BlueBuild and deploy your customized image to the devices
I can highly recommend this. This is the modern way of creating corporate environments. It's very easy to create, update and maintain, switch, go back.
That's the neat part, you don't.
A lot of the points you mention can be achieved with Univention (a Debian-based central management environment) and a few extra steps. Should be possible, imho.
Neat! I'll check it out.
FreeIPA?
Edit: You can use Fleet Commander https://fedoramagazine.org/join-fedora-linux-enterprise-domain/
There are plenty of RMM tools/companies that support Linux platforms.
Name a few that run locally in a server and support domain services
ConnectWise and NinjaOne come to mind.
Free and open source? If it's enterprise pay for a suite.
Those are true RMMs though
Not to mention they are going to get compromised at some point
You can self host either platform so you have full control.
At that point anything you run is on you for security.
That list makes me wanna get a job at a small company of up to 10-20 people, where none of these things are usually needed...
I hear you. But if we want Linux to seriously become the next desktop OS, I think it's important to find something that gives large organisations some kind of way to manage their large IT inventory and users securely.
~~FreeIPA~~
Fleet Commander seems to be great for this task. It runs FreeIPA among a few other things to allow for Active Directory-like control.
https://fedoramagazine.org/join-fedora-linux-enterprise-domain/
I'd say most of those are needed; they're just not used.
All in all, I guess something like Fedora Silverblue (immutable) with some remote management software?
There is Zorin Grid (https://zorin.com/grid/) that I think is what you are looking for. It does not exist yet (and it has that notify button for a long long time, but there can still be hope it is not dead and it will come out one day.)
If you want to control users, don't give them admin privileges.
Most of the things you enumerated solve Windows-specific problems and therefore have no analogs in other OSes.
That's the thing. They need some admin access. Especially if they're working in IT and need to do certain tasks that require that privilege.
The simplest solution is to set up the sudoers file to allow only specific commands your users need. I assume you need more than that, but what kinds of use cases does that solution fail to handle?
Well, for example, I work as a DevOps specialist. I need to install certain tools on my system like Docker, Kubernetes, virtual machines, etc. Those kinds of tools often require admin privileges to use in development. I may need to modify some files related to those tools in /etc but I shouldn't have access to all files. For example I would want to prevent users from modifying apt or yum repo sources.
I'm not a supporter of the approach of blocking sudo access from capable people (non-tech, yes), because they can still download and execute binaries as their user. Or go to rescue mode to make modifications. I had to do that myself because of a micromanaging IT team. Allowed? No. Allows me to focus on my work and lets me be efficient? Yes. Usually this approach also requires a backdoor tool on your device that they install, which is just ridiculous.
Just communicate setup requirements (drive encryption, firewall, AV, ...) and have some tool to check the security requirements and rating. This way you can apply proper security policies in the company and respect the user's privacy.
Allow only those tasks in policykit, make a link with pkexec <tool>
?
Takes a bit more than that to really lock down a Linux install. At the very least you'd have to also limit their ability to mount extra storage, mount their /home with noexec, and centrally manage their browser.
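An added example, not posted by anyone in this thread: a small Python check of the kind of requirements discussed above, flagging a `/home` mount without `noexec`, sudoers rules that grant an unrestricted `ALL` command list, and rules that reach apt or yum repo sources. The sample mount table, sudoers lines, user names and function names are constructed for illustration, and the sudoers parsing is a simplification that assumes single-line rules without aliases.

```python
import re

# Constructed sample inputs (not from the thread): /proc/mounts-style lines and sudoers rules.
SAMPLE_MOUNTS = """\
/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""
SAMPLE_SUDOERS = """\
# devops group: specific tools only
%devops ALL=(root) /usr/bin/systemctl restart docker, /usr/bin/virsh
alice ALL=(ALL:ALL) ALL
bob ALL=(root) NOPASSWD: /usr/bin/systemctl restart libvirtd, sudoedit /etc/apt/sources.list
"""

def audit_mounts(mounts_text, path="/home", required=("noexec",)):
    """Return findings if `path` lacks a required mount option or is not its own mount."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == path:
            missing = [o for o in required if o not in fields[3].split(",")]
            return [f"{path} missing mount option(s): {', '.join(missing)}"] if missing else []
    return [f"{path} is not a separate mount, so options cannot be enforced on it"]

# Simplified rule shape (assumption): "who host=(runas) [TAG:] cmd, cmd" on one line.
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")

def audit_sudoers(text, protected=("/etc/apt", "/etc/yum.repos.d")):
    """Flag rules granting ALL commands or naming a protected package-source path."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        for cmd in (TAGS.sub("", c.strip()) for c in m["cmds"].split(",")):
            if cmd == "ALL":
                findings.append(f"{m['who']}: unrestricted command list (ALL)")
            elif any(p in cmd for p in protected):
                findings.append(f"{m['who']}: rule touches package sources: {cmd}")
    return findings

if __name__ == "__main__":
    for finding in audit_mounts(SAMPLE_MOUNTS) + audit_sudoers(SAMPLE_SUDOERS):
        print("FINDING:", finding)
```

On a real host the inputs would come from `/proc/mounts` and the output of `sudo -l -U <user>` or the sudoers files themselves; the check only reports and changes nothing on the system.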