Re: Lockdown... Take 2

From: "Erick Woods" <erick gnomepro com>
To: "Matt Keenan" <Matt Keenan sun com>, <desktop-devel-list gnome org>
Subject: Re: Lockdown... Take 2
Date: Mon, 13 Oct 2003 10:40:35 -0500
On Mon, 13 Oct 2003, Matt Keenan wrote:
> Folks,
<SNIP>
> Please feel free to comment....

Thanks, I will.  Some random thoughts about lockdown follow.

A little background... I have been a systems/network consultant for many
clients in my area for the last decade. I was the IT Director for a large
national firm based in the area that had no less than 10 competitors within
a 10 mile radius, all trying to eat their lunch.

That said, I have a fair amount of experience with locking down systems for
various reasons, the most important of which are security due to competition
and the smooth operation of a consistant environment.

When it comes to the policies and methods that the windows environment
allows, people tend to find that it is a nightmare to administer.  The tools
(policy editor is one) are fine, but the implementation is flakey.

A consistant environment does not mean there is no variation.  It can and
should be done in a manner that you are able to have a global policy file
which can be overridden by the individual user policies.  One size does not
fit all and granularity is good here.

Calum posted a link to a spreadsheet that covers all options available to
windows admins.  That was perfect!  That should be the goal (or shoot even
higher).  Limiting it to certain subsets or predefined groups of settings
are not good.  In the many implementations of policies I have encountered,
each installation requires different things to be controlled.  What I gather
from Alex's email is some sort of shortcut to the granular approach of a
windows environment.  I may be wrong, but if I am not a mistake is being
made.

A few things which come to mind based on my experience with both windows and
GNOME follow.  They are just things that are a bit different rom the Windows
world and should be covered.  There are a lot more things that need to be
handled.
1. Locking down GDM completely.
   The average user and any corporate user that I would encounter has no
business messing with anything found in GDM settings.
2. Locking down panels.
   Users should be given a default panel arranged where the sysadmin and
other appropriate staff determine with a chosen set of icons and applets.
They should, in some cases, be allowed to add and delete other panels at
will, but this may not be true in all environments.
3. The desktop.
   This should be lockable.  If the settings are examined for this in the
spreadsheet that Calum referenced provides a good foundation for the
settings one would want on the desktop.  It needs to be flexible.

Matt mentions locking down gnome-terminal.  As *nix is a true multiuser
system and important stuff is protected, I see no reason for this.  Getting
around it would be a cakewalk for anyone with half a brain - {foot}, run,
xterm or run any number of apps with built-in consoles.  Wasted effort,
little or no benefit in my opinion.

In addition, he mentions locking down where a user can browse to.  If this
means which gnome-vfs uri's, fine, but beyond that, it should be left to
existing network tools.  One helpful thing might be to set a user's homepage
for their browser and not allow them to change it or ever leave it (corp.
intranet deal).

A sysadmin, in many cases, is not a programmer.  Alex suggested having them
dig in glade files and sources, but that wont work.  You can not possibly
expect a consultant for small businesses or an admin stuck in an
understaffed department to start hacking srcs or learning how to modify
stuff with glade and customizing the hell out of packages just to get
something disabled so that the customer/employer is happy and secure.  It is
best to follow the windows model in most cases, but do it a little better,
just like has been done with gconf.

In Windows, the use of the policy editor to create a .pol file for
distribution is great.  This should be emulated, unless a better way is
found.  A UI similar to gconf-editor would suffice.  Saving a policy file
and being able to distribute a single file easily would be ideal.  The ideal
should be achievable since this is in the beginning stages.

The implementation would be best if it were done as an xml file that
contains ALL possible settings.  Any xml editor could be used to modify them
and distribution would be incredibly easy - drop the file in /etc/gconf/ or
whereever.  Making per user adjustments could be done in the same manner.
Locking down anything I or TPTB want is essential to adoption of this
framework.  Seriously check out that spreadsheet and try to understand why
that stuff is there.  It's not crack.  There are reasons/cases for almost
everything you see in that document.

Now you have the $.02 of a real life Windows administrator, as Alex and
others have suggested.

Erick Woods
erick gnomepro com
http://www.gnomepro.com/
Follow-Ups:
- Re: Lockdown... Take 2
  - From: George Farris
References:
- Lockdown... Take 2
  - From: Matt Keenan
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]