Locking Down Linux Desktops In an Enterprise? 904
supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"
Puppet (Score:5, Informative)
Use puppet to enforce configuration: http://reductivelabs.com/products/puppet/ [reductivelabs.com]
Re:Puppet (Score:5, Informative)
I was going to say CFEngine, but that's only because it's what I'm currently using. I'd love to move to puppet but at the time we deployed CFEngine, puppet wasn't ready for all the things we needed it to do (windows and solaris in addition to linux)...this has likely changed now, but we've got a lot of cf scripts that would need conversion.
Whichever tool is chosen (there are others in this space too), I believe this is the correct answer. I know that CFEngine scares a lot of people off (and maybe puppet does too?), but it is an excellent way to manage a large set of hosts.
-Ben
Re: (Score:3, Informative)
Yes, Puppet and CFEngine look like the modern solution.
At our small office (up to 10 desktops), we use Fedora (from Core 6 to 9), plus NIS+NFS+autofs for user account+directory file management, installed from a centralized DHCP+PXE+NFS+Kickstart installation.
Then we have our own home-brewed root crontab scripts (deployed by kickstart post-install) that:
- replaces local files from centralized versions (some are just text files, others are sym-links, others are firefox plugins - like Adobe's flash player).
- i
Mittens!!! (Score:5, Funny)
Re:Mittens!!! I was going to say: Give everyone (Score:5, Funny)
Paws... Then they could have Caps Paws...
But, if Puppet offers tiered services, then you can evaluate the... Puppet Tiers (LOL)... Then controlling the employees simply becomes a matter of ... pulling strings...
Is Samba 4 ready? (Score:5, Informative)
LSTP (Score:5, Insightful)
LSD (Score:5, Funny)
Why not use LSTP? That way you only have to worry about whatever image(s) you keep on the server.
Better yet, use LSD! Then all you have to worry about is why those images are talking to you.
Come on... (Score:3, Insightful)
so expensive that it's cheaper to leave M$ on!
If you want to be taken seriously, please lern 2 spel currektly. I'm not a Microsoft fan, but it sure is annoying seeing it spelt like that.
dumb terminals? (Score:5, Insightful)
if you are talking stand alone desktops then it's not so great. linux doesn't really have anything as good as group polices and active directory, it's part of the reason corperate networks are mostly windows.
What are you trying to do? (Score:5, Insightful)
I guess the first question is: what are you trying to accomplish? Are you trying to prevent users from installing additional software locally? Are you trying to insure that particular applications get particular preferences set and users are prevented from changing those settings? What? Just saying "lock down the desktops" doesn't say what you're trying to actually do.
Remember that Unix is, in large part, designed to work correctly without needing to be locked down. Much is controlled simply by the system-wide configuration files. The rest tends to be controlled on the server side, so that users simply can't do unacceptable things regardless of how they configure their local user account.
Re:What are you trying to do? (Score:5, Insightful)
Never underestimate a user's ability to fark up something that is, in theory, unfarkupable.
Re:What are you trying to do? (Score:5, Insightful)
I like this version better: No system is foolproof, because fools are fiendishly clever.
Re:What are you trying to do? (Score:4, Informative)
The problem with making things idiot proof is you generate a better class of idiot.
As to the problem at hand, there are tons of things you can do to keep users out of trouble. Biggest one is, keep them from accessing sudo. Easiest way to do that is, create an 'admin' account on the machine before generating user accounts. Only the first user account on a Ubuntu machine has sudo access automagically. Additional users need to be added manually to the sudo group. Remove any and all software that you don't need. What those software pieces are would depend on your application. Then add the necessary maintanance scripting run as cron jobs, things like apt. Edit the /etc/apt/sources.list to restrict repositories. What I'd do then is, recut a master CD using Ubuntu Customisation Kit [sourceforge.net] so you have a 'standard' install, and set up an inhouse repository for updates, fed from the inhouse server. Since the workstations only look at the inhouse repository, they should only be able to install from the local server. And if they're locked away from apt, that shouldn't be a problem.
Re: (Score:3, Funny)
Re:What are you trying to do? (Score:5, Insightful)
You are looking at it from a system security perspective, not "IT Policies" perspective. He needs to be able to disallow solitare, force all connections through a proxy server for web filtering, pass down 802.1x keys, force people to use a certain network printer, etc...
Re:What are you trying to do? (Score:5, Interesting)
All these can be enforced using control of the services. The problem statement reflects the Microsoft/Windows way of doing things. Turn it around and ask how the network can enforce the policies.
Proxy: the firewall can enforce this. Users don't use the correct proxy? No web access. Printers: Configure the printer to allow only certain users/groups, etc. etc..
Re:What are you trying to do? (Score:5, Insightful)
Id say if someone has to bring in their own printer, your company has bigger IT problems...
Re: (Score:3, Interesting)
Device entries can have permissions set on them and even the newer systems for autoconfiguring peripherals can have specific rules written for them or only add devices for specific users. If you want absolutely nothing to happen when a strange device is plugged in, that can be arranged.
