Linux Desktop with Citrix Client

athreyavc · 11-09-2009, 08:37 AM

Hi All,

We are planning to deploy linux on all the desktops in our organization with Citrix client.

We are able to install the citrix client and connect to the remote server too.

But my queries are as below,

If we deploy linux desktop what is best distribution I should look for. It should be free( I have done the testing on the Fedora Core 11 and it runs smooth)

How much customization I should do? Ideally the users must only use Firefox nothing else. They connect to citrix servers and work there.

If anyone has done a large deployment of linux desktops please help me.

I Understand this question is generic, but I will take motivation from your replies.

Regards,

Athreya

kbp · 11-09-2009, 06:23 PM

It doesn't really matter that much as long as you use a current distro.. in regards to locking down the desktop you could go with KDE in kiosk mode, there's an admin gui available here as well:

http://extragear.kde.org/apps/kiosktool/

cheers

athreyavc · 11-20-2009, 05:24 AM

Hi,

Thanks for the reply.

I have completed the Citrix 9.0 client with Fedora Client. It works well.

Also, I have openoffice which I am using as a substitute, basically if there is a need to work from the local machine may be sometimes.

I have also tested the working of the Ekiga , it is connecting to Asterik server and talking to Xlite extensions on the windows machines

Overall seems a nice setup.

The boot time with fedora 11 observed is 50 seconds.

Are the OS, openoffice, ekiga all are free for me ?

I am using fedora 11.

And what are the security considerations I may need to take ? As per now, I have disabled the telnet, SSH

Regards,

Athreya

kbp · 11-20-2009, 06:42 AM

They are all open source... lockdown may take a little practice/trial and error, I suggest you build a test host specifically for this. Let me know once you have a test machine and I'll provide some of the hardening from kickstart scripts that I use. You will need to test very thoroughly after locking down to ensure that everything works as expected

cheers

athreyavc · 11-23-2009, 12:47 AM

Hi,

Thanks for the reply.

The locking happens with Fedora 11 by default. I am using GNOME. And as we are connecting to citrix servers (Windows servers we will access from the citrix) , i feel no need lock the local machine.

Local machine is not in any domain, instead it will receive only IPs and we connect to the citrix servers. So, if a local machine is unlocked also nothing much is lost as far as the data is concerned and security.

What I am now concerned is reducing the boottime and Hardening the system. I have not really gone to the internal of the system yet,

But please help me with the hardening

Thanks again for your support, it gives me lot of motivation go further.

Regards,

Athreya

chrism01 · 11-23-2009, 06:19 PM

I'd like to point out that Fedora is Redhat's R&D distro, with a new version every 13 mths and only the current and prev versions supported. It's a bit bleeding edge.
For long term support/stability (especially for a business env) try Centos (free version of RHEL).

Quote:

The seven year life cycle for a major release of Red Hat Enterprise Linux is divided into three phases.

http://www.redhat.com/security/updates/errata/

Admin manual: http://www.linuxtopia.org/online_boo...ion/index.html

kbp · 11-23-2009, 07:42 PM

Hardening stuff:

Code:

# openssh:
cat << EOF >> /etc/ssh/sshd_config
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
HostBasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
Banner /etc/issue.net
EOF

# Set SELinux mode
perl -pi -e 's/^SELINUX=.*$/SELINUX=permissive/' /etc/selinux/config

# Configure mlocate to act like slocate - users will not be able to locate files
# they dont have permissions to see
perl -pi -e 's?^/usr/bin/updatedb.*?/usr/bin/updatedb -l 1 -f "\$nodevs"?' /etc/cron.daily/mlocate.cron

#Configure tcp wrappers host access to a mostly closed access policy.
cat <<EOF >> /etc/hosts.allow
ALL:localhost
sshd:ALL
EOF
cat <<EOF >> /etc/hosts.deny
ALL: ALL: spawn echo \$\(date\) denied %d
EOF

# Setup password policy.
perl -pi -e "s/PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/" /etc/login.defs
perl -pi -e "s/PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/" /etc/login.defs
perl -pi -e "s/PASS_WARN_AGE.*$/PASS_WARN_AGE 28/" /etc/login.defs
perl -pi -e "s/PASS_MIN_LEN.*$/PASS_MIN_LEN 6/" /etc/login.defs

# Disable core dumps and increase open files
cat << EOF >> /etc/security/limits.conf
* - core 0
* - nofile 8192
EOF

# Set daemon umask
cat << EOF >> /etc/sysconfig/init
umask 027
EOF

# Disable interactive boot
perl -pi -e 's/^PROMPT=yes/PROMPT=no/' /etc/sysconfig/init

cat << EOF >> /etc/sysctl.conf
fs.suid_dumpable = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1
EOF

# Restrict root login to console
cat << EOF > /etc/securetty
console
tty1
tty2
tty3
tty4
tty5
tty6
EOF

# Limit su to root access to members of wheel
sed -i 's/^#\(auth.*req.*wheel.*$\)/\1/' /etc/pam.d/su

cat << EOF >> /etc/sudoers
%wheel  ALL=(ALL)       ALL
EOF

# Block shell and login access for non-root system accts
for NAME in $(cut -d: -f1 /etc/passwd)
do
  if [ "$(id -u $NAME)" -lt 500 -a "$NAME" != 'root' ]
  then
    usermod -L $NAME
    usermod -s /sbin/nologin $NAME
  fi
done

# Lock accts with empty passwords
for NAME in $(awk -F: '($2 == "") {print $1}' /etc/shadow)
do
    usermod -L $NAME
done

# Set users umask
cat << EOF >> /etc/profile
umask 077
EOF

perl -pi -e 'if ($. == 9) {s/^umask.*/umask 077/}' /etc/bashrc
perl -pi -e 'if ($. == 7) {s/^umask.*/umask 077/}' /etc/csh.cshrc

perl -pi -e 's/^UMASK.*/UMASK   077/g' /etc/login.defs

# Set roots umask
for FILE in /root/.bashrc /root/.bash_profile /root/.cshrc /root/.tcshrc
do
    echo "umask 077" >> $FILE
done

# Require password for single user
cat << EOF >> /etc/inittab

# Require password for single user
~~:S:wait:/sbin/sulogin
EOF

#-------------------------------------------------------------------------------
# Network hardening:: Non-firewall/gateway system
#-------------------------------------------------------------------------------
cat << EOF >> /etc/sysctl.conf

# Additional hardening as per NSA RHEL5 guide
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.conf.all.rp_filter = 1
EOF

# Harden permissions on cron dirs
chmod -R go-rwx /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly

cat << EOF > /etc/cron.allow
root
EOF

echo root > /etc/at.allow
chmod 400 /etc/{cron,at}.allow
chmod 400 /etc/crontab

rm -f /etc/cron.deny /etc/at/deny

cat << EOF > /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1059:101844]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

enjoy,

kbp

oasys · 11-25-2009, 02:47 PM

athreyavc
Our company is going down the same path as you. Any chance that we can compare notes. One of the problems that I'm having is with Citrix understanding the many different usb drives that might be put in the host machine.

thanks