LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   What is the best way to restraint/secure a workstation ? (http://www.linuxquestions.org/questions/linux-security-4/what-is-the-best-way-to-restraint-secure-a-workstation-931018/)

igor012 02-24-2012 04:16 AM

What is the best way to restraint/secure a workstation ?
 
Hello,
I want to prevent users to copy on usb devices and some others actions.
I was thinking of using polkit. Do you think it is a good solution or does someone know some alternatives ?

Thank you

unSpawn 02-24-2012 11:06 AM

Quote:

Originally Posted by igor012 (Post 4610850)
I want to prevent users to copy on usb devices

Can I ask you for your reasons why?


Quote:

Originally Posted by igor012 (Post 4610850)
and some others actions.

What?


Quote:

Originally Posted by igor012 (Post 4610850)
I was thinking of using polkit. Do you think it is a good solution or does someone know some alternatives ?

Create a policy that denies any computer user from copying data on removable media or transferring data in unauthorized ways + disable parallel, SCSI, USB, Firewire, eSATA, PCMCIA and other such ports in the BIOS of each and every computer + physically lock those ports on each and every computer + disable all related modules from loading + enable auditing to track any violations + have all personnel searched ;-p If this is unmanageable then you must make it manageable. If you can't then, reasoning the other way around, one can say your data evidently is not worth such measures ;-p.

* BTW, if you were thinking about ways data gets off premises you might find this thread interesting.

igor012 02-29-2012 04:41 AM

I want to prevent people from copying data (usb and cd/dvd)

It's been required by my company's clients to match with their own security policies.

allend 02-29-2012 07:57 AM

There is always the physical solution. Remove optical disk writers and fit computer case locks to prevent reinstallation as well as hard drive removal. Fill the usb ports with epoxy.

To be more confident, remove networking devices and network connection points.

More sensitive data may require that you:
Ban the use and possession mobile computing devices such as laptops and mobile phones.
Ban the use of portable recording devices such as pencils and paper.
Require staff to work naked. Mascara and lipstick on skin is a potential low bandwidth copying technique.
Employ security to monitor and enforce restrictions.

More extreme measures that can be considered:
Train all staff to forget everything after a finite time, at a maximum the time needed to leave the workstation and get out the nearest exit.
Turn off all power.
Regularly disinfect with an EMP device.

If your life depends on this, give up. The concept of privacy is so last century. Just ask Google.

igor012 02-29-2012 08:08 AM

clever

allend 02-29-2012 08:56 AM

I wanted to underline the point that a software solution can only take so far.
You have not provided enough detail about your circumstances to provide full advice. If you have all Linux machines, then not allowing users access to plug devices by group permissions is possible. Removing the code that allows optical disks to be written is possible.
However, this would not stop someone from plugging a laptop into your network and copying the data.
The history of security shows that users will find ways around the barriers if it interferes with their ability to get the their work done.

igor012 02-29-2012 10:04 AM

Hi,
You could have chosen another way to explain your point of view. Lack of details wasn't worth such sarcasm.

I'm trying to set what I was asked: policies to secure workstations. no usb drive/cd copy on openSUSE 12.1.

Regards,

allend 02-29-2012 06:04 PM

Quote:

If you have all Linux machines, then not allowing users access to plug devices by group permissions is possible. Removing the code that allows optical disks to be written is possible.
Exactly how hard did you try to find this information?

Disabling usb storage devices. http://tcs-security-blanket.blogspot...-opensuse.html

To prevent optical disk writing, remove cdrtools and dvd+rw-tools.

igor012 03-01-2012 02:40 AM

Thanks


All times are GMT -5. The time now is 02:43 AM.