Re:What are you trying to do? (Score:5, Insightful)
> Then how do we prevent people from bringing in USB printers from home and connecting them locally?
Well it seems to me you are dealing with one of two scenarios.
1. Users are so desperate to get work done they are working around IT stupidity. History repeats itself. Microcomputers were often brought into the workplace to get around the stupid restrictions the high priests of IT put on access to the minicomputer/mainframe. And a lot of minis initially came in to get local control of computing away from the lords of the mainframe at corporate HQ.
Solution: Replace the IT people and let employees so motivated they were bringing their own printer do their part to get the economy going again.
2. Users doing nefarious things like printing out company secrets.
Do you think they won't work around any restrictions short of putting epoxy in the USB ports? And if you do that they will clone the MAC address onto a laptop and connect it in place of the locked desktop. Money motivates.
Solution: In such a secure environment they should be using terminal services to keep them away from physical access to the hardware that can compromise security. When you catch someone probing the defenses get rid of them before they figure out a way in. If you can't trust them they shouldn't be allowed anywhere near secrets. If they have to the bastards will take screenshots with their damned cellphone.
Re:What are you trying to do? (Score:5, Informative)
(1) Don't install any solitaire program. Mount users' home directories noexec, don't give users root access. They won't be playing solitaire. This also prevents them from downloading solitaire off the web... blocking winsol.exe in Windows group policy doesn't stop any of this, and doesn't stop users from copying winsol.exe to some innocuous filename like C:\excel.exe
(2) iptables rules can be set to deny web access except through the proxy.
(3) Passing keys is just a single example of central config management, there are tools for this as well, like cfengine, bcfg2.
Re:What are you trying to do? (Score:4, Insightful)
You'll quickly turn to the Windows way of doing it.
Re:What are you trying to do? (Score:5, Informative)
Didn't I mention bcfg2? cfengine and bcfg2 are tools that is used to do just that, force tens of thousands of machines to comply with approved configurations, and remediate machines that don't, by making them match the approved configurations.
And yes, you can remove software, set iptables rules, distribute keys, etc, using pre-made open source software available for Linux.
Re: (Score:3, Informative)
Custom kickstart with all the required configurations, and some basic configuration management software, makes it -extremely- easy to manage. The requirement is having an admin that knows how to set it up correctly in the first place.
Lock out root accounts, mount user home directories from a separate partition/disk/network share and you can even reinstall the base OS without touching their files. Any decent configuration management software (there are a lot of choices) would also allow IT to add rpms or mak
Re: (Score:3, Insightful)
Most "I.T. Policies" are stupid and written by control freaks with no managerial sense.
The ridiculousness of web filtering aside, this is easily accomplished by pre-made config files in /etc/skel.
Again, /etc/skel or something like Puppet [reductivelabs.com] works fine here.
Re: (Score:3, Insightful)
In a large organisation the poor admin implementing the policy is not the person who created the policy.
Web filtering is put in because Suzy once saw Joe in accounting see this site [tubgirl.com] after I linked to it here, because I'm a bit of a cunt like that. She then caused massive panic, which spread upwards to the CEO, who decreed that The Internets Shall Be Filtered to prevent the company being sued.
Most GP isn't implemented to be totally bulletproof, its there to create a standardised config, and mostly prevent pe
Oops! There's that REALITY again... (Score:4, Informative)
What you are forgetting is that most companies, especially large companies ARE boring places staffed by a high percentage of mediocre people. Large organizations have a large amount of administrative overhead, and the vetting process is long, convoluted, and inefficient. It's just the nature of the beast.
1) IT staffed by control freaks? Well duh! It's the only way they can appear to be doing something and not getting their asses handed back to them if anything goes wrong...
2) Trust? How much do YOU trust people you know just barely well enough to remember their name? And anytime you get more than 5 people together, they start grouping up and taking sides. Disputes soon follow. Care to guess what it's like when there are 500?
3) Hiring standards? Have you seen who applies to Monster.com ads? As an employer, I can say the domain name is appropriate...
4) unrealistc expectations... It's often hard enough to simply establish expectations at all. 5) Morale? You want to talk about morale!?!? Large companies spend months rolling out big updates like using actual coffe in the coffe makers at their 2,000 store fronts, or on 6 month programs toget locations to clean their bathrooms. Wait until you spend a man-week working yer ass off because somebody didn't know what 'historic' meant, only to find you didn't need to do anything at all. Then see what your morale is like.
6) Unmotivated employees? Your average wage slave is motivated by a desire to do as little as possible and not get yelled at.
Go work at/for/with some large organizations sometime. You'll see why Dilbert is so popular - not because it's quirky and off-beat but because IT'S TRUE!
Re:What are you trying to do? (Score:4, Informative)
Or, Trolly McSourface, if you read the myriad of other responses, it works just fine. Simply don't install games in the default OS install (trivial), and mount the filesystems as noexec (can you even do that in Windows, your oh so powerful OS? Not that I'm aware of...). Done.
