How about if you disable user reboot and shutdown? Then you could replace the power button with a key switch.
Announcement
Collapse
No announcement yet.
Offtopic (split from ...data offline from live CD)
Collapse
This topic is closed.
X
X
-
Tags: None
- Top
- Bottom
-
Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish
- Jul 2011
- 9524
- Seattle, WA, USA
- Send PM
Attack: enter sudo reboot in a console window
Defense: disallow sudo and su
Attack: Remove and re-insert the power cord
Defense: Tamper-resistant power cabling (no socket in back of PC, no socket in wall)
Attack: Use Alt+SysRq+R+S+E+I+U+B to reboot the computer without needing to be root
Defense: Put echo 0 > /proc/sys/kernel/sysrq in /etc/rc.local to disable Magic SysRq keys
and so on
aanndd ssoo oonn
aaaannnndddd ssssoooo oooonnnn
- Top
- Bottom
-
Well the first one (sudo) just a good password and not being in the sudo users group would prevent that. Besides, you could block Konsole and re-direct crtl-alt-fX or close the ttys.
I'm going to drag this out until your head explodes...
- Top
- Bottom
Comment
-
Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish
- Jul 2011
- 9524
- Seattle, WA, USA
- Send PM
Attack: Attach a FireWire device (if the computer has a port) -- unlike USB, FireWire does direct memory access and can take control of the hardware
Defense: Disable FireWire in firmware settings or blacklist the kernel module
Attack: Press Alt+F2 and enter dbus-send --system --print-reply --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart
Defense: Disable KRunner, or the ability to (1) run commands and (2) change the KRunner configuration
We could keep going
The overarching point is this: if you have to work so hard to cover all the myriad ways people will try to circumvent your policies, then maybe you've hired the wrong people. If you're so worried that someone will install an alternate operating system, you should stop thinking about your employees as adversaries and instead find out if they're missing criticial tools necessary to do their jobs.Last edited by SteveRiley; May 31, 2014, 06:22 PM.
- Top
- Bottom
Comment
-
Originally posted by SteveRiley View PostThe overarching point is this: if you have to work so hard to cover all the myriad ways people will try to circumvent your policies, then maybe you've hired the wrong people. If you're so worried that someone will install an alternate operating system, you should stop thinking about your employees as adversaries and instead find out if they're missing criticial tools necessary to do their jobs.
- Top
- Bottom
Comment
-
I will try to be serious about this, here is my real life solution. Don't boot from the HD, boot from USB or CD. The HD is just used for file storage. If your OS is on CD, it would remain untouched 100%. USB would be read/write, but in most cases these media will boot slower than a HD. If I were in fear of someone replacing the OS, the best option would be to keep the OS on your person. The PC drive could not boot without a boot sector.
I am no expert but it seems like a simplistic solution to just pop in a CD or USB and boot the machine.
- Top
- Bottom
Comment
-
If one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.Windows no longer obstructs my view.
Using Kubuntu Linux since March 23, 2007.
"It is a capital mistake to theorize before one has data." - Sherlock Holmes
- Top
- Bottom
Comment
-
Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish
- Jul 2011
- 9524
- Seattle, WA, USA
- Send PM
Originally posted by Snowhog View PostIf one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
Originally posted by Simon View PostI will try to be serious about this, here is my real life solution. Don't boot from the HD, boot from USB or CD. The HD is just used for file storage. If your OS is on CD, it would remain untouched 100%. USB would be read/write, but in most cases these media will boot slower than a HD. If I were in fear of someone replacing the OS, the best option would be to keep the OS on your person. The PC drive could not boot without a boot sector.
There are really only two solutions here:
1. Remote desktop, as Snowhog writes.
2. Hardware-based attestation and root-of-trust using a TPM, as I described in post #14.
- Top
- Bottom
Comment
-
So it boils down to what you said Steve, you need some avenue of trust with your employees. I am glad Frank and I run a relaxed working atmosphere at the clinic. We don't bark at our staff for playing games at work. For example, Cindy is working the front desk and I can see that between patients she is on Facebook or playing a game. I really could care less as long as it relaxes her and she can get her work done. I really don't need a crab ass greeting people at the front. lol
I would never expect anyone to work in an environment that cannot trust each other to do their job. At lunch we usually stay in and order takeout, so a lot of us like to jump on a game. I hit Kongregate or something like that at lunch. BTW I almost forgot. We are running Linux in the office now, Frank and I set all the office PCs up to use it. A few people came in last month and was thinking they would have to relearn. But we have everything set up and no complaints. Best of all, zero downtime so far. However I lost out on installing Kubuntu, Frank convinced me that Debian with the Gnome GUI (I think) is more Windows user friendly to assimilate. But you guys know I am still loyal to my Kubuntu as my employees and coworkers are loyal to me.
- Top
- Bottom
Comment
-
Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish
- Jul 2011
- 9524
- Seattle, WA, USA
- Send PM
GNOME Shell (in GNOME 3.x) is about as opposite from Windows as you can imagine. Are you sure the DE that Frank picked is that one? The older GNOME 2.x is sort of Windowsish, but it is no longer under maintenance.
TBH, if the goal is to replicate a Windows experience, KDE is the best choice.
Oh, and hello from AA 2411 at 39,000 feet, enroute DFW to SFO! Yes, I'm posting this purely because I can Ain't technology grand?
Last edited by SteveRiley; Jun 06, 2014, 10:27 PM.
- Top
- Bottom
Comment
-
I can't see you. Open the door and "wave".Windows no longer obstructs my view.
Using Kubuntu Linux since March 23, 2007.
"It is a capital mistake to theorize before one has data." - Sherlock Holmes
- Top
- Bottom
Comment
-
Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish
- Jul 2011
- 9524
- Seattle, WA, USA
- Send PM
-
I am getting ready to head for work, but here is the info Frank gave me.
Linux Debian 6.0.9
Kernel 2.6.32-5-686
Gnome 2.30.2
Now before you go telling me we could do better, I doubt even one machine in the office has a dual core or more. In fact, I seem to recall the best machine we got donated to us was an Intel 32 2Ghz with 1GB or so of RAM. But it is not like we spent any of our funding on this, the university gave us bonus points for that small feat alone. Frank and I feel this is a victory. It works and that is what really matters eh? Money well not spent.
- Top
- Bottom
Comment
-
Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish
- Jul 2011
- 9524
- Seattle, WA, USA
- Send PM
- Top
- Bottom
Comment
-
Originally posted by Snowhog View PostIf one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
What exactly is a client terminal & monitor? I'd imagined them as really low powered PCs that can SSH to the server, but based on your description that can't be right! What's the physical connection between it and the server?
- Top
- Bottom
Comment
Comment