> Hi Penguin gurus,
> During my job, I will be installing Linux on public nodes "kiosks". The
> thing is, those nodes will have wifi network access, and will *not* have
> physical security around them (read: no guards). The problem is: People
> might try to get the info stored on the disks, either through network
> access, physical access, or through stealing the disks.
> Target: I want to make it as hard as possible for those people. I totally
> understand that without physical security, there's no way it can be really
> "secure". I just wanna make it real difficult

Disable USB. That way, they cannot boot from disks they bring in. Also,
turn off booting from any device other than the one you use in the BIOS,
and then password protect the BIOS.

>
> Protecting console:
> - I will turn off all login ttys and turn off X
> - Will password protect grub
>
> Protecting Wifi:
> - Will turn off ssh, and firewall all ports that are not providing end user
>   services (I will mostly just leave apache open)
>
>
> Protecting stolen disks:
> Here comes the part where I have no clue! I don't really want this to be
> (steal disk, mount disk, copy data!!). I wanna make it difficult, but I have
> no idea how. Here are some ideas I'm toying with
> - Encrypt disks with some "auto-decrypting" scheme, so the machine can boot
>   without entering a password?
> - Use some non standard filesystem? (Don't like it, the system needs to be
>   reliable)
> - Use some weird non standard partitioning tools? (Also don't like it)
> - Use some non standard grub chain-loader that will decrypt Linux disks and
>   boot them?
>
> I'm a bit lost, did anyone face this dilemma before ? Any experiences to
> share ?
> Again, please don't tell me there's no way to get real security, if I don't
> have physical security. I totally understand this. I just don't wanna make
> this as easy as steal/mount!
>
> Best Regards
> _______________________________________________
> rhelv5-list mailing list
> rhelv5-list@(protected)
> https://www.redhat.com/mailman/listinfo/rhelv5-list
>
--
Bill Tangren
U.S. Naval Observatory
Auribus tenere lupum
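
The OS-side settings listed in this thread (GRUB password, login ttys and X, ssh, firewall, USB storage) can be checked from files, so here is an added example, not written by either poster, that audits a root tree for them. It assumes RHEL 5 default file locations and that "just apache" means TCP ports 80 and 443; BIOS boot order and the BIOS password cannot be checked this way.

```shell
#!/bin/sh
# Added example (not from the thread): audit a RHEL 5 style root tree for the
# OS-side kiosk settings discussed above. Paths are the RHEL 5 defaults;
# allowing only ports 80/443 is an assumption for "just leave apache open".

report() {  # report STATUS DESCRIPTION: print one line and count failures
    if [ "$1" -eq 0 ]; then echo "PASS  $2"; else echo "FAIL  $2"; FAILS=$((FAILS + 1)); fi
}

audit_kiosk() {  # audit_kiosk [ROOT]; returns 0 only if every check passes
    root=${1:-/}; FAILS=0
    inittab="$root/etc/inittab"; ipt="$root/etc/sysconfig/iptables"
    usb='^[[:space:]]*(install[[:space:]]+usb-storage[[:space:]]+/bin/true|blacklist[[:space:]]+usb-storage)'

    # GRUB legacy: a global "password" line must come before the first "title";
    # a password placed inside a title stanza only locks that one entry.
    awk '/^[ \t]*title/ {exit} /^[ \t]*password[ \t]/ {ok=1; exit} END {exit (ok ? 0 : 1)}' \
        "$root/boot/grub/grub.conf" 2>/dev/null && rc=0 || rc=1
    report $rc "grub.conf has a global password"

    # No uncommented getty is respawned on a console.
    [ -f "$inittab" ] && ! grep -Eq '^[^#]*:respawn:.*getty' "$inittab" && rc=0 || rc=1
    report $rc "no login getty in inittab"

    # Runlevel 5 starts X on RHEL; 2-4 do not.
    grep -Eqs '^id:[234]:initdefault:' "$inittab" && rc=0 || rc=1
    report $rc "default runlevel does not start X"

    # usb-storage is kept from loading automatically.
    grep -Eqs "$usb" "$root/etc/modprobe.conf" "$root"/etc/modprobe.d/* && rc=0 || rc=1
    report $rc "usb-storage module disabled"

    # sshd has no start link in any multi-user runlevel.
    ! ls "$root"/etc/rc.d/rc[2345].d/S??sshd >/dev/null 2>&1 && rc=0 || rc=1
    report $rc "sshd not started at boot"

    # Any ACCEPT rule that names a --dport may only name 80 or 443.
    # (Rules that accept without a --dport are not evaluated here.)
    [ -f "$ipt" ] && ! grep -E -- '-j ACCEPT' "$ipt" | grep -Ev -- '--dport (80|443)( |$)' \
        | grep -q -- '--dport' && rc=0 || rc=1
    report $rc "iptables accepts only ports 80/443"

    [ "$FAILS" -eq 0 ]
}

# Run against the live system with:  audit_kiosk /
```

Run it as root against `/`, or point it at a mounted image of the kiosk disk before deployment.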