And yeah, that doesn't make it any less of a dumb idea.
In windows, the user just downloads some stupid solitaire off the web, or brings one from home that or something that doesn't require installation.
MOD PARENT UP (Score:5, Interesting)
Mod parent UP. The OP is thinking about it wrong: ie how to manage unix in the style of windows. Don't give them root and they can't install software. Make sure the home directories an /tmp is moutes -noexec and there is NO WAY that they can run programs which aren't already installed.
Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.
You can create an RPM to do this for you, then set up the whole thing automagically using Redhat's or SUSE's tools (one is called kickstart). I suspect it is straightforward on debian based systems, too.
If you have the autoupdater running (good for security), then update the setup RPM, put it in your local repository, and sit back as all the desktops get updated with new settings.
Alternatively, you can bodge it with shell scripts and a cron job :-)
Re:MOD PARENT UP (Score:5, Insightful)
While I _mostly_ agree with this, a nice policy management (configuration management mostly) tool is also essential when dealing with lots of boxes. You want a new setting for all Gnome desktops, simply add it to the policy tool and let it distributed any required config files or run commands to change the setting, etc. This type of thing used to be done with things like: for h in $all_my_hosts; do ssh $h /tweak/some/setting; done
CFEngine and Puppet and friends are a nicer way of doing this. They're "self documenting" in that your write the code and then you can later very easily see when you added some configuration bits, etc...version control your configuration management scripts and you get even better tracking of who did what and when. (A side question: How does one do the version control type stuff in AD?)
While kickstart is great (I use it), it only goes so far. Having a policy manager on top of that (installed and configured in the kickstart) is a beautiful thing!
-Ben
Re:MOD PARENT UP (Score:4, Interesting)
I was going to post almost exactly this. .deb or .rpm archive, and making your desktops automatically check for updates at, say, 2am, will alleviate the rest of your problems. It's also quite easy to provide a virtual "our_enterprise" package that you can have depend on any local fixes or changes for your office.
If every directory your users can write to is mounted as noexec, and you don't do something boneheaded like giving them sudo access, they will be completely unable to install software. There'll be extra traps, like disabling flash to prevent most of the browser-based time wasters, but those can be managed reactively, and aren't nearly as likely to require a system re-image.
Transparent automatic proxies are negligibly simple to implement, for instance a pfSense box and a $300 PC. As a bonus, you can easily add web filtering and block things like Slashdot at work. As for printers, Avahi and cups setup can easily make finding and using printers secure and idiot-proof.
A local
The answers to subby's question are almost laughably simple.
Re: (Score:3, Insightful)
Actually, browsing Slashdot, The Old New Thing [msdn.com], lwn.net [lwn.net] and so on has made me more productive overall. Preventing users from accessing "time wasters" is a losing strategy: not only is the blocking technically futile, but by treating employees like children, you kill morale. Instead of micromanaging their days, treat employees like responsible adults and evaluate them based on their work and its results.
Re: (Score:3, Informative)
This is just wrong. Even in the Windows world. You don't need to be root to "install" a program (and what is with the "install" mentality anyhow?) Someone can happily place a binary in their home directory, or /tmp, or wherever they have write permissions and run it (note the next paragraph).
And relying on noexec? /usr/bin/perl is usually executable, as is /usr/bin/php, /placeyourfavoriteinterprethere and can run any script you tell it to regardless of the noexec bit on the partition you mounted. For th
Re:MOD PARENT UP (Score:4, Insightful)
Err, you can still run interpreted programs on a filesystem mounted noexec:
~$ python myprogram.py
A sufficiently clever user could use an interpreter to write his own dynamic linker and thereby run binaries too.
But I agree: locking down the desktop is the wrong approach. Better is to separate sensitive information from things that aren't sensitive, and have a standard user environment to restore to if the user does manage to mess up his configuration.
Re: (Score:3, Insightful)
Don't treat your employees like criminals, if they break enough things all the time, fire them for incompetence, but there is no need to totally lock down everything.
Re:MOD PARENT UP (Score:5, Insightful)
Get it out of your heads. Many of the things group policy can do has nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.
When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A for Department B".
Want to make a change to how a whole department does things? There's no pushing a script out later on to the whole department. You simply change it in group policy and the entire thing gets taken care of automatically.
You can spend more time focusing on actually getting shit done than fussing around with HOW to solve the problem with roundabout tool sets.
Re:MOD PARENT UP (Score:5, Informative)
This kind of stuff is why NFS-mounted home directories are just wonderful. If my machine kicks the bucket, I can grab a new one, install an OS on it, and get back to where I was before in half an hour. In a larger organization, an imaged system would work even better.
Now, as for mass configuration changes, cfengine [cfengine.org] is your friend.
Re: (Score:3, Interesting)
Use puppet. Not only can you configure policies and configuration, but you can _sanely_ manage software as well.
A lot of this can be done with netbooting (Score:3, Insightful)
Many of the things group policy can do has nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.
