot article asking for an answer that is as simple as you wrote.

  • by whoever57 ( 658626 ) on Monday March 09, 2009 @08:39PM (#27128957) Journal

    The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.

    A quickstart file to install the machine correctly in the first place, use the autoupdater to update based on your own repository, with custom RPMs to push out further changes. Or, have the machine run a crontab that runs a script from a network-accessible location periodically -- and that script can set up various permissions as required. Or, the script could be local, and rsync is used to push out updates to the script when required. rsync can be set up to use ssh with unencrypted keys allowing a secure root login with no requirement to type a password. There are lots of ways to do it.

  • Re:Huh? Its unix (Score:2, Interesting)

    by spribyl ( 175893 ) on Monday March 09, 2009 @08:40PM (#27128965)

    I would take a look again.

    One of the features of ldap is you can restrict who has access to what part of the directory.

    Though I will grant that if by mixed environment you mean all the flavours of Unix, that is quite the challenge.

  • Re:MOD PARENT UP (Score:4, Interesting)

    by geekboy642 ( 799087 ) on Monday March 09, 2009 @08:46PM (#27129033) Journal

    I was going to post almost exactly this.
    If every directory your users can write to is mounted as noexec, and you don't do something boneheaded like giving them sudo access, they will be completely unable to install software. There'll be extra traps, like disabling flash to prevent most of the browser-based time wasters, but those can be managed reactively, and aren't nearly as likely to require a system re-image.
    Transparent automatic proxies are negligibly simple to implement, for instance a pfSense box and a $300 PC. As a bonus, you can easily add web filtering and block things like Slashdot at work. As for printers, Avahi and cups setup can easily make finding and using printers secure and idiot-proof.
    A local .deb or .rpm archive, and making your desktops automatically check for updates at, say, 2am, will alleviate the rest of your problems. It's also quite easy to provide a virtual "our_enterprise" package that you can have depend on any local fixes or changes for your office.

    The answers to subby's question are almost laughably simple.

  • by Architect_sasyr ( 938685 ) on Monday March 09, 2009 @08:50PM (#27129055)

    You can't get root without proving your competence and signing an agreement that says you will only install apps that have been approved.

    Sometime ask for permission to edit a config file for, say, a webserver to save the admin time. In fact, ask for vi permission because that's your favourite editor:

    sudo vi /etc/httpd/httpd.conf
    Password:
    :sh
    sh#

    Just a random "trick" you can use to get around things like that. To OP:

    I manage my 200-odd machines via ssh-keys and push scripts each night. It's not as pretty as a GUI, but I don't need pretty, I need functional. I keep a machine loaded with an accurate configuration of what should be out there, and every time I make a change on the test machine that I am happy with, I migrate it to the live machine, which pushes out the scripts. But I like the parent's post theory anyway, despite what this post may have looked like.

  • Re:You don't (Score:4, Interesting)

    by baileydau ( 1037622 ) on Monday March 09, 2009 @09:04PM (#27129187)

    Unless users are only given a restricted shell, what prevents them from writing applications in shell script and running them?

    It's either a kiosk or a fully functional Universal Turing Machine...

    Well, one way to do this is to mount the users home / groups with the noexec flag. Only the system partitions should be mounted with execute permissions, and the users shouldn't have any write privileges on them.

  • Re:MOD PARENT UP (Score:3, Interesting)

    by EvilRyry ( 1025309 ) on Monday March 09, 2009 @09:14PM (#27129271) Journal

    Use puppet. Not only can you configure policies and configuration, but you can _sanely_ manage software as well.

  • by Spit ( 23158 ) on Monday March 09, 2009 @09:20PM (#27129321)

    Have you evaluated the canonical commercial tools?

  • by domatic ( 1128127 ) on Monday March 09, 2009 @09:55PM (#27129599)

    Device entries can have permissions set on them and even the newer systems for autoconfiguring peripherals can have specific rules written for them or only add devices for specific users. If you want absolutely nothing to happen when a strange device is plugged in, that can be arranged.

  • by Blakey Rat ( 99501 ) on Monday March 09, 2009 @10:32PM (#27129891)

    Oooh, this is by far my favorite, that's why I saved it for last. If you're to the point where you're seriously considering disabling solitaire, this reveals a number of things about the organization:

    1) The I.T. staff and/or managers are unapologetic control freaks and perhaps even proud of it.
    2) You don't trust your employees to actually be productive on their own.
    3) Your hiring standards are probably pretty low.
    4) You have unrealistic expectations of employee efficiency.
    5) Morale must really be in the toilet already.
    6) It's solitaire for fuck's sake, possibly the most boring game ever devised. If your employees are playing it instead of whatever they should be doing, that means they have no motivation to work, which means management should be the ones to get their lunchtime games taken away, not the employees.

    And yet, all this is just a distraction from the fact that this type of task is MUCH EASIER to do in a Windows environment than a Linux environment... I thought Linux was the "more powerful" OS?

    (Actually, the "doing this is a bad idea" is a pretty common response from Linux fans when confronted by something their OS doesn't do well, or at all. It's really quite annoying, because it distracts from the real issue: Linux isn't as powerful as Windows, despite the open source philosophy.)

  • by Anonymous Coward on Monday March 09, 2009 @10:39PM (#27129953)

    "Like screen savers that try and install crap along with it, then there'll be all the support calls why isn't it working."

    Using my remote control truth extractor, I can detect thoughts that are in your brain but not passed to your fingers on the keyboard. Combining your post with the truth extractor, I get the following:

    "Treating adults like adults is good in theory, but when you have 300+ people trying to..."
    Do their jobs
    "...you want to take away as much..."
    productivity
    "...as possible." So we can feel like we are in charge of something. Even the little people need to feel big every so often. In order to keep our jobs, we need to make sure people need us. Thanks to lockdowns, they will.

    Is that awesome technology or what?

    Would you rather make people stop working and call the helpdesk when they need some kind of app that is (a) harmless and (b) freely available? And it's OK if they wait: 15 minutes? an hour? all day? So you can prevent a call from a guy who screws up the SCREEN SAVER???

    Instead of making Mr. Screensaver wait in the queue because of his counterproductive antics, YOU MAKE EVERYONE ELSE WAIT INSTEAD???

    Such a strategy would only make sense if >50% of all calls were for unnecessary/unauthorized things. And IF that were true, then a lockdown would work so well that support staff could be cut, right?

    Any wonder why IT departments are referred to as the "preventers of information services"???

    What happens if they boot Knoppix from CD? Works pretty well in Windows shops as well. Lock down the BIOS from CD boot? There are numerous published backdoor passwords; almost every BIOS has one.

    BTW, this is a much bigger problem in Windows shops, where people tend to go crazy with pirated stuff, trial versions, spyware, and network bandwidth wasters -- all of which contribute to real risks and system instability. Taking away root access solves most of this in Linux, whereas in Windows it's the full employment act for the helpdesk unless you surrender to the draconian tradeoffs described above.

  • Re:You don't (Score:5, Interesting)

    by DavidRawling ( 864446 ) on Monday March 09, 2009 @10:58PM (#27130127)

    I think the point of the G...GP post was that you can't easily push this out remotely, and on Linux you have to write it, support it and debug it yourself, including all the niggly corner cases.

    Frankly Windows has some cool Enterprise stuff that makes this easier.

    1. WSUS. Centrally administer the set of updates permitted to clients and servers. Linux version: Maybe set up a repository for your corp distro - but how to sync and manage the updates is what I don't know here.
    2. SCCM / Zenworks / Others. Roll out an application to user desktops whether they're on-net or not. I can push Office to a machine 500mi from one of my offices. Well, OK the admins, I'm a consultant (a contraction of Con and Insult). I get reporting, auto retry, auto download with bandwidth optimisation. Linux version: I honestly don't know. I never hear about this and it's a major, major part of TCO for the desktop, so there must be SOMETHING - and I'd love to know about it.
    3. Group Policy. Push out settings, apps, scripts without any admin access. Disable apps (or provide a white list of apps - hey no more goddamn spyware it's the single most sensible way to protect a Windows box from this crud). A single change in one location with enforced application to the desktop, when the desktop is on-net (those remote users have to change passwords eventually)! Marketing wants a new desktop background across the company (and the CEO has OK'd it)? Sure, give me the file, generally speaking it's on 95% of online machines in under an hour, with no user ability to turn it off. And hey, it's a company machine. Do you expect to repaint the company walls sky blue because you don't like puce?

    It's worth noting that these policies aren't Microsoft deciding willy-nilly how you will use your computer. It's the Fortune 500+ companies, and their equivalents in Europe, Asia-Pac etc, who have requested this. They have very big wallets. They spend way more on MS than we do. And apparently some dorkwad once determined that allowing users to set their own desktop background wastes time and thus money, so they want to lock things down, protect themselves from lawsuits etc, and ensure they are paying people to work, not skive off typing long comments on /. ...

    Ahem. As I was saying.

    In these sorts of cases (desktop wallpaper, sound schemes), to me, the benefit is not time and money, it's the ability to avoid a lawsuit because Big Stu the ladies' man in the centre of the office decided to have some porno chick as his wallpaper and porno sounds for new emails et al. And the 30 women around him get offended and sue the company for letting him be a dickhead even though there's a clear policy in place.

  • Re:You don't (Score:5, Interesting)

    by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Monday March 09, 2009 @11:17PM (#27130253)

    I think the point of the G...GP post was that you can't easily push this out remotely, and on Linux you have to write it, support it and debug it yourself, including all the niggly corner cases.

    That's a good point, but the kind of huge organization you mention will have in-house IT people who can do that anyway, and I still think the advantage of a FOSS platform outweighs the relative lack of ready-to-go deployment facilities.

    WSUS. Centrally administer the set of updates permitted to clients and servers. Linux version: Maybe set up a repository for your corp distro - but how to sync and manage the updates is what I don't know here.

    Any of the major repository systems can be set up in a custom configuration with client machines automatically sucking packages up from a central company repository. Redhat's up2date and satellite systems are especially geared toward this kind of deployment.

    SCCM / Zenworks / Others. Roll out an application to user desktops whether they're on-net or not. I can push Office to a machine 500mi from one of my offices

    If I'm understanding this correctly, you get application installation automation for free with your centralized repository, perhaps automated with cfengine, puppet, or even ssh-in-a-loop.

    Group Policy...

    This is hard, and I'll admit Windows has an edge here, though personally, I feel like that's a little bit about North Korea having an edge in oppression compared to the US; it's not necessarily something desirable.

    That said, if you must do something like this, there are ways. Other comments for this article address this point better than I do. For starters, there's kiosk mode [kde.org] "KDE's Kiosk Mode, allows a system administrator to configure all aspects of the desktop for an end user and optionally prevent the end user from making modifications to the provided setup."

    Gnome also supports a lockdown system [gnome.org].

    And as a last resort, you can always patch the software and distribute the patched version to all your machines.

  • by mysidia ( 191772 ) on Monday March 09, 2009 @11:55PM (#27130535)

    No matter what your desktop OS, you'll break (or have to do without) certain things, if you insist upon strong security and ironclad policy enforcement.

    There are desktop options you can use that don't require any interpreters, at the sacrifice of a little usability, and possibly productivity. You may have to make do with a simpler desktop environment than Gnome, such as xfce4, that doesn't rely on all the Python scripting.

    But even if you leave interpreters full on and just use 'noexec', what you get is ironclad by comparison to Windows group policy.

  • by Nuno Sa ( 1095047 ) on Tuesday March 10, 2009 @01:08AM (#27131001)

    What? You must be joking...

    If he has "luser ALL=(ALL) ALL" in sudoers he can sudo bash and become root.

    If he's only to have access to /usr/bin/rvi the correct entry would be:

    luser ALL = /usr/bin/rvi

    ...Now, if he can write to /usr/bin the admin has worse problems than luser getting root.

    ...And if the admin made the entry look like "luser ALL = /home/luser/rvi" (and luser has write access to /home/user) the admin is dumb.

    So, your "exploit" needs the admin to be 110% dumb. Great! I know some 90% dumb, but 110% is pushing it :)

    Get real, please.
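    A sudoers audit that flags the entry shapes this post and the earlier "sudo vi" post warn about (an added example, not code from any commenter): unrestricted ALL commands, commands living in user-writable paths, and interactive editors that allow shell escapes. The sudoers text below is constructed; the set of "user-writable" prefixes and the editor list are assumptions to tune per site.

```shell
#!/bin/sh
# Constructed sudoers sample (not from a real host). Mirrors the entries
# discussed in the thread: a full-ALL grant, rvi in /usr/bin, rvi in $HOME,
# plain vi (which has a :sh escape) and a harmless service restart.
SAMPLE_SUDOERS='# /etc/sudoers (constructed)
Defaults    env_reset
Cmnd_Alias  SERVICES = /usr/sbin/service
root    ALL=(ALL) ALL
luser   ALL=(ALL) ALL
alice   ALL = /usr/bin/rvi
bob     ALL = /home/bob/rvi
carol   ALL = /usr/bin/vi /etc/httpd/httpd.conf
%ops    ALL = NOPASSWD: /usr/sbin/service httpd restart'

# audit_sudoers SUDOERS_TEXT
# Print one finding per weak user specification; root is skipped.
# Assumed policy: commands under /home, /tmp or /var/tmp are user-writable,
# and vi/vim/nano/less/more/man can spawn a shell (use sudoedit or NOEXEC).
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }                               # blank line
        /^[[:space:]]*#/ { next }                      # comment / #include
        /^[[:space:]]*Defaults/ { next }               # not a user spec
        /^[[:space:]]*[A-Za-z]+_Alias/ { next }        # alias definition
        {
            eq = index($0, "=")
            if (eq == 0) next
            lhs = substr($0, 1, eq - 1); rhs = substr($0, eq + 1)
            sub(/^[[:space:]]+/, "", lhs)
            split(lhs, l, /[[:space:]]+/); user = l[1]
            if (user == "root") next
            n = split(rhs, cmds, ",")                  # command list
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", c)   # drop (runas)
                while (c ~ /^[[:space:]]*[A-Z]+:/)                  # drop tags
                    sub(/^[[:space:]]*[A-Z]+:[[:space:]]*/, "", c)
                sub(/^[[:space:]]+/, "", c)
                split(c, t, /[[:space:]]+/); path = t[1]
                base = path; sub(/.*\//, "", base)
                if (path == "ALL")
                    print user ": unrestricted command (ALL)"
                else if (path !~ /^\//)
                    print user ": relative command path: " path
                else if (path ~ /^\/(home|tmp|var\/tmp)\//)
                    print user ": command in user-writable path: " path
                else if (base ~ /^(vi|vim|nano|less|more|man)$/)
                    print user ": shell-escape capable command: " path
            }
        }'
}

# Run against the constructed sample; on a real host feed it "$(cat /etc/sudoers)".
audit_sudoers "$SAMPLE_SUDOERS"
```

    Expected findings are luser (ALL), bob (/home path) and carol (vi); alice's /usr/bin/rvi entry passes.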

  • by Anonymous Coward on Tuesday March 10, 2009 @01:17AM (#27131033)

    Multiply this by about 500 machines, and then the ability to later on down the road be able to change it without having to completely redo them or find some screwed up roundabout way to push out to every machine via scripts...

    You'll quickly turn to the Windows way of doing it.

    You've never actually used Linux have you. I can push out 40 6Gb images over a network in 10 minutes locked down with bastille and Linux SE. Ossim to manage the lot. Call it a day.

  • by walt-sjc ( 145127 ) on Tuesday March 10, 2009 @07:08AM (#27132565)

    Bingo.

    If you don't restrict sudo, you can do anything. I would bet that most people here use sudo for full root access and not restricted commands, and don't understand this.

    But back to the apache example, why oh why are people still starting it as root with the config files being owned by root? That's nuts. Use iptables to redirect port 80 to 8080 (and 443 to 8443) and get off the "root crackpipe."

    To be honest, the legacy requirement that you must be root to run applications on ports less than 1024 doesn't make sense in the modern security world and Linux (along with OSX, Solaris, etc.) should dump it. Unix derivatives are the ONLY OSes with such restrictions, and the workarounds of starting as root and dropping privs are just a bloody nightmare and SOOOOO unneeded. Along similar lines, native jailing of apps really should be built in to the OS. BSD has it, Solaris has it, Linux needs it. Right now it's bloody difficult to jail a user to a portion of the filesystem. vservers help but are not a true replacement for being able to jail a user (or hundreds of users) to a limited area.

  • by viridari ( 1138635 ) on Tuesday March 10, 2009 @08:42AM (#27133093)

    And how long would it take me to SSH into 40,000 desktops to update Adobe Reader 8 to Adobe Reader 9, because there is some new feature that someone decided we just have to implement? How long to copy the browser link to 40,000 desktops to comply with a mandatory ethics reporting plan we had to put in place? How long to patch 40,000 kernels for a security hole that must be resolved within 72 hours due to Corporate Information Security policy?

    How long does it take you to install software on just one machine?

    Because seriously... NFS mounted app directories. It will change your outlook. Look into it.

    I use cfengine to manage my servers. Right now I only have about 50 servers to manage, but with a userbase of about 30,000 very clever users and some really obnoxious corporate policies to enforce. At a previous job I was managing thousands of Linux boxes all by myself, and had half my day left over to help the Windows guys with their pile of work to manage a few hundred desktop machines and a couple of dozen servers.

    This isn't rocket science. This is a matter of a professional using the right tools to get the job done effectively and efficiently.
