I run a small business and would like to use Linux for its free nature. Is there a way to lock down Linux using software, or a whole distro, that would prevent people from doing pretty much anything other than opening a web browser, similar to Windows or ChromeOS? I would use ChromeOS had it not been made by Google, as I am not super keen on using something made by big tech.

Edit: This would be for employees and is exclusively about endpoint security, not enforcing staying on task.

  • nicman24@kbin.social · 2 upvotes · 1 year ago

    You will need to configure Secure Boot with your own keys and an EFI stub, and create a user with no sudo.

    After that any SELinux or AppArmor distro will do.

    What you are concerned about here is physical security, so you will need to lock the BIOS, cut off the CMOS reset pins and probably solder the 3.3 V battery.
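The checks the comment above describes (Secure Boot enforcing, no escalation path for the user account, a MAC system loaded) as a read-only audit script. This is an added example, not code from the thread; the efivar path, the sysfs paths and the sudo/wheel/admin group names are assumptions to adjust for your distro. Every check takes the file it reads as an argument, so it can be run against the live host or against constructed fixtures.

```shell
#!/bin/sh
# Added endpoint baseline check (not from the thread). Paths and group names
# below are assumptions; pass the real files on your distro.

# Accounts that can escalate: members of sudo/wheel/admin plus every UID-0 entry.
# $1 = /etc/group  $2 = /etc/passwd  ->  space-separated, sorted, deduplicated list
escalation_accounts() {
  {
    awk -F: '$1 == "sudo" || $1 == "wheel" || $1 == "admin" {
               n = split($4, m, ",")
               for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
             }' "$1"
    awk -F: '$3 == 0 { print $1 }' "$2"
  } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Secure Boot state. The SecureBoot EFI variable is 4 attribute bytes followed
# by one data byte: 1 = enforcing, 0 = off. A missing or unreadable file means
# legacy BIOS boot or efivarfs not mounted, reported as "unknown".
# $1 = efivar file, normally
#      /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
secure_boot_state() {
  [ -r "$1" ] || { echo unknown; return 0; }
  case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# AppArmor state from the kernel module parameter (Y/N).
# $1 = /sys/module/apparmor/parameters/enabled
apparmor_state() {
  [ -r "$1" ] || { echo absent; return 0; }
  case "$(tr -d '[:space:]' < "$1")" in
    Y) echo enabled ;;
    N) echo disabled ;;
    *) echo unknown ;;
  esac
}

# SELinux state: /sys/fs/selinux/enforce holds 1 (enforcing) or 0 (permissive);
# the file is absent when SELinux is not loaded.
# $1 = /sys/fs/selinux/enforce
selinux_state() {
  [ -r "$1" ] || { echo absent; return 0; }
  case "$(tr -d '[:space:]' < "$1")" in
    1) echo enforcing ;;
    0) echo permissive ;;
    *) echo unknown ;;
  esac
}

# Live run against this host: AUDIT_LIVE=1 sh endpoint-check.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
  echo "escalation accounts: $(escalation_accounts /etc/group /etc/passwd)"
  echo "secure boot:         $(secure_boot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)"
  echo "apparmor:            $(apparmor_state /sys/module/apparmor/parameters/enabled)"
  echo "selinux:             $(selinux_state /sys/fs/selinux/enforce)"
fi
```

An "enabled" Secure Boot result only tells you the firmware enforces signatures; it says nothing about whose keys are enrolled, so pair it with a look at the db/dbx variables (or `mokutil --sb-state` and `mokutil --db` where available) to confirm the vendor keys were replaced with your own.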

  • user_disagreement@kbin.social · 1 upvote · 1 year ago

    I think avoiding ChromeOS is wise; that just puts Google in charge of your IT systems and leaves you at the mercy of their data-harvesting abomination of Linux loaded with proprietary software.

  • blackstrat@lemmy.fwgx.uk · 1 upvote · 1 year ago

    I’ve found the gold standard to be the NCSC Guidelines. This covers everything around proper deployment of end user devices in an organization. https://www.ncsc.gov.uk/collection/device-security-guidance

    They have clamp-down configurations for Windows and Ubuntu, plus others. This is the Ubuntu page, but there’ll be lots of crossover to other distros: https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/ubuntu-lts

    Their security configuration packs are hosted on GitHub so you can vet them first if you want https://github.com/ukncsc/Device-Security-Guidance-Configuration-Packs

  • l3mming@lemmy.fmhy.ml · 0 upvotes · edited · 1 year ago

    Would this locked-down distro be used by customers or by employees? If it is being used by employees, there is no faster way to be hated than putting unnecessary restrictions on their logins. You don’t want that kind of workplace.

    I simply do this:

    1. Make sure they don’t get sudo/root privileges.

    2. Remote mount their home directories (NFS).

    3. Don’t add any restrictions beyond that. It is a waste of time and money.

    4. Control the rest through company policy, usually clauses under the ‘Misuse of company network’ section.

    5. Who cares if employees are browsing TikTok or whatever if they’ve done all their work? That’s a work-allocation issue. If they haven’t done all their work then that’s already a solved problem. Either motivate them or performance manage them slowly towards the door.

    6. Who cares if they want to install xyz software [in their home directory]? Chances are it’ll be a free boost for performance and/or morale.

    • dango@fedia.io · 1 upvote · 1 year ago

      Who cares if they want to install xyz software [in their home directory]? Chances are it’ll be a free boost for performance and/or morale.

      This /really/ depends on your threat model. “xyz software in their home directory” could easily be “exfil tool that uploads all data employee X has access to, disguised as a meme template generator”.
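The two positions above (let people install into their home directory; but an installed "meme generator" may be an uploader) are compatible if execution from /home is at least visible. The following is an added example, not code from either commenter: an assumed auditd rule that tags every execve of a file under /home, and a small parser that turns the resulting audit.log records into a per-user report of what ran, filtered against an allowlist. The rule syntax, the key name `home_exec` and the allowlist path are assumptions; the sample log lines in the test are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): make execution from $HOME visible.
# Assumed auditd rule (check the syntax against your auditctl man page before
# loading it); it tags every execve of a file under /home with key home_exec:
#
#   -a always,exit -F arch=b64 -S execve -F dir=/home -F key=home_exec
#
# The functions below read audit.log SYSCALL records carrying that key and
# report which login user ran what. Log lines used in testing are constructed.

# One "auid exe" line per matching record.
# auid (the login uid) is used rather than uid so a process that changed user
# is still attributed to the person who logged in.
# Caveat: for a script run via its interpreter, exe= names the interpreter
# (e.g. /usr/bin/python3); the script path is in the matching EXECVE/PATH
# records of the same event, which this parser does not join.
# $1 = audit log
home_executions() {
  grep 'key="home_exec"' "$1" | awk '{
    uid = ""; exe = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^auid=/) { uid = substr($i, 6) }
      if ($i ~ /^exe=/)  { exe = $i; sub(/^exe="/, "", exe); sub(/"$/, "", exe) }
    }
    if (uid != "" && exe != "") print uid, exe
  }'
}

# "auid exe count" for each executable not in the allowlist ($2, one absolute
# path per line). Paths are compared whole, not as substrings, so an allowlisted
# /home/bob/tool does not also cover /home/bob/tool-evil.
# $1 = audit log  $2 = allowlist file (may be missing or empty)
unlisted_home_executions() {
  home_executions "$1" | sort | uniq -c | awk -v allow="$2" '
    BEGIN { while ((getline line < allow) > 0) if (line != "") ok[line] = 1 }
    !($3 in ok) { print $2, $3, $1 }'
}

# Daily use (paths are assumptions):
#   AUDIT_LOG=/var/log/audit/audit.log ALLOWLIST=/etc/home-exec-allow sh home-exec-report.sh
if [ "${AUDIT_LOG:-}" != "" ]; then
  unlisted_home_executions "$AUDIT_LOG" "${ALLOWLIST:-/dev/null}"
fi
```

The allowlist is where the "company policy" clause becomes something checkable: anything a user runs from their home directory that is not on it appears in the report with a count. If that visibility is not enough for your threat model, the alternative is mounting the NFS home directories with `noexec` (and `nosuid,nodev`), which removes the option of installing software in the home directory altogether.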