When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A
Re:A lot of this can be done with netbooting (Score:4, Insightful)
Move it to a new department? Change the entry for the machine on the DHCP server. No need to pull it in for retweaking.
Or even plugged in when you make the change.
You can use the whole disk for swap and /tmp. No individual installs. No local copies.
And the user's entire persistent state is on your fileservers, where you control the backup, maintain history (and let the user recover his OWN lost files), etc.
Meanwhile, with nothing persistent on the user's machine there's no info lost if it fries or is stolen, or if you need to upgrade his hardware. Just configure a fresh machine for netboot and replace the MAC address of his workstation with the new machine. Instant gratification.
You also get to update the software on ALL the machines by updating ONE image on the servers.
Re:What are you trying to do? (Score:5, Interesting)
I admit I'm puzzled at the issue of "lockdown" myself.
For years whenever we needed to lock down a *nix account, the sysadmins would install the software as root and set up the user accounts in capture mode (i.e. .login starts the X session, and the X session doesn't have the ability to add/remove programs.)
I can't imagine needing to lock down a session any tighter than that, and I've never seen a Windows desktop that was locked down any tighter, either.
Re: (Score:3, Interesting)
This was the idea that came in my mind as to a method of locking down desktops. I mean really, it's not that hard considering they won't be able to run a .deb or .rpm or whatever package they attempt once it's locked like that anyway.
It honestly surprises me this is a slashdot article asking for an answer that is as simple as you wrote.
Indeed it is a problem (Score:5, Insightful)
In linux world, there is yet to be a quick, 3 question and 1 button way to add the computer to a domain and then receive straight away:
- group policies - security and software install
- single password store (with cached passwords for notebooks that go away from the network)
- Patch update policy
The only thing linux does right is work on technologies such as DHCP that were written for OTHER unix O/S'.
Ubuntu is not interested in those things, they're more interested in making stories about koalas and hiding popup boxes.
Gnome is dead, Mono and moonlight took all their brains away.
kde is making a next-gen desktop but have yet to understand why so many IT shops have kept Windows at the office.
This is all depressing. Windoze will never be replaced at the current rate.
Re:Indeed it is a problem (Score:5, Insightful)
This is very much like when (several years back) I was told Linux wasnt ready because there was no antivirus or defrag available.
If all you know is Windows then you imagine these things are critical to the operation of a corporate network. They arent. They're patches plastered all over an inherently poor design to allow it to (sort of) function in that environment.
With a real OS the actual underlying goals these things serve are served without the need for the specific windows-centric functions to patch windows-specific problems.
What lockdown do you need? (Score:5, Informative)
A desktop where the user does not have su/sudo access is already pretty locked down -- the user can only write to his home directory and other directories that he/she has access to through normal permissions.
If you really want to lock it down, the user's home directory can be mounted in such a way that files cannot be executed from there.
What elso is required?
Re:What lockdown do you need? (Score:5, Informative)
What elso is required?
The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.
Re: (Score:3, Interesting)
A quickstart file to install the machine correctly in the first place, use the autoupdater to update based on your own repository, with custom RPMs to push out further changes. Or, have the machine run a crontab that runs a script from a network-accessible location periodically -- and that script can set up
Re: (Score:3, Informative)
The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.
That's a job for cfengine/bcfg2 or puppet, and a couple scripts to maintain exactly what you want. There are tools that can do this sort of thing very well.
And you can also easily set it up so you can detect if a system has fallen out of compliance for some reason, and possibly send you an e-mail.
Wind
Re: (Score:3, Interesting)
Have you evaluated the canonical commercial tools?
Huh? Its unix (Score:5, Informative)
If you just manage the users properly and NFS mount applications it almost takes care of its self and don't need an extra layer of complexity.
use PXE+XDMCP and the workstations be come irrelevant
Re:Huh? Its unix (Score:4, Insightful)
Isn't this something Unix solved decades ago? (Score:3, Insightful)
You set up the machines to all boot over the network, from a common image, and to load all system files from a NFS share.
The only thing on the workstation is the user's $HOME directory, and some local stuff like /tmp, /var, etc.
Your users don't get root on their workstations. They shouldn't need it. This isn't like Windows, where a huge number of apps don't run correctly if you don't have admin rights. Linux is designed under the assumption that users don't have admin rights.
Maybe I'm being naive, but what more do you need?
Re: (Score:3, Insightful)
He wants to enforce things such as proxy settings, desktop settings, auditing, etc.
3 years ago (or so) ... (Score:5, Insightful)
IToday, we have a colorful disaster that isn't even as usable as its predecessor. Developers should have focused on the need for an enterprise desktop that could actually make a dent in MS corporate sales. Instead we got useless eye candy.
The fault, of course, lies with the big distributions that pride themselves on providing enterprise ready Linux. Enterprise sans le Desktop. Useless wanking. The requirements for an enterprise ready desktop are out there for anyone to see and it's not just "applications" as everyone usually points out. It's the ability for administrators to create and maintain a usable desktop according to official corporate policies. No more and no less.
