Security


I just found Sander van Vugt’s comprehensive article on TechTarget about how to configure and manage SLED desktops using just GNOME’s management features. It’s a good read and helps demystify some features of GNOME, such as:

  • Changing the Desktop Settings
  • Using the Desktop Profile Editor
  • Locking Down the Desktop

Enjoy,

RossB


Are you using Faronics’ Deep Freeze product to prevent users from adding to your IT helpdesk calls?  The product “freezes” the OS so that any changes (good or bad) made to that computer (by, say, curious users or viruses) can easily be wiped out and a clean OS state easily restored.  It is used in places such as classrooms, labs, kiosks, or any other location with “at risk” devices.  Learn more about Deep Freeze here and here.

Formerly only available on Windows, the company announced that its Deep Freeze Linux product is now available.  It is currently only supported on SUSE Linux Enterprise Desktop.  Read the press release here (pdf).

The Novell Courseware Team has released Course 3068, Migrating to SUSE Linux Enterprise Server 10 for free.  You can download the kit and print the manuals out, but it’s not for reselling or further distribution.  This outstanding offering covers how to migrate from Red Hat Enterprise Linux to SUSE Linux Enterprise 10, and incorporates not only that team’s materials, but a lot of feedback from us in the field, all of which was taken into account, the result being a great course.

This is no puff piece that’s just out there so they could claim it existed; this is seriously useful material for the sysadmin in the trenches doing these tasks.  The topics the course covers are:

  • Installing SUSE Linux Enterprise Server 10
  • Using YaST
  • Configuring the Network
  • Managing the Linux File System
  • Managing System Initialization
  • Configuring Mail and Web Services
  • Using AppArmor
  • Managing Virtualization with Xen
  • Configuring iSCSI
  • Understanding Cluster File Systems

The course is available either as a free download, or you can use the course finder to locate an Instructor-Led version of the course.  If you are like me, you can study the download version and if you can make it to a class, then do so, but this is essentially a class-in-a-can, some assembly needed.  You can download the courseware kit, it includes:

  • Migrating from Red Hat to SUSE Linux Enterprise Server 10 Student Manual
  • Migrating from Red Hat to SUSE Linux Enterprise Server 10 Student Workbook
  • Course materials ISO file (for burning to a DVD)

The team thoughtfully includes a number of items on the DVD ISO, including the manuals, Acrobat Reader for Windows and Linux, various setup instructions for a bare-metal lab system and two VMware virtual machines for use with a virtualized lab system (i.e. your spouse will shoot you if you blow away the kid’s Windows PC and install SLES 10 on it).

As a surprise bonus, they included a slightly older whitepaper by yours truly and a few team-mates as Appendix C.  It’s a whitepaper that I came up with as a way to show people how to do what this course now does, and includes some very useful tables and other side-by-side comparisons that will help you accomplish the migration.

Enjoy,

RossB

WOW, I want one of these. A company from France by the name of Calao Systems has come up with a complete Linux PC that fits into a slightly bulky USB Key form factor. Measuring 3.3×1.4 inches and sporting an ARM Processor, 256MB RAM, an Ethernet port and 2 USB ports, it also has a 50 pin expansion port.

Talk about an awesome cyber-cafe security tool: you’d know no one was snooping on you if you booted their computer with your own version of Linux (SUSE, of course!) from a USB key that looks like this one:

Of course there are distributions of Linux that will FIT on a USB Key, but so far this is the smallest Linux PC I have seen.

RossB

Novell has done a lot of work to expand the use cases for SUSE Linux Enterprise Desktop. Today SLED can be deployed in a number of ways, from a fully locked down kiosk to a full blown laptop for general knowledge workers. Locked down environments are particularly useful in thin-client computing models.

One of the most compelling reasons to deploy SLED over a proprietary desktop is the ability to lock it down at a very granular level. This means that you have the ability to lock down desktops so that EVERYTHING is locked down, or just a few things.

There are a number of tools included in SLED to lock down the desktop. In this article we’ll discuss how to manually lock down the desktop using:

  • GConf
  • Permissions and groups
  • Removal of programs and modules
  • Configuring files/settings

GConf is a system used by the GNOME desktop environment for storing configuration settings for the desktop and applications. Each user has a .gconf directory stored in their home directory that stores their individual settings. There is also a global gconf directory located in /etc/opt/gnome/gconf/. Administrators can mark settings as “default” or prevent users from changing the settings by marking them as “mandatory”.

There are several lockdown options stored in GConf. There are two great tools to configure GConf keys, gconf-editor and gconftool-2.

  • gconf-editor (/opt/gnome/bin/gconf-editor) is a graphical tool that allows you to change local gconf keys or set global mandatory/default keys.
    • To set a key as mandatory or default, open gconf-editor as root, navigate to the key you want to set, right click on it and choose to set as mandatory or default.
    • You can search for gconf keys by going to the edit menu and choosing “find”.
  • gconftool-2 (/opt/gnome/bin/gconftool-2) is a command line tool which allows you to modify gconf settings. It can be used in a script that locks down desktops as part of an automated/scripted deployment.  gconftool-2 is also very useful when writing scripts to build and lock down KIWI-based images.  Listed below is an example of the syntax for changing a boolean key:
    • gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory --type bool --set /apps/metacity/general/reduced_resources true
    • Here is the syntax for setting a string gconf key:
    • gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory --type string --set /apps/metacity/window_keybindings/begin_resize disabled
    • Note how both keys being modified are in the gconf.xml.mandatory directory. To make a key default rather than mandatory, switch gconf.xml.mandatory to gconf.xml.defaults.

The GConf configuration tree is broken down into five main categories: apps, desktop, schema, schemas, and system. As far as lockdown is concerned, the main categories of interest are apps and desktop. Listed below are some important gconf keys which you can modify to customize and lock down your desktops. Remember that these keys can be set as default or mandatory for users.

  • /apps/gnome-screensaver/idle_activation_enabled – Forces the screen saver to come on when the session is idle.
  • /apps/gnome-screensaver/idle_delay – The number of minutes of inactivity before the session is considered idle.
  • /apps/gnome-screensaver/lock_enabled – Set this to TRUE to lock the screen when the screensaver goes active.
  • /apps/nautilus/preferences/show_desktop – If set to true, Nautilus will draw the icons on the desktop. If false, the user will not be able to interact with the file system through the desktop.
  • /apps/panel/global/locked_down – If true, the panel will not allow any changes to the configuration of the panel. Individual applets may need to be locked down separately, however. The panel must be restarted for this to take effect.
  • /desktop/gnome/applications/main-menu/lock-down/search_area_visible – Set to true if the search area should be visible and active.
  • /desktop/gnome/applications/main-menu/lock-down/user_modifiable_apps – Set to true if the user is allowed to modify the list of user-specified or “Favorite” applications.
  • /desktop/gnome/background/picture_filename – File to use for the background image.
  • /desktop/gnome/lockdown/disable_command_line – Prevents the user from accessing the terminal or specifying a command line to be executed. For example, this disables access to the panel’s “Run Application” dialog.
  • /desktop/gnome/lockdown/disable_printing – Prevents the user from printing. For example, this disables access to all applications’ “Print” dialogs.
  • /desktop/gnome/lockdown/disable_print_setup – Prevents the user from modifying print settings. For example, this disables access to all applications’ “Print Setup” dialogs.
  • /desktop/gnome/lockdown/disable_save_to_disk – Prevents the user from saving files to disk. For example, this disables access to all applications’ “Save as” dialogs.
  • /desktop/gnome/remote_access/ – There are a number of settings in this directory for configuring remote access through VNC.

There are many other useful keys and some new ones we have introduced in SLED 10 SP1. I suggest that you spend some time browsing through gconf with gconf-editor. Each key has a “description” associated with it that will give you some info on what it does.
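The following script is an added example, not code from the original article, showing how the keys listed above can be applied with gconftool-2 as a repeatable lockdown profile. The two config sources are the ones the article names; the gconf_set helper, the DRY_RUN and GCONFTOOL variables, the lockdown.sh file name and the wallpaper path are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not code from the original article: a lockdown script that
# sets the GNOME keys discussed above with gconftool-2 on SLED 10. The config
# sources are the ones the article names; the gconf_set helper, the DRY_RUN
# and GCONFTOOL variables and the wallpaper path are assumptions for this script.
set -eu

GCONFTOOL="${GCONFTOOL:-/opt/gnome/bin/gconftool-2}"
MANDATORY_SRC="xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory"
DEFAULTS_SRC="xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.defaults"

# gconf_set SOURCE TYPE KEY VALUE
# Validates the key path and the type/value pair before calling gconftool-2,
# so a typo such as "ture" fails loudly instead of leaving a lockdown key
# unset. With DRY_RUN=1 the command line is printed rather than executed.
gconf_set() {
    src=$1; ktype=$2; key=$3; value=$4
    case "$key" in
        /*) ;;
        *) echo "gconf_set: key must be an absolute gconf path: $key" >&2; return 1 ;;
    esac
    case "$ktype" in
        bool)
            case "$value" in
                true|false) ;;
                *) echo "gconf_set: $key takes true or false, got '$value'" >&2; return 1 ;;
            esac ;;
        int)
            case "$value" in
                ''|*[!0-9]*) echo "gconf_set: $key takes an integer, got '$value'" >&2; return 1 ;;
            esac ;;
        string) ;;
        *) echo "gconf_set: unsupported type '$ktype'" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$GCONFTOOL --direct --config-source $src --type $ktype --set $key $value"
    else
        "$GCONFTOOL" --direct --config-source "$src" --type "$ktype" --set "$key" "$value"
    fi
}

# Kiosk-style profile built from the keys listed above. Everything that
# removes a capability goes into the mandatory source so users cannot undo it;
# the wallpaper is only a default, so users may still change it.
lockdown_kiosk() {
    gconf_set "$MANDATORY_SRC" bool /desktop/gnome/lockdown/disable_command_line true
    gconf_set "$MANDATORY_SRC" bool /desktop/gnome/lockdown/disable_save_to_disk true
    gconf_set "$MANDATORY_SRC" bool /desktop/gnome/lockdown/disable_printing true
    gconf_set "$MANDATORY_SRC" bool /desktop/gnome/lockdown/disable_print_setup true
    gconf_set "$MANDATORY_SRC" bool /desktop/gnome/applications/main-menu/lock-down/user_modifiable_apps false
    gconf_set "$MANDATORY_SRC" bool /apps/panel/global/locked_down true
    gconf_set "$MANDATORY_SRC" bool /apps/nautilus/preferences/show_desktop false
    gconf_set "$MANDATORY_SRC" bool /apps/gnome-screensaver/idle_activation_enabled true
    gconf_set "$MANDATORY_SRC" bool /apps/gnome-screensaver/lock_enabled true
    gconf_set "$MANDATORY_SRC" int  /apps/gnome-screensaver/idle_delay 5
    # Placeholder image path; substitute the site's own wallpaper.
    gconf_set "$DEFAULTS_SRC" string /desktop/gnome/background/picture_filename \
        /usr/share/wallpapers/corporate.png
}

# Usage: DRY_RUN=1 sh lockdown.sh  (review the commands), then run it as root
# without DRY_RUN to apply them. Restart the panel or log users out afterwards.
if [ "${0##*/}" = lockdown.sh ]; then
    lockdown_kiosk
fi
```

Running it once with DRY_RUN=1 prints the eleven gconftool-2 invocations so they can be reviewed (or pasted into a KIWI image build script) before anything under /etc/opt/gnome/gconf is written.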

Permissions and groups are another useful way of locking down desktops. You can modify permissions on particular applications so that only users who are in a specific group have access to them. In the example below I show you how to change permissions on Firefox and gnome-terminal so that user1 can use firefox and gnome-terminal, but user2 can only use gnome-terminal.

#Here I create two groups
groupadd gnometerminal -g 203
groupadd firefox -g 204

#Here I assign local users to the appropriate group or groups
usermod user1 -A gnometerminal,firefox
usermod user2 -G gnometerminal

#Here I change the ownership of the applications to lock out others from accessing it and changing it.
chown root:firefox /usr/bin/firefox
chown root:gnometerminal /opt/gnome/bin/gnome-terminal

#Here I change the permissions of the applications to lock out others from accessing it and changing it.
chmod 754 /usr/bin/firefox
chmod 754 /opt/gnome/bin/gnome-terminal
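As an added example (not code from the original article), here is a check that verifies a binary ended up the way the chown/chmod lines above intend, so the restriction can be confirmed from a post-install or audit script rather than by eye. The owner defaults to root as in the article; the function name and its reliance on ls -ld output are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not code from the original article: a check that a binary is
# restricted the way the chown/chmod lines above intend. Owner defaults to root
# as in the article; the function name and the use of ls -ld are assumptions
# made for this script.
set -eu

# restricted_to_group FILE GROUP [OWNER]
# Returns 0 when FILE is owned by OWNER (default root), group-owned by GROUP,
# executable by owner and group, and not executable by anyone else, which is
# what "chown root:GROUP FILE; chmod 754 FILE" produces. Otherwise prints each
# reason to stderr and returns 1.
restricted_to_group() {
    file=$1; group=$2; owner=${3:-root}
    [ -e "$file" ] || { echo "$file: does not exist" >&2; return 1; }
    # ls -ld fields: mode links owner group ...; keep the first 10 mode chars
    # so an ACL or SELinux marker ("+", ".") does not disturb the parse.
    set -- $(ls -ld "$file")
    mode=$(printf '%s' "$1" | cut -c1-10)
    have_owner=$3; have_group=$4
    ok=0
    [ "$have_owner" = "$owner" ] || { echo "$file: owner is $have_owner, want $owner" >&2; ok=1; }
    [ "$have_group" = "$group" ] || { echo "$file: group is $have_group, want $group" >&2; ok=1; }
    case "$mode" in
        ???x??x???) ;;                       # owner and group may execute
        *) echo "$file: mode $mode lacks owner/group execute" >&2; ok=1 ;;
    esac
    case "$mode" in
        ?????????[xst]) echo "$file: mode $mode is executable by others" >&2; ok=1 ;;
    esac
    return $ok
}

# Usage, matching the two applications restricted above:
#   restricted_to_group /usr/bin/firefox firefox
#   restricted_to_group /opt/gnome/bin/gnome-terminal gnometerminal
```

Because the function reports every mismatch rather than stopping at the first, one run over each restricted binary after a package update shows at once whether an RPM upgrade has reset the ownership or mode.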

Another way to lock down the system is by removing components. The easiest way to prevent users from using certain applications is by not installing them in the first place. You can remove applications by using the YaST software management module or by using the rpm -e command.

You can further lock down the system by removing certain kernel modules. By removing the following module you can prevent the system from recognizing USB mass storage devices (like flash drives, USB disks, iPods, etc.), but still use USB keyboards and mice.

/lib/modules/2.6.16.46-0.12-smp/kernel/drivers/usb/storage/usb-storage.ko (you can use the uname -r command to determine which version of the kernel you’re using).

While you can use gconf to prevent users from getting to terminals installed on the system, you need to configure /etc/X11/xorg.conf to prevent access to virtual terminals. In the “ServerLayout” section add the following lines to prevent users from switching to a virtual terminal and to prevent them from killing X by typing ctrl-alt-backspace (xorg.conf expects the option name and value as quoted strings):

Option "DontVTSwitch" "True"
Option "DontZap" "Yes"
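As an added example (not code from the original article), the following functions apply those two options to an xorg.conf without creating duplicates, and check that they are actually in force. The function names and the quoted Option syntax are assumptions for this script; the option names and values are the article's own. It also covers one case the article does not mention: X.Org accepts these options in Section "ServerFlags" as well, so the check honours either section.

```shell
#!/bin/sh
# Added example, not code from the original article: add the two ServerLayout
# options above to an xorg.conf idempotently, and a check that reports whether
# they are in place. The function names and the quoted Option syntax are
# assumptions for this script; the option names and values are the article's.
set -eu

# harden_xorg_layout FILE
# Rewrites FILE so that its Section "ServerLayout" carries DontVTSwitch and
# DontZap exactly once. Lines that already mention either option are left
# alone (an explicit "false" is therefore reported by xorg_vt_locked, not
# silently overridden). Fails without touching FILE if it has no ServerLayout.
harden_xorg_layout() {
    conf=$1
    tmp="$conf.tmp.$$"
    if awk '
        /^[ \t]*Section[ \t]+"ServerLayout"/ { inlayout = 1; seen = 1 }
        inlayout && /"DontVTSwitch"/ { have_vt = 1 }
        inlayout && /"DontZap"/      { have_zap = 1 }
        inlayout && /^[ \t]*EndSection/ {
            if (!have_vt)  print "    Option \"DontVTSwitch\" \"True\""
            if (!have_zap) print "    Option \"DontZap\" \"Yes\""
            inlayout = 0
        }
        { print }
        END { if (!seen) exit 2 }
    ' "$conf" > "$tmp"; then
        mv "$tmp" "$conf"
    else
        rm -f "$tmp"
        echo "harden_xorg_layout: no ServerLayout section in $conf" >&2
        return 1
    fi
}

# xorg_vt_locked FILE
# Returns 0 only when both options are enabled inside a ServerLayout or
# ServerFlags section (the two places X.Org reads them from); an option
# placed in any other section is ignored, just as the X server ignores it.
xorg_vt_locked() {
    awk '
        /^[ \t]*Section[ \t]+"(ServerLayout|ServerFlags)"/ { insect = 1 }
        /^[ \t]*EndSection/ { insect = 0 }
        insect && tolower($0) ~ /option[ \t]+"dontvtswitch"[ \t]+"(true|yes|on|1)"/ { vt = 1 }
        insect && tolower($0) ~ /option[ \t]+"dontzap"[ \t]+"(true|yes|on|1)"/     { zap = 1 }
        END { exit !(vt && zap) }
    ' "$1"
}

# Usage (as root, after backing up the file):
#   harden_xorg_layout /etc/X11/xorg.conf && xorg_vt_locked /etc/X11/xorg.conf
```

The rewrite goes through a temporary file and is only moved into place when awk succeeds, so a failed run never leaves X without a usable configuration; the check is what you would call from a KIWI image build or an audit job to confirm the lockdown survived an update of xorg.conf.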

This article only shows a small subset of the lockdown functionality of SUSE Linux Enterprise Desktop, but it should get you well on your way. Have a lot of fun!

CRN recently conducted weeks of testing to compare Windows Vista and Windows XP for security features, and found interesting results.  Researchers found Vista had “marginal security advantages over XP”, and “Vista remains riddled with holes, despite its multilayer security architecture and embedded security tools.”

The tests included vulnerability comparisons for:

  • Viruses
  • Spyware/Malware
  • Trojans
  • Remote Data Exploits
  • Flaws in Images
  • Spoofing
  • Scripting

While sometimes the CRN report is a tad harsh, it does strip bare the lofty claims of Vista’s much-improved security through wizards, check-boxes and agents.   Too bad we couldn’t get a SLED ad on those pages, to give everyone hope!

The report concludes: “… both the Vista and the XP test notebooks were almost equally damaged by viruses, trojans and other malware.  And because most of the Web sites in the test were able to exploit Vista’s weaknesses, Internet users are just about equally vulnerable with both OSes”.

The CRN report can be found here.

RossB

In a world where even SSH seems like it’s not enough, enter SBD. Yeah, it’s the same initials as something that we all said as kids, but it really refers to System Back Door.

SBD is an ultra-secure service that relies on the SBD protocol, one-time pads and the HMAC authentication routine to verify what you’re sending to it.

Effectively, it allows you to encrypt a single command that is sent to the server based on completely random and identical files on both systems, making it easy to send a wake-up call to an SSH server or other service with an almost-unbreakable one-time encrypted command.

After using the service on demand, you can then disable it with another SBD-secured command, or have the service disable itself automatically via scripting.

Linux.com has a great article about this, including make instructions for those who find they will need this additional security measure. The SourceForge project page, while, ahem, somewhat terse, is helpful too.

Enjoy,

RossB
