Art Ross said:
> Does anyone know of a way to lock down Linux desktop? I have a friend who
> wanted to know if Linux could be locked down similar to Windows NT & Windows 2K.
Linux is light years more "lockable" than any MS system, though it can take a bit of work to set up depending on what you're trying to do. Linux isn't alone in this regard though; this pretty much applies to any Unix.

About a year and a half ago I set up a Solaris 8 system that had to allow anonymous users access to CDE from the internet. Took several days to fully secure, with a host-based firewall, automated scripts to check/repair permissions, delete & re-create home directories, and test. But it is solid as a rock (and still runs today).

By contrast, we had win32 systems (NT and 2000) which had to allow anonymous access to MS Word, Excel and a few other apps via the internet as well. I don't know if it was the admin who set them up, but they were repeatedly compromised. They tried installing group policies and such but the end result wasn't very effective (they had to lock out everyone including Administrator for some reason). During some tests I was able to set up an anonymous FTP on one of my home servers, drag & drop executables to the remote system's disk and execute programs. Kinda funny that MS Word provides full access to IE, and even a seemingly locked down IE was pretty easy to bypass (and I haven't used much MS stuff since '99). The admin of the win32 systems was my co-worker, and had a good deal of knowledge about MS systems, and worked in an office with a dozen win32 developers (including kernel developers), so he's not some idiot off the street. Though he may not be as good at win32 as some of the experts out there.

Only downside to my Solaris locking was that when I next installed a patch cluster the machine kernel panicked on boot; took about 30 minutes to fix though. I guess I flipped one or 2 too many switches :) (I even removed suid bits from every program on the system except the 2 that required it; normal users could not load a shell, nor run ls, cd or mkdir or cp or mv etc.) Took a lot of testing since CDE has a TON of dependencies. Same for StarOffice, Acrobat Reader, Netscape, OpenWindows etc. Having ipf running on the box helped too; all outbound traffic was blocked except for a few IPs (local DNS, local webserver, a few websites so users could use Netscape).

So in short, yes you can lock a Linux box down tighter than most.. BUT, it can take a good amount of knowledge and experience to do it (once it's done it's easy to mirror the environment to other systems). But with the problems my co-worker had locking down his systems I think it's probably easier since Unix/Linux is more transparent (easier to see what's going on).

nate
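In the spirit of the permission check/repair scripts and the suid-bit stripping nate describes, here is an added example (my own, not nate's script and not from the list): it snapshots the setuid/setgid binaries into an allowlist after hardening, then audits later runs against it and optionally clears any bit that has reappeared. The function names and the allowlist format (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Baseline-and-audit for
# setuid/setgid bits: snapshot once after hardening, then audit from cron.
# Allowlist format (assumed): one absolute path per line.

# Write the current setuid/setgid binaries under $1 to the baseline file $2.
snapshot_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sort > "$2"
}

# Print every setuid/setgid file under $1 that is not listed in $2.
# With $3 = 1, also clear the bits on those files (the "repair" step).
audit_suid() {
    root="$1"; allow="$2"; fix="${3:-0}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        grep -qxF -- "$f" "$allow" && continue   # expected: on the allowlist
        printf '%s\n' "$f"                        # unexpected privilege bit
        if [ "$fix" = 1 ]; then
            chmod u-s,g-s "$f"                    # strip it, as nate's setup did
        fi
    done
    return 0
}

# Typical use (assumed paths):
#   snapshot_suid / /var/lib/suid.allow      # once, after trimming the suid set
#   audit_suid    / /var/lib/suid.allow 1    # from cron: report and repair
```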