[Cialug] Secure Linux System

Mike mike at linuxlychallenged.org
Wed Sep 12 07:47:02 CDT 2012


In a virtualized environment:
VMware ESX/i, Workstation
KVM

You can build a system and then modify the disk to be Independent / 
Non-Persistent.
Each time you shutdown the changes made since the boot are reverted to 
the disk state at the time you set it to be non-persistent.

For physical systems (and virtual) you can use Clonezilla (like Ghost) 
which can clone and distribute machine images. Given the speed you could 
distribute a secure clean image to the physical or virtual box at the 
beginning of every day.

(from the about page at clonezilla.org)

---Clonezilla SE was used to clone 41 computers simultaneously. It took 
only about 10 minutes to clone a 5.6 GBytes system image to all 41 
computers via multicasting!



On 9/11/2012 9:58 PM, Josh More wrote:
> Ken beat me to it.
>
> I've built read-only Linux-based kiosk machines twice.  After both
> experiences, I decided that that was the wrong solution to the
> problem.  I hope I don't have to learn it again.  ;)
>
> The fundamental problem is that while user-tampering is an annoyance
> that read-only is well-designed to solved, web-based systems face far
> more serious threats that read-only systems prevent you from solving.
> To fight against malicious sites, for example, modern browsers store
> local blacklist files that they download before launch. Usually they
> just download deltas, so it's not a huge delay.  On a read-only
> system, they have to download the delta from gold, which could grow
> very large very quickly.
>
> In many cases, it makes more sense to have a read-write system that
> reloads profiles at boot, so system updates can still be applied.  For
> browser-only systems, you could do a bit of fstab and firefox profile
> scripting to get the best of both worlds.  (Probably possible in
> Chrome too, but their update cycle is a bit weirder.)
>
> For the true tinkerers, you could always boot into Xen, run a minimal
> X in Xen (a general no no, but that can be worked around) that
> auto-launches a VNC session into one of the Xen VMs that resets from
> gold at boot and mounts as read-only + ram disk each time.  Not a good
> design in most cases, but I can think of some situations where it
> beats all others.
>
> -Josh More
>
>
>
> On Tue, Sep 11, 2012 at 9:28 PM, kristau <kristau at gmail.com> wrote:
>> On Tue, Sep 11, 2012 at 8:50 PM, L. V. Lammert <lvl at omnitec.net> wrote:
>>> Just need a browser, basically. Not sure how LTS would apply? Knoppix
>>> would be pretty much overkill.
>>>
>>> Thinking of something like PuppyLinux, .. but the main problem is how to
>>> add things like printer drivers.
>>>
>>>          Lee
>> Well, you don't *just* need a browser. It sounds like you need
>> printing too? If you just needed a browser, any live bootable distro
>> would work just fine.
>>
>> Why do you need to print (do you really need dead tree versions)? How
>> often would you need to reset the system? How many printers? What
>> brands/models?
>>
>> Ubuntu Live might work if you don't mind re-configuring CUPS each time
>> you reset. If the printers don't change much, you could probably
>> script the commands to add them, too. That would save time after a
>> reset.
>>
>> Taking a big step back, what is your use case and requirements? You
>> started by presenting us with a solution (build a read only linux).
>> Instead, give us your problem/situation and we may come up with
>> alternative solutions.
>>
>> --
>> Tired programmer
>> Coding late into the night
>> The core dump follows
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
>



More information about the Cialug mailing list