Tuesday, July 12, 2011

Simple Changes To Secure an Ubuntu Deskop

When you talk about desktop security there's a lot that can be discussed: user permissions, firewalls, etc. Here's a little step that gets overlooked quite a bit, but can go a long way to preventing a direct attack against your destkops.

In Ubuntu Desktop, you can deploy custom Gnome settings that override the defaults by dropping an XML file at:
/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml

I use Puppet to deploy these settings to all of my Linux desktops. If you're from the Windows world, this is like using group policy, but with much more granular control.

Here's a sample of a few things you should change:

  • Disable autorun - yes, there ARE nasty things you can do to Linux with an autorun USB stick, despite the Linux Fanboi's who may say otherwise. I've seen it.

  • Disable the User List at Logon - You should already know who you are before you go to log in

  • Enforce a screensaver lock - Make the desktops automatically lock to screensaver when left alone



  1. <?xml version="1.0"?>

  2. <gconf>

  3. <dir name="apps">

  4. <dir name="nautilus">

  5. <dir name="preferences">

  6. <entry name="media_automount_open" mtime="1287339134" type="bool" value="false"/>

  7. <entry name="media_autorun_never" mtime="1287339134" type="bool" value="true"/>

  8. </dir>

  9. </dir>

  10. <dir name="gdm">

  11. <dir name="simple-greeter">

  12. <entry name="disable_user_list" mtime="1287339134" type="bool" value="true"/>

  13. </dir>

  14. </dir>

  15. <dir name="gnome-screensaver">

  16. <entry name="idle_delay" mtime="1253741251" type="int" value="5"/>

  17. <entry name="idle_activation_enabled" mtime="1253741234" type="bool" value="true"/>

  18. <entry name="lock_enabled" mtime="1253741201" type="bool" value="true"/>

  19. </dir>

  20. </dir>

  21. </gconf>


Because these settings are "Mandatory" the user can't override them with one exception - the user will still be able to change the screensaver timeout. This appears to be a bug in Gnome or Gnome Screensaver. They can't disable the lock, but they can push it to as far out as two hours.

Other changes might include:

  • disabling USB storage devices entirely

  • installing an iptables based default firewall

  • requiring SSH encryption keys when logging in remotely instead of passwords

  • Encrypting home directories


... and a lot more. I think network admins typically think of the big things and miss little things like forcing the screensaver to lock when left alone.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)