Ahmed Kamal wrote:
> Hi Penguin gurus,
> During my job, I will be installing Linux on public nodes "kiosks". The
> thing is, those nodes will have wifi network access, and will *not* have
> physical security around them (read: no guards). The problem is: People
> might try to get the info stored on the disks, either through network
> access, physical access, or through stealing the disks.
> Target: I want to make it as hard as possible for those people. I totally
> understand that without physical security, there's no way it can be really
> "secure". I just wanna make it real difficult.
Don't put anything secret on the disks. Better, don't put disks in the
computers.
You can network boot and mount everything via NFS.
>
> Protecting console:
> - I will turn off all login ttys and turn off X
> - Will password protect grub
No disk, no grub.
>
> Protecting Wifi:
> - Will turn off ssh, and firewall all ports that are not providing end user
> services (I will mostly just leave apache open)
ssh hasn't anything to do with wireless.
>
>
> Protecting stolen disks:
> Here comes the part where I have no clue! I don't really want this to be
> (steal disk, mount disk, copy data!!). I wanna make it difficult, but I have
> no idea how. Here are some ideas I'm toying with
> - Encrypt disks with some "auto-decrypting" scheme, so the machine can boot
> without entering a password?
> - Use some non-standard filesystem? (Don't like it, the system needs to be
> reliable)
> - Use some weird non-standard partitioning tools? (Also don't like it)
> - Use some non standard grub chain-loader that will decrypt Linux disks and
> boot them ?
>
> I'm a bit lost, did anyone face this dilemma before ? Any experiences to
> share ?
> Again, please don't tell me there's no way to get real security, if I don't
> have physical security. I totally understand this. I just don't wanna make
> this as easy as steal/mount!
I don't understand why you'd put anything confidential in a computer
intended for public access. Can you enlarge?
What's the public going to be doing with these systems?
--
Cheers
John
-- spambait
1aaaaaaa@(protected)
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
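
The exposure plan discussed in this thread (no ssh, only Apache reachable) can be checked on a built kiosk by auditing its listening sockets. The script below is an added example and not part of the original messages; it parses `netstat -tln` style output, and the allowlist of ports 80 and 443 and the sample output are constructed assumptions.

```python
import ipaddress

# Assumption: Apache on HTTP/HTTPS is the only service the kiosk should expose.
ALLOWED_PORTS = {80, 443}

# Constructed sample of `netstat -tln` output from a kiosk before hardening.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
"""


def parse_listeners(text):
    """Return (host, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue  # skip headers and non-listening sockets
        # rpartition handles IPv6 forms such as ":::80" (host "::", port "80")
        host, _, port = fields[3].rpartition(":")
        listeners.append((host, int(port)))
    return listeners


def is_loopback(host):
    """True when the socket is bound to a loopback address only."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # unparseable bind address: treat as reachable


def unexpected_listeners(text, allowed=ALLOWED_PORTS):
    """Network-reachable listeners on ports outside the allowlist, sorted by port."""
    found = {(h, p) for h, p in parse_listeners(text)
             if p not in allowed and not is_loopback(h)}
    return sorted(found, key=lambda hp: hp[1])


if __name__ == "__main__":
    for host, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {host} port {port}")
```

On a diskless, NFS-mounted kiosk, RPC-related listeners such as port 111 are expected to show up in this report and need a firewall rule restricting them to the boot server's network.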