this post was submitted on 24 Jun 2023
26 points (90.6% liked)

Linux

48334 readers
603 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I run a small business and would like to use Linux for its free naturet. Is there a way to lock down linux using software or a whole distro that would prevent people from doing pretty much anything other than opening a web browser similar to Windows or ChromeOS. I would use ChromeOS, had it not been made by Google as I am not super keen on using something made by big tech.

Edit: This would be for employees and is exclusively about endpoint security, mot enforcing staying on task.

top 32 comments
sorted by: hot top controversial new old
[–] [email protected] 19 points 1 year ago (1 children)

If you're looking for a pure kiosk experience check out porteus kiosk, it's a very stripped down distro that lets you choose Firefox or chrome and by default uses private browsing.

I'm sure if you need a whole desktop experience that's also possible but i don't know how

[–] [email protected] 1 points 1 year ago

Porteus is cool. I messed around with it when trying to set up an idiot proof browsing pc for a relative.

[–] [email protected] 15 points 1 year ago* (last edited 1 year ago) (3 children)

Would this locked-down distro be used by customers or by employees? If it is being used by employees, there is no faster way to be hated than putting unnecessary restrictions on their logins. You don't want that kind of workplace.

I simply do this:

  1. Make sure they don't get sudo/root privileges.

  2. Remote mount their home directories (nfs).

  3. Don't add any restrictions beyond that. It is a waste of time and money.

  4. Control the rest through company policy, usually clauses under the 'Misuse of company network' section.

  5. Who cares if employees are browsing tik-tok or whatever if they've done all their work? That's a work-allocation issue. If they haven't done all their work then that's already a solved problem. Either motivate them or performance manage them slowly towards the door.

  6. Who cares if they want to install xyz software [in their home directory]? Chances are it'll be a free boost for performance and/or morale.

[–] [email protected] 12 points 1 year ago (1 children)

All good points. Who the heck cares as long as your employees deliver their promised work on time?

I should add that you should however restrict data storage, mandate disk encryption, etc.

[–] [email protected] 4 points 1 year ago

Agreed. I manage both of these transparently beyond the employee's view. All the employee knows is that they have xyz free space to use on their profile.

[–] [email protected] 5 points 1 year ago

Who cares if they want to install xyz software [in their home directory]? Chances are it'll be a free boost for performance and/or morale.

This /really/ depends on your threat model. "xyz software in their home directory" could easily be "exfil tool that uploads all data employee X has access too, disguised as a meme template generator"

[–] [email protected] 2 points 1 year ago

I was more worried on the cybersecurity side rather than the work allocation issue.

[–] [email protected] 9 points 1 year ago

Back when internet cafés were still a thing, a common practice was to have a bunch of thin clients that would have no local storage and have them boot over the network. The environment would get wiped every time someone logged off.

You could do something similar. Cheap machines with no local storage. Bios settings that prevent any sort of booting from usb sticks and protect the bios with a password.

Projects like LTSP are designed for this.

You could boot the machines in a read only mode and just have the browser available. Perhaps also only allowing sharing of files through something like nextcloud where you could theoretically also lock down what type of files are allowed. Or at least be able to inspect the files that people are storing.

[–] [email protected] 6 points 1 year ago (1 children)

You will need to configure secure boot with your own keys, efistub and create a user with no sudo.

After that any selinux or apparmor distro will do.

What you are concerned about here is physical security so you will need to lock the bios, cut off the CMOS reset pins and probably solder the 3.3 battery.

[–] [email protected] 2 points 1 year ago
[–] [email protected] 6 points 1 year ago

I've found the gold standard to be the NCSC Guidelines. This covers everything around proper deployment of end user devices in an organization. https://www.ncsc.gov.uk/collection/device-security-guidance

They have clamp down configurations for Windows and Ubuntu, plus others. This is the Ubuntu page, but there'll be lots of cross over to other distros https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/ubuntu-lts

Their security configuration packs are hosted on GitHub so you can vet them first if you want https://github.com/ukncsc/Device-Security-Guidance-Configuration-Packs

[–] [email protected] 6 points 1 year ago (1 children)

ChromeOS sucks... I think its the worst OS I ever used

[–] [email protected] 4 points 1 year ago

Almost agree, just Windows RT is worse.

[–] [email protected] 5 points 1 year ago (1 children)

I'm sure there's a better solution, but SELinux is an option. It can be difficult to customize, but it's capable of locking down the system entirely. You could theoretically block all actions taken by the user except for a select few mozilla_t actions and others necessary for login.

[–] [email protected] 5 points 1 year ago (1 children)

But how will they have time to learn SELinux and run a business?

[–] [email protected] 1 points 1 year ago

Haha. Yeah it takes time to learn how to do even the most basic things with it. Just how I would approach the situation

[–] [email protected] 4 points 1 year ago

I think avoiding ChromeOS is wise, that just puts Google in charge of your IT systems and leave you at the mercy of their data harvesting abomination of Linux loaded with proprietary software.

[–] [email protected] 4 points 1 year ago (1 children)

As long as you don't give the users sudo powers there is little they can do to screw up the system.

But that would only make sense if you want them to have their own users. If it's just a public computer, you probably want the kiosk thin mentioned before.

[–] [email protected] 1 points 1 year ago (2 children)

There's also the risk of users saving and distributing confidential data. You don't need admin rights for that! I'm not actually sure this applies to OP, but if he's giving everyone a web browser, it certainly seems like a risk.

[–] [email protected] 5 points 1 year ago (1 children)

A cell phone can save and distribute data.

He didn't say it was crazy confidential. I got the feeling it was more about keeping them from fucking around and breaking it.

[–] [email protected] 2 points 1 year ago
[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

If Snowden can exfiltrate data from the NSA, there is simply no way for your average employer to prevent this through computer restrictions. Effort in that direction is a total waste of money.

This is a company policy issue, enforced through non-disclosure agreements and, ultimately, the legal system.

[–] [email protected] 4 points 1 year ago

openSuse Aeon with a non-admin user. It's an immutable distro that uses Flatpaks for apps and automatically updates in the background. I use it on my laptop and it's great.

[–] [email protected] 2 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago (1 children)

Good choice, just a little to sophisticated for a user coming from ChromeOS.

[–] [email protected] 1 points 1 year ago

My apologies for the miscommunication; I wasn’t coming from ChromeOS, I was skating it as the only viable alternative, though undesirable.

[–] [email protected] 2 points 1 year ago
[–] [email protected] 2 points 1 year ago

Fedora Silverblue is locked down desktop linux

https://fedoraproject.org/silverblue/

[–] readwallah 2 points 1 year ago

LiveCD? Take a look at that as a number of distributions give you a read only experience.

[–] [email protected] 1 points 1 year ago

Ngl I know you don’t want to use big tech but I think chromeOS is probably your best bet.

[–] [email protected] -2 points 1 year ago

I’m a huge proponent of Linux but unless your business is locking down linux you’re better off getting an off-the-shelf OS that’s simple to maintain so you can make money with your core business. ChromeOS is your best bet.

[–] [email protected] -4 points 1 year ago

You don't want to do this.

load more comments
view more: next ›