Re:3 years ago (or so) ... (Score:5, Insightful)
The thing about that is it would require some very skilled programmers to do some very boring things. Generally this requires large infusions of cash and/or beers.
policies (Score:4, Insightful)
locking down Linux terminals to comply with company policies
Sooo, what exactly ARE these company policies?
Re: (Score:3, Funny)
Keep employees from installing software unless your an upper level executive who needs a business level package. You know, like Solitaire, their favorite screen saver, a program that will display files (like naked_britney_spears.zip.exe) they get in email.
You know, the policy that says I am too special to actually follow the rules...
Pessulus (Score:3, Informative)
What's wrong with that?
Back in the old days ... (Score:3, Funny)
...we just used a script that called useradd pointing to the appropriate skeleton directory and then called chown/chmod to keep people from modifying the rc files in their home directories.
Really smart users can probably find a way around this. But then at a company I used to work for, we could never lock down Windows NT to keep the shop floor mechanics from setting the wallpaper to a Pamela Anderson, Tommy Lee photo. So I guess its all relative. You may need users that are dumber than a high school dropout welder.
Do what's cheaper (Score:5, Insightful)
If it's cheaper to stay with a Microsoft-based infrastructure, then stay with that. Creating massive infrastructure-wide group policies that go from desktop to web browser is sort of a windows thing. If you're going to maintain security policies in a linux-based system, you better be prepared to start thinking in Unix- that means remembering that you're using a network-based system, not a locally-oriented system on a network.
If you're setting an IT infrastructure, the costs you're cutting on licensing will probably bite you in either support, security, training, or usability/productivity. There's no such thing as free software, I'm sorry.
2009 is the Year of Linux on the Desktop (Score:3, Funny)
we leave our security to (Score:5, Funny)
Locking Down Linux Desktops In an Enterprise?
We leave our security in the hands of Mr. Worf.
Re:How about: less douchebaggery? (Score:5, Insightful)
Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings?
Because a number of them will wind up installing aps that put the company at risk?
Re: (Score:3, Informative)
You can't install apps without root.
You can't get root without proving your competence and signing an agreement that says you will only install apps that have been approved.
It changes from being a "lockdown the desktop" problem, to an "unlock the desktop for people who absolutely need it, and closely monitor their activities" problem.
Re:How about: less douchebaggery? (Score:5, Interesting)
You can't get root without proving your competence and signing an agreement that says you will only install apps that have been approved.
Sometime ask for permission to edit a config file for, say, a webserver to save the admin time. In fact, ask for vi permission because that's your favourite editor:
sudo vi /etc/httpd/httpd.conf
Password:
:sh
sh#
Just a random "trick" you can use to get around things like that. To OP:
I manage my 200-odd machines via ssh-keys and push scripts each night. It's not as pretty as a GUI, but I don't need pretty, I need functional. I keep a machine loaded with an accurate configuration of what should be out there, and every time I make a change on the test machine that I am happy with, I migrate it to the live machine, which pushes out the scripts. But I like the parents post theory anyway, despite what this post may have looked like.
Re:How about: less douchebaggery? (Score:5, Informative)
Vim supports a mode referred to as 'restricted' mode.
i.e. cp /usr/bin/vi /usr/bin/rvi
Give the user permission to run 'rvi' instead of permission to run 'vi'
Also, you needn't give root to do that; modern distros have these things called 'group permissions', or even ACLs.
You can create that user a special non-root user that they 'sudo' to in order to edit the config file, and an ACL permits just that particular user to edit the particular allowed config files.
Re: (Score:3, Funny)
Re:How about: less douchebaggery? (Score:5, Informative)
Which is not the same as 'sudo rvi'. You can set sudo to only allow certain commands, so if you allowed 'sudo rvi', you couldn't run 'sudo ~/vi'.
sudo filters by the command executed (I've seen things restricted to full command line - i.e. sudo killall -HUP ircd but not sudo killall ircd).
Re:How about: less douchebaggery? (Score:4, Interesting)
Bingo.
If you don't restrict sudo, you can do anything. I would bet that most people here use sudo for full root access and not restricted commands, and don't understand this.
But back to the apache example, why oh why are people still starting it as root with the config files being owned by root? That's nuts. Use iptables to redirect port 80 to 8080 (and 443 to 8443) and get off the "root crackpipe."
To be honest, the legacy requirement that you must be root to run applications on ports less than 1024 doesn't make sense in the modern security world and Linux (along with OSX, Solaris, etc.) should dump it. Unix derivitives are the ONLY OS's with such restrictions, and the workarounds of starting as root and dropping privs is just a bloody nightmare and SOOOOO unneeded. Along similar lines, native jailing of apps really should be built in to the OS. BSD has it, Solaris has it, Linux needs it. Right now it's bloody difficult to jail a user to a portion of the filesystem. vservers help but are not a true replacement for being able to jail a user (or hundreds of users) to a limited area.
