securing RHEL 5.x in a university lab setting

Wed Jul 9 16:41:27 UTC 2008

Tim,

Once you give someone physical access to a box, the sky is the limit, unless
you're boxes will have full disk encryption. Savvy users will always find
ways to bypass your security controls. The question is, what is your risk
tolerance? The answer that question should drive the effort you will put
into securing those workstations.  That said, here are a couple of guides I
have used in our corporate environment to secure RHEL servers:

http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf

http://www.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf

If you have the option, my suggestion would be to run Xen virtual machines
and save a vanilla snapshot with all your desired settings. Let your
students do pretty much whatever they want and restart the workstations
every time someone logs off, in order to restore the vanilla snapshot every
time. This will give you the most secure option in my opinion.

Regards,

Enils Bashi, RHCE, CISSP
Sr. Security Engineer\Information Technology Group

F T I 
410.571.7003 direct

906 Commerce Road
Annapolis, MD 21401
www.fticonsulting.com

Confidentiality Notice:
This email and any attachments may be confidential and protected by legal
privilege. If you are not the intended recipient, be aware that any
disclosure, copying, distribution or use of the e-mail or any attachment is
prohibited. If you have received this email in error, please notify us
immediately by replying to the sender and then delete this copy and the
reply from your system. Thank you for your cooperation.

-----Original Message-----
From: redhat-sysadmin-list-bounces at redhat.com
[mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Tim Mooney
Sent: Wednesday, July 09, 2008 12:21 PM
To: redhat-sysadmin-list at redhat.com
Subject: securing RHEL 5.x in a university lab setting

All-

We've been running a lab of Linux workstations for our students for
several years, and in the past I've felt pretty confident that we had
the systems well-secured.  I think it was easier in the past, though,
because the systems weren't quite so "user friendly".

I'm planning on kickstarting the lab with RHEL 5.2 in the next few weeks.
With RHEL 5.x and the GNOME/KDE environment that comes with it and some
of the newer components (e.g. HAL), I'm concerned that there may be new
things that I need to do to prevent the lab users from being able to
compromise the security of the systems.  Having physical access to the
systems always makes security more tricky...

We're still doing all the basics (BIOS & grub passwords to control what
can be booted, etc.).  My primary new concern is with making sure that
students can bring in media (USB sticks, CDs, etc.) and get it mounted
without also being able to make use of setuid binaries they may have
placed on the media they bring in.

With that in mind, anyone have any good pointers for securing the
graphical desktops and HAL against possible attackers with physical
access?  More generally, anyone know of a good guide or checklist
for securing RHEL 5.x in a university lab?

Thanks,

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

--
redhat-sysadmin-list mailing list
redhat-sysadmin-list at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7443 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-sysadmin-list/attachments/20080709/777314d7/attachment.bin>