- OK. I agree, but personally hate RHEL.
- Yes.
- Suppose so.
- Brightness and sound controls too?..
- Yep, meant that.
- I thought of something like company-issued laptops, which might be good to have functional without Internet connectivity sometimes, if it’s remote work.
- Dependent on the role some users might need to regularly install software you haven’t thought about.
- Yes.
- Well, disagree about SecureBoot, there’s nothing secure about MS signing your binaries. It’s just proof they are signed by MS. Setting TPM under Linux is, eh, something I’ve never done.
Comment on What the Linux desktop really needs to challenge Windows
enumerator4829@sh.itjust.works 1 day agoI’ve managed Linux desktop fleets in enterprise-like environments. I’ll modify your list a bit:
- Use Rocky or RHEL (because the commercial software you want to use only has support for RHEL and/or Ubuntu)
- disallow root completely without exception
- do additional hardening
- don’t allow sudo for fucking anything
- run centrally controlled configuration management (most likely Puppet)
- Ironically - disallow any use of Flatpak, Snap and AppImage. They don’t play that well with Kerberized NFS-mounted home directories, which you absofuckinglutely will be required to use. (Might have improved since I tried last time, but probably not. Kerberos and network mounted directories,home or otherwise, are usually a hard requirement.)
- Install and manage all software via configuration management (again, somewhat ironically, this works very well with RPMs and DEBs, but not with Flatpak/Snap/Appimage). Update religiously, but controlled (i.e. Snap is out).
- A full reprovision of everything fairly regularly.
- You most likely want TPM-based unlocking of your LUKS encrypted drives, with SecureBoot turned on. This is very fun to get working properly in a Linux environment, but super simple to do on Windows.
And as you have guessed, on Windows this requires a bit of point and click in SCCM to do decently.
On Linux, you’ll wanna start by getting a few really good sysadmins to write a bunch of Puppet for a year or so.
(If we include remote desktop capabilities in the discussion, I’ll do my yearly Wayland-rant.)
vacuumflower@lemmy.sdf.org 1 day ago
enumerator4829@sh.itjust.works 1 day ago
You need to have secure boot in order to have the disk decrypt without user input, otherwise the chain is untrusted. You can (and probably should) load your own keys into the firmware and sign everything yourself. MS has nothing to do with it, except that BitLocker is much better than anything any Linux distro has to offer today.
You need to have the disk decrypt without user input, and you can’t have the secret with the user. (As the user is untrusted - could be someone stealing the laptop.) The normal Linux user mantra of ”I own the machine” does not apply here. In this threat model, the corporation owns the machine, and in particular any information on it.
As for sudo, this is why we have polkit. (Yes, technically root, but you get my point)
And as for number 7 - this is why most Windows fleets use ”Software Center” or similar. No reason you can’t do the same on Linux, just that no one has done it yet. (I mean, you can, with pull requests into a puppet repo, but that’s not very user friendly)
Hate RHEL all you want, but first take a look at what distros have any kind of commercial support at all from software vendors. This is the complete list: RHEL, sometimes Rocky, sometimes Ubuntu. Go ask your vendor about Fedora Silverblue and see what happens. The primary reason to run Linux like this is usually to use a specific (and probably very expensive) software that works best on Linux, so distro choice is usually very limited to what that software vendor supports. (And when they say Linux, they are really saying ”the oldest still supported RHEL.)
Basically, corporate requirements go completely against the requirements of enthusiasts and power users. You don’t need Secure Boot to protect your machine from thieves, but a corporation needs Secure Boot to protect the machine from you.
vacuumflower@lemmy.sdf.org 1 day ago
MS has nothing to do with it, except that BitLocker is much better than anything any Linux distro has to offer today.
It’s a piece of software with closed source code. I am aware that people can hide (and have done so many times) a backdoor or a mistake in source code so that it’ll be harder to find than many problems in binaries without source provided.
Still harder to audit.
You need to have the disk decrypt without user input, and you can’t have the secret with the user. (As the user is untrusted - could be someone stealing the laptop.) The normal Linux user mantra of ”I own the machine” does not apply here. In this threat model, the corporation owns the machine, and in particular any information on it.
Smart cards?
Hate RHEL all you want, but first take a look at what distros have any kind of commercial support at all from software vendors. This is the complete list: RHEL, sometimes Rocky, sometimes Ubuntu.
I know.
Basically, corporate requirements go completely against the requirements of enthusiasts and power users. You don’t need Secure Boot to protect your machine from thieves, but a corporation needs Secure Boot to protect the machine from you.
Sigh. Okay.
enumerator4829@sh.itjust.works 1 day ago
Look, I’m not saying BitLocker isn’t flawed. I’n m saying the alternatives on Linux are shit. All the primitives are there, and you can do it on Linux, with lots of work, testing and QC of all software updates on all your hardware (or else you’ll do manual entry of disaster recovery keys for the next decade). But on Windows it’s a checkbox to encrypt the entire fleet, along with management of recovery keys.
Also, on audits: for people doing checkbox security (i.e. most regulated industries), this is very easy to audit. You just smack in ”Bitlocker” and you are done. For some, the threat isn’t really information loss, it’s loss of compliance (and therefore revenue). Stupid, but here we are. If you mean actual security, then you are probably correct.
A smart cart only authenticates and identifies the user - it can’t do attestation of the boot chain. If we use a smart card for disk encryption, a malicious or compromised user can just pop out the SSD, mount and decrypt (using the smart card) on a separate machine and extract/modify data without a trace. If you use SB, the TPM and disk encryption as intended, you can trust both the user (via smart card) and the machine (probably via a Kerberos machine key). Basically, this method prevents the user from accessing or modifying data on their own machine.
Again, on Windows this is basic shit any Windows sysadmin can roll out easily following a youtube tutorial or something. Providing those same security controls on Linux will yield a world of pain.
We really need to make this easy on Linux. systemd-boot and UKIs are trying, but are not even close to enough.
WhyJiffie@sh.itjust.works 1 day ago
Well, disagree about SecureBoot, there’s nothing secure about MS signing your binaries. It’s just proof they are signed by MS. Setting TPM under Linux is, eh, something I’ve never done.
that’s the difficult part of SecureBoot: you need to set up MOK and somehow sign the bootloader, kernel, modules with it.
but against small scale intrusions even the MS signed things could work
VirtuePacket@lemmy.zip 1 day ago
The other thing you’ll need is for compliance and risk management frameworks (e.g. CMMC, ISO27001, CIS, etc.) to fully embrace Linux controls and environments. As of right now, it’s a patchwork full of holes and if you need to demonstrate compliance, it’s likely to be a lot more challenging running Linux workstations.