Re:How about: less douchebaggery? (Score:4, Funny)
You've already installed Linux. I doubt they can install anything on there that would be a problem, not without gunning for your job that is.
Re:How about: less douchebaggery? (Score:5, Insightful)
You think using technology to help enforce an IT policy and respecting your employees are mutually exclusive aims? I strongly disagree.
A small contingent of 'bad apples' can do serious harm if you do not effectively enforce IT policies. It's not possible to guarantee there is no one like this in your company, so you should protect the company and other staff from from them.
Respecting staff won't stop douchebags being douchebags and screwing up your systems.
Re:How about: less douchebaggery? (Score:5, Interesting)
"Like screen savers that try and install crap along with it, then there'll be all the support calls why isn't it working."
Using my remote control truth extractor, I can detect thoughts that are in your brain but not passed to your fingers on the keyboard. Combining your post with the truth extractor, I get the following:
"Treating adults like adults is good in theory, but when you have 300+ people trying to..."
Do their jobs
"...you want to take away as much..."
productivity
"...as possible." So we can feel like we are in charge of something. Even the little people need to feel big every so often. In order to keep our jobs, we need to make sure people need us. Thanks to lockdowns, they will.
Is that awesome technology or what?
Would you rather make people stop working and call the helpdesk when they need some kind of app that is (a) harmless and (b) freely available? And it's OK if they wait: 15 minutes? an hour? all day? So you can prevent a call from a guy who screws up the SCREEN SAVER???
Instead of making Mr. Screensaver wait in the queue because of his counterproductive antics, YOU MAKE EVERONE ELSE WAIT INSTEAD???
Such a strategy would only make sense if >50% of all calls were for unnecessary/unauthorized things. And IF that were true, then a lockdown would work so well that support staff could be cut, right?
Any wonder why IT departments are referred to as the "preventers of information services"???
What happens if they boot Knoppix from CD? Works pretty well in Windows shops as well. Lockdown the BIOS from CD boot? There are numerous published backdoor passwords; almost every BIOS has one.
BTW, this is a much bigger problem in Windows shops, where people tend to go crazy with pirated stuff, trial versions, spyware, and network bandwidth wasters -- all of which contribute to real risks and system instability. Taking away root access solves most of this in Linux, whereas in Windows it's the full employment act for the helpdesk unless you surrender to the draconian tradeoffs described above.
Re:How about: less douchebaggery? (Score:5, Insightful)
Probably because you can't guarantee that the users will ACT like adult human beings.
Any corporate policy that relies on "Let's just hope users don't do bad things" is doomed to fail.
Re: (Score:3, Funny)
No, au contraire. The following policy _will_ guarantee that users will act like adult human beings:
We will take a peep at your files randomly and fire you without severance the first time we find something we don't like. Period.
Comment removed (Score:4, Interesting)
Re:How about: less douchebaggery? (Score:5, Funny)
Doesn't work:
bash-3.2$ less douchebaggery
douchebaggery: No such file or directory
bash-3.2$
Re:How about: less douchebaggery? (Score:5, Insightful)
Have you ever met a sales person, or watched them try to use a computer? Seriously, watch them try to send a 500MB powerpoint presentation as an e-mail attachment, or ask for tech support on their limewire install, and marvel at the risk to your company.
Re:How about: less douchebaggery? (Score:4, Insightful)
Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings?
THIS is why those tools don't exist. Because every time you ask, some self-righteous idealist responds like this. Unfortunately, those self-righteous idealists are often also the really good programmers who have the ability to create such tools.
Re:Security-Enhanced Linux (Score:5, Informative)
Re: (Score:3, Interesting)
You know, as much as I agree with you, I wish it were not so.
More and more things are getting tied to a computer. Back in the early 1990s, a computer was generally used for number crunching and document managing. People (generally) did not use a computer to listen to music, watch a movie, meet people, or to stay in touch with one's friends.
Now people are using computers for all of these functions. It's important that things we need for daily living in the 21st century are not controlled by a single
Re:You don't (Score:4, Informative)
Re:You don't (Score:5, Funny)
That's what I couldn't figure out (Score:3, Insightful)
Want to lock stuff down? Don't give users root.
Knowing what policies they're talking about might be helpful because I had the same question. What policies would require root level access? White list the proxy. Backups, share drives, printing...we have all those services on our Linux desktops. We can remote in and install any software they need...??? What policies can't be handled by a user account?
Maybe I've been away from Windows networking too long, but I can't think of why you'd need to do this
Re: (Score:3, Insightful)
By blocking them out of root access, they can't download a package like a .deb or an .rpm & install it. If they somehow manage to figure out how to download and compile a tarball, all they can install it to is their own home directory. I'd say, best way to do it is make sure they don't have compiler access. So, take them out of the sudo users group.
Re:You don't (Score:4, Interesting)
Unless users are only given a restricted shell, what prevents them from writing applications in shell script and running them?
