How do I deny user to mount floppy, cdrom and usbstick ?
Robin Laing
Robin.Laing at drdc-rddc.gc.ca
Wed Feb 9 16:38:58 UTC 2005
Matt Morgan wrote:
> On Wed, 9 Feb 2005 14:22:17 +0100 (MET), Karl-Olov Serrander
> <kase at cntw.com> wrote:
>
>>Running FC2/FC3 in a sensitive environment we need to deny ordinary
>>users the possibilty to read or write floppy/cdrom/usbsticks.
>>
>>We need to be able to give som users/machines permissions to do nothing/read/write
>>floppy/cdrom/usbsticks.
>>
>>How can this be done ?
>
>
> Can you put the computers in locking cases? Sometimes that's the
> easiest/best way. For one thing, it's easy for a non-technical
> security guard to know when the security has been altered, so you
> don't have to be querying logs all the time.
>
> Otherwise, in addition to breaking removable devices in the OS, you
> might also want grub passwords, BIOS passwords, etc., because you'll
> have to prevent booting from CD's and floppies, too, to stop people
> from starting up a different copy of the OS. That can all be hard to
> keep track of.
>
> Depending on the sensitivity, it probably makes sense to turn off what
> you can in software, also, but do consider physical security as part
> of the broader solution. There are off-the-shelf cases that don't cost
> very much.
>
Or don't install the devices or connectors in the first place. If
there is a requirement for using one of these, then take the computer
back to "the shop". This is what we do.
For USB/IEEE ports on motherboards, fill with epoxy and they become
un-usable.
Physical control is much easier to control than any other method.
--
Robin Laing
More information about the fedora-list
mailing list