Interestingly, a few days after asking similar questions over post-Hackathon dinner, Slashdot posts an article regarding this.
http://linux.slashdot.org/article.pl?sid=09/03/09/236230

First (relevant) post ... answers with puppet another with cfengine and bcfg2 which are answers to central management.

Another interesting post:

"Don't give them root and they can't install software. Make sure the home directories an(d) /tmp is moutes (mounts) -noexec and there is NO WAY that they can run programs which aren't already installed. Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them."

Although not mentioned I am guessing putting a BIOS password, removing boot from floppy, cdrom, and usb, and locking the chassis should take care of most physical access issues if network boots are not an option.

Should /mnt also be set to noexec nowrite so users cannot create new mounts and bring a portable terminal or does this create more problems than it fixes?

Any insight would be appreciated.

--
Matthias A. Johnson
matthias.a.johnson aut gmail dot com

_______________________________________________
Mid-Hudson Valley Linux Users Group http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug

Upcoming Meetings (6pm - 8pm) MHVLS Auditorium
Mar 7 - Web Hack-a-thon - SUNY Newpaltz
Apr 1 - EC2 and Cloud Computer
May 6 - TBD
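
An added example, not part of the original post: a small audit that reads a mount table in `/proc/mounts` format and lists the user-writable paths that are not covered by a `noexec` mount, which is the setting the quoted Slashdot comment relies on. The watched list goes beyond the post's home directories and /tmp by also including /var/tmp and /dev/shm (an assumption), and the sample mount table is constructed.

```shell
#!/bin/sh
# Added example: report user-writable paths that are not on a noexec mount.
# Input on stdin: /proc/mounts format (device mountpoint fstype options dump pass).

# Paths unprivileged users can normally write to (assumed list, adjust per site).
WATCHED="/home /tmp /var/tmp /dev/shm"

# Constructed sample mount table: /home and /dev/shm are noexec,
# /tmp is not, and /var/tmp has no mount of its own so it inherits "/".
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# missing_noexec: prints, one per line, each watched path whose governing
# mount (longest matching mount point, last one wins on ties) lacks noexec.
missing_noexec() {
    awk -v watched="$WATCHED" '
        NF >= 4 { n++; mp[n] = $2; opts[n] = $4 }
        END {
            count = split(watched, w, " ")
            for (i = 1; i <= count; i++) {
                best = -1; o = ""
                for (j = 1; j <= n; j++) {
                    m = mp[j]
                    # A mount governs the path if it is "/", the path itself,
                    # or a parent directory of the path.
                    if (m == "/" || w[i] == m || index(w[i], m "/") == 1) {
                        if (length(m) >= best) { best = length(m); o = opts[j] }
                    }
                }
                # Match noexec as a whole option, not as a substring.
                if (("," o ",") !~ /,noexec,/) print w[i]
            }
        }'
}

# Demo on the constructed table; on a live host use: missing_noexec < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | missing_noexec
```
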