It's either a kiosk or a fully functional Universal Turing Machine...
Well, one way to do this is to mount the users home / groups with the noexec flag. Only the system partitions should be mounted with execute permissions, and the users shouldn't have any write privileges on them.
Re:You don't (Score:5, Interesting)
I think the point of the G...GP post was that you can't easily push this out remotely, and on Linux you have to write it, support it and debug it yourself, including all the niggly corner cases.
Frankly Windows has some cool Enterprise stuff that makes this easier.
It's worth noting that these policies aren't Microsoft deciding willy-nilly how you will use your computer. It's the Fortune 500+ companies, and their equivalents in Europe, Asia-Pac etc, who have requested this. They have very big wallets. They spend way more on MS than we do. And apparently some dorkwad once determined that allowing users to set their own desktop background wastes time and thus money, so they want to lock things down, protect themselves from lawsuits etc, and ensure they are paying people to work, not skive off typing long comments on /. ...
Ahem. As I was saying.
In these sorts of cases (desktop wallpaper, sound schemes), to me, the benefit is not time and money, it's the ability to avoid a lawsuit because Big Stu the ladies' man in the centre of the office decided to have some porno chick as his wallpaper and porno sounds for new emails et al. And the 30 women around him get offended and sue the company for letting him be a dickhead even though there's a clear policy in place.
Re:You don't (Score:5, Interesting)
That's a good point, but the kind of huge organization you mention will have in-house IT people who can that anyway, and I still think the advantage of a FOSS platform outweighs the relatively lack of ready-to-go deployment facilities.
Any of the major repository systems can be set up in a custom configuration with client machines automatically sucking packages up from a central company repository. Redhat's up2date and satellite systems are especially geared toward this kind of deployment.
If I'm understanding this correctly, you get application installation automation for free with your centralized repository, perhaps automated with cfengine, puppet, or even ssh-in-a-loop.
This is hard, and I'll admit Windows has an edge here, though personally, I feel like that's a little bit about North Korea having an edge in oppression compared to the US; it's not necessarily something desirable.
That said, if you must do something like this, there are ways. Other comments for this article address this point better than I do. For starters, there's kiosk mode [kde.org] "KDE's Kiosk Mode, allows a system administrator to configure all aspects of the desktop for an end user and optionally prevent the end user from making modifications to the provided setup."
Gnome also supports a lockdown system [gnome.org].
And as a last resort, you can always patch the software and distribute the patched version to all your machines.
Re:You don't (Score:4, Informative)
Guess what? noexec doesn't do jack shit on the majority of Linux systems, and does not prevent anybody from running a. You know why? /lib/ld-linux.so.2. (On x86_64, there's also /lib64/ld-linux-x86-64.so.2.)
Oh really? Seeing how mmap(2) requires the PROT_EXEC flag to make segments executable in the MMU, and checks those flags against the mode of the i-node, I found that hard to believe, and have it a try. These are the results:
Re: (Score:3, Informative)
How's about I set up iptables to disallow any incoming connections then?
That would slow your relay down. And how are you going to DoS whenyou don't have access to netcat, any compilers or interpreters? Hell, I could stop you even running an xterm...
You can do any/all of these things from windows too. I have yet to see a machine that could do anything useful at all that I couldn't also download and then run PuTTY on.
Re:M$ (Score:4, Insightful)
www.redhat.com
What's Ubuntu's LTS support? 5 years? And how long has XP been supported? Right...
Re:More information on what you want to lock down? (Score:5, Informative)
Unfortunately, few people in the Unix world seem to grasp what Group Policy is used for in Windows.
It's not simply preventing users from installing software.
Group policy is a set of policies that gevern everything from security policies, to application policies (for instance, say you want all users in a specific AD OU to use a specific proxy server, or maybe you want to limit all computers in a given lab from being able to use an MSN Messenger.
GP can be assigned to specific computers, groups of computers, users, groups of users, and a whole host of situations. The nice thing about it is that it's AD wide, and controls the user or the computer regardless of where, or what may be installed on the machine or how it's configured locally.
Re:More information on what you want to lock down? (Score:5, Insightful)
Unfortunately, few people in the Windows world seem to grasp that LDAP has been around for many years in the *nix world, and has all the functionality you would find in Group Policies when linked into PAM on the client side.
For a couple years, I maintained a company-wide network that supported unified "home" directories and unified login/password capabilities between Windows workstations, Linux workstations, and Solaris servers, all tied back to Fedora Directory Server. It was hell to set up, and sweet to watch in action.
Active Directory and Group Policies aren't bad for simple installations, but really turn into a mess quickly depending on your setup. LDAP and *nix systems that support PAM are a snap to set up, work fairly well and took significantly LESS time to get working properly than the Windows side did.
There's a lot of research that goes into setting up either side of the equation. Linux/Unix has been more ready for the "enterprise" desktop than Windows has, though, and that's a cold hard fact.
