How to harden a ubuntu desktop?
We are planning to install 80 ubuntu desktops in a college. The management told us to harden the ubuntu desktop as much as possible, like the user should not able to customize system settings for example changing wallpapers, themes etc etc..Could you all pls share your points in hardening a ubuntu system? So that it will be helpful for me to build a good desktop system. Thanks in advance
Tasks to be done:
- Restrict users changing wallpapers & themes
- Restrict users adding / deleting system panels.
- Restrict users installing / deleting packages.
- Disable USB storage devices.
- Displaying IP address of the system in the background of system wallpaper in bold in right bottom.
Solution 1:
Some general points:
-
Gnome3 (Ubuntu 11.10 and later - Unity is based on Gnome) uses dconf to store its settings. See the "Lockdown" section in the dconf System Administrator Guide for how to lock settings so that the users can't change them.
Use dconf-editor (package
dconf-tools
) to see what options are there. -
For Gnome2 (up to Ubuntu 11.04) there's the Desktop Administrators' Guide to GNOME Lockdown and Preconfiguration.
In Gnome3 most of the configuration option described there aren't used any more, but as some programs (like Compiz) still use Gnome2's GConf the "Enabling Lockdown" section may still be relevant.
Use gconf-editor to see what options are stored in GConf.
Have a look at PolicyKit and AppArmor for some more general way of to to grant and revoke privileges to/from users and programs
To disable USB storage devices blacklisting the usb_storage
kernel module should do the trick, see the modprobe.conf manpage for how to do that.