securing RHEL 5.x in a university lab setting
Stephen John Smoogen
smooge at gmail.com
Wed Jul 9 16:26:10 UTC 2008
On Wed, Jul 9, 2008 at 10:20 AM, Tim Mooney <Tim.Mooney at ndsu.edu> wrote:
>
> All-
>
> We've been running a lab of Linux workstations for our students for
> several years, and in the past I've felt pretty confident that we had
> the systems well-secured. I think it was easier in the past, though,
> because the systems weren't quite so "user friendly".
>
> I'm planning on kickstarting the lab with RHEL 5.2 in the next few weeks.
> With RHEL 5.x and the GNOME/KDE environment that comes with it and some
> of the newer components (e.g. HAL), I'm concerned that there may be new
> things that I need to do to prevent the lab users from being able to
> compromise the security of the systems. Having physical access to the
> systems always makes security more tricky...
>
> We're still doing all the basics (BIOS & grub passwords to control what
> can be booted, etc.). My primary new concern is with making sure that
> students can bring in media (USB sticks, CDs, etc.) and get it mounted
> without also being able to make use of setuid binaries they may have
> placed on the media they bring in.
>
> With that in mind, anyone have any good pointers for securing the
> graphical desktops and HAL against possible attackers with physical
> access? More generally, anyone know of a good guide or checklist
> for securing RHEL 5.x in a university lab?
>
Hi Tim
I haven't dealt with this in 2 years so I am off.. but there is a way
to tell hal that usb keys are mounted nosuid. [Actually I think that
is the default.. but I can't remember]. The CIS or NSA guides might
have the actual steps to do that.. sorry I can't help more.
--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
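
Whatever mechanism ends up applying the option, the result can be checked on a running lab machine by reading the mount table. The following is an added example, not part of the original thread: it flags any filesystem mounted under `/media` without `nosuid`, and also checks `nodev`, which goes slightly beyond the setuid concern raised above. The `/media` prefix, the function names and the sample mount lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a mount table (in /proc/mounts format, read from stdin) for
# removable-media mounts that lack nosuid or nodev.
# Assumption: user-mounted media appears under /media.

# check_media_mounts [PREFIX]
# Prints "<mountpoint> missing:<options>" for each offending mount.
# Returns 0 when every mount under PREFIX is safe, 1 otherwise.
check_media_mounts() {
    awk -v prefix="${1:-/media}" '
        # Fields: device mountpoint fstype options dump pass.
        # /proc/mounts escapes spaces in paths as \040, so splitting is safe.
        $2 == prefix || index($2, prefix "/") == 1 {
            n = split($4, opts, ",")
            has_nosuid = 0; has_nodev = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") has_nosuid = 1
                if (opts[i] == "nodev")  has_nodev = 1
            }
            missing = ""
            if (!has_nosuid) missing = "nosuid"
            if (!has_nodev)  missing = (missing == "" ? "nodev" : missing ",nodev")
            if (missing != "") { print $2 " missing:" missing; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample data, not captured from a real system.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sdb1 /media/KINGSTON vfat rw,nosuid,nodev,uid=500 0 0
/dev/sdc1 /media/disk ext3 rw 0 0
/dev/hdc /media/cdrom iso9660 ro,nosuid 0 0
/dev/sdd1 /mediaserver ext3 rw 0 0
EOF
}

# Stand-alone run against the sample; on a real host use:
#   check_media_mounts < /proc/mounts
sample_mounts | check_media_mounts || echo "unsafe media mounts listed above"
```

Run it with a USB stick and a CD inserted while logged in as an ordinary lab user, since the options that matter are the ones applied to desktop-initiated mounts.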