Re: Securing Linux based public access terminals

[Jay Fougere <fougerej () ientry com>]

"Correction on this:  alt-f1 with kde and gnome both do not call a 
virtual console. "

You are absolutely correct -- that is the default behavior of X. My bad, 
must not have had enough caffeine that day =)

Jay Fougere

Jim McCullough wrote:

> Correction on this:  alt-f1 with kde and gnome both do not call a 
> virtual console.  control+alt-f1 will call a virtual console.   X 
> currently is mapped by default with Debian, Fedora, and RH that I know 
> of to follow this behavior.   Other tweaks can include SecurityPolicy 
> for X, and using SE-Linux policies to further lockdown the system(s).
>
> Regards,
> Jim McCullough
>
>
> Brett Anderson wrote:
>
> > True, xdm(or similar) should handle the logins so you can not do the
> > alt-f1, ctrl-z deal. Also, I mentioned disabling text logins via
> > /etc/inittab, so that you can not hit alt-f1, login, and use the shell.
> >
> > On Mon, 2004-07-19 at 10:02, Jay Fougere wrote:
> >  
> >
> > > You will also have to disable some keystrokes such as the alt-f1 
> > > alt-f2 (to access shells) otherwise all someone would have to do 
> > > would be to alt-f1 (switch to the terminal X is running in) and 
> > > ctrl-z (to suspend the active X session) and run commands as the 
> > > logged in user. If that user is chrooted in an environment with only 
> > > X and a browser that may not be a concern. I simply mention this 
> > > because many don't know about the ctrl-z to suspend the X session 
> > > (and that will circumvent any "lock the desktop" functions you may 
> > > be using)
> > >
> > > Brett Anderson wrote:
> > >
> > >   
> > >
> > > > You can achieve this using the ratpoison window manager
> > > > (http://ratpoison.sourceforge.net) and having your application start
> > > > when X does. ratpoison runs apps full screen with no window 
> > > > decorations.
> > > > You can easily modify the source to not allow the key combination that
> > > > allows users to spawn new programs.
> > > >
> > > > Then setup iptables rules to only allow the users access to the 
> > > > gateway
> > > > or web proxy.
> > > >
> > > > You may also want to lock down the virtual terminals by removing the
> > > > getty lines from /etc/inittab to prevent text logins.
> > > >
> > > > If you choose to use RedHat 9 you can get security updates via apt-get
> > > > or yum through the Fedora Legacy Project 
> > > > (http://www.fedoralegacy.org).
> > > >
> > > > Hope this helps.
> > > >
> > > > Brett
> > > >
> > > > On Thu, 2004-07-15 at 07:48, Andrew Shore wrote:
> > > >
> > > >
> > > >     
> > > >
> > > > > Hi
> > > > > I have a project where I need to give access to the internet to 
> > > > > groups
> > > > > of users who do not work for the company running the workstations.
> > > > > Hence, the company do not want the users to access any other part 
> > > > > of the
> > > > > network. For reasons too complicated to go into here I can't hive 
> > > > > this
> > > > > portion of the network off onto a DMZ or even a secure vlan.
> > > > >
> > > > > What I would like to is run a Linux workstation (RedHat probably 9 
> > > > > even
> > > > > though it's out of support) but when the user logs into the windows
> > > > > session all they get is the browser. No menus no right click on 
> > > > > the desk
> > > > > top just a basic single application "dumb terminal". I've seen 
> > > > > this done
> > > > > before but it was too well secured for me to see how it was done! 
> > > > > Also
> > > > > I'd like to the workstation to log straight in as a local user 
> > > > > with out
> > > > > user intervention.
> > > > >
> > > > > Any ideas how I can achieve this or perhaps secure it in another 
> > > > > way, I
> > > > > remember with windows 3.x you could change the windows manager 
> > > > > settings
> > > > > in win.ini and it did exactly what I want. I just really don't 
> > > > > want to
> > > > > use Windows 3.1 ;)
> > > > >
> > > > > TIA
> > > > >
> > > > > Andy
> > > > >
> > > > >
> > > > > --------------------------------------------------------------------------- 
> > > > >
> > > > > Ethical Hacking at the InfoSec Institute. Mention this ad and get 
> > > > > $545 off any course! All of our class sizes are guaranteed to be 
> > > > > 10 students or less to facilitate one-on-one interaction with one 
> > > > > of our expert instructors. Attend a course taught by an expert 
> > > > > instructor with years of in-the-field pen testing experience in 
> > > > > our state of the art hacking lab. Master the skills of an Ethical 
> > > > > Hacker to better assess the security of your organization. Visit 
> > > > > us at: 
> > > > > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > > > > ---------------------------------------------------------------------------- 
> > > > >
> > > > >
> > > > >
> > > > >  
> > > > >       
> > > >
> > > > --------------------------------------------------------------------------- 
> > > >
> > > > Ethical Hacking at the InfoSec Institute. Mention this ad and get 
> > > > $545 off any course! All of our class sizes are guaranteed to be 10 
> > > > students or less to facilitate one-on-one interaction with one of 
> > > > our expert instructors. Attend a course taught by an expert 
> > > > instructor with years of in-the-field pen testing experience in our 
> > > > state of the art hacking lab. Master the skills of an Ethical 
> > > > Hacker to better assess the security of your organization. Visit us 
> > > > at: 
> > > > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > > > ---------------------------------------------------------------------------- 
> > > >
> > > >
> > > >
> > > >
> > > >     
> > >
> > > --------------------------------------------------------------------------- 
> > >
> > > Ethical Hacking at the InfoSec Institute. Mention this ad and get 
> > > $545 off any course! All of our class sizes are guaranteed to be 10 
> > > students or less to facilitate one-on-one interaction with one of 
> > > our expert instructors. Attend a course taught by an expert 
> > > instructor with years of in-the-field pen testing experience in our 
> > > state of the art hacking lab. Master the skills of an Ethical Hacker 
> > > to better assess the security of your organization. Visit us at: 
> > > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > > ---------------------------------------------------------------------------- 
> > >
> > >
> > >   
> >
> >
> >
> > --------------------------------------------------------------------------- 
> >
> > Ethical Hacking at the InfoSec Institute. Mention this ad and get 
> > $545 off any course! All of our class sizes are guaranteed to be 10 
> > students or less to facilitate one-on-one interaction with one of our 
> > expert instructors. Attend a course taught by an expert instructor 
> > with years of in-the-field pen testing experience in our state of the 
> > art hacking lab. Master the skills of an Ethical Hacker to better 
> > assess the security of your organization. Visit us at: 
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ---------------------------------------------------------------------------- 
> >
> >
> >
> >  

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------