Re:More information on what you want to lock down? (Score:4, Insightful)
Unfortunately few people in the *nix world seem to grasp that LDAP is just a protocol (that's the P bit of the acronym). It's just a standard way of accessing directories - which is what Active Directory is (as is OpenLDAP etc etc). LDAP means nothing as a reference to a directory - OpenLDAP might in your case. So what you meant to say was "directories (that are accessible via LDAP) have been around for years". Whether they do everything the particular implemention of Active Directory does is up for question - some may, some may not. It depends on implementation...
Re:More information on what you want to lock down? (Score:4, Insightful)
In Linux it's done with policies in LDAP that are used to set variables for login scripts. Using standard Linux tools (written 20+ years ago for UNIX systems), the login process can report back what machine, IP address, etc a user is accessing. That coupled with the group structures in LDAP are used to set environment variables that dictate everything a user can access.
If it weren't for the boneheaded point-n-click gui that windows crams down every admins throat, even windows admins would see that their precious AD is just ldap with environment variables modified by scripts.
You talk about converting 300 seats. I converted 2000 to LTSP desktops. All driven by only 33 servers. See here for details: http://www.localnetsolutions.com/press.html [localnetsolutions.com]
If you are still stuck, my contact info is on the site. I consult.
Re:This is linux's strength, actually (Score:5, Insightful)
Or, am I missing something?
Yeah managing this for 300+ people in an environment that changes daily without spending your entire IT budget on admins and the sneakernet support staff.
despite our desire to act like open source is the cure for all ills this is the type of problem we need to solve. You MUST lock down some enterprise environments (or have a CEO who is willing to go to jail) and you MUST be able to manage this without breaking the company piggy bank. He's asking for solutions to these two requirements not how to keep ONE person on ONE desktop from doing ONE of the many forbidden things.
And as for the guy/gal who suggested we treat everyone nice and hope they act right. That's fine for your 10 person IT shop...not so much for a multi-billion dollar public company that needs public trust and investment and is governed by a whole mess of federal regulations in numerous national jurisdictions around the world.
Re:This is linux's strength, actually (Score:5, Informative)
Sneaker net?
This is linux. You do it all remotely, and you can build clone the machines pre-set up
exactly the way you want them.
This is not hard. But first you have to purge the microsoft mentality from your thinking.
Forget Sneakernet. Think more Fat-Ass net. Like me sitting here on my fat ass managing
a dozen machines for naive users located 1400 miles away.
You just never give users root access, and you set your permissions properly.
You can use SeLinux, AppArmor, or any number of free management tools that
all work remotely. You don't have to rely on everyone to act nice because
you can lock it down just as tight as you want.
If its a business, why not start with a business solution like Novell SLED.
Its made for the enterprise. And it locks down nicely.
None of this stuff is free in the windows world, but its all available
for free in the Linux world, OR you can pay for it and still save money
over Windows.
But there are free remote management utilities included with every Linux distro.
Its called ssh.
Re:This is linux's strength, actually (Score:4, Informative)
Adn how long would it take me to SSH into 40,000 desktops to update Adobe Reader 8 to Adobe Reader 9, because there is some new feature that someone decided we just have to implement?
How long to copy the browser link to 40,000 desktops to comply with a mandatory ethics reporting plan we had to put in place? How long to patch 40,000 kernels for a security hole that must be resolved within 72 hours due to Corporate Information Security policy?
you guys that complain about heavy handed IT policies don't realize, that we don't even drive a lot of this stuff. If it was an IT idea, no one would ever give us the money we need to buy these tools. It's all driven from the top down.
Perhaps you've never heard of cssh [sourceforge.net]?
I use it to patch and update ~ 15 linux machines at the same time--in about 3 minutes. Patching a comparative number of Windows servers takes 30 minutes and a reboot.
In all seriousness though, cssh might not work so well for 40,000 machines. You'd probably have to have a 70 inch monitor...
Re:This is linux's strength, actually (Score:4, Informative)
cssh is great for a handful of computers, but for the 40,000 boxen, try cfengine [cfengine.org]
Re:This is linux's strength, actually (Score:4, Funny)
Disable CD/USB boot in BIOS or make the hard drive boot first(and password protect it... with clever users, lock the box so no one can clear the CMOS).
The bottom line though is that if someone has physical access to 'your' box, it's no longer yours. This applies to security as well as users. The only thing you can do is make the process so painful and bothersome that they decide it's not worth it.
Speak softly and carry a big stick. Keeping a CAT5 cable that terminates to a power outlet is a good tool to have handy. Plug it in to the spot on the patch panel where the trouble user's connection is - they'll get the point after a couple of 'hardware failures' for their desktop.
Re: (Score:3, Insightful)
Normal business is when a virus spreads. Scanning for viruses is not a bad thing and performance should not trump security. This is called being pro-active which is ideal when dealing with computer security. Only scanning for virus's at night is call reactive, which is bad when dealing with computer security.
Also, the IT department is responsible for the network and security of the network. If they make a policy that no linux machines can be on the network then what is the issue? Tight control over com