Securing laptops for employees
I have a situation that I would think many sys admins have encountered before and so I seek the expertise of you, the kali community, and any suggestions you may have.
I have laptops that my employees will be issued in order to do their jobs. Kali was the obvious choice because of its security and that it is Debian (one of, if not THE most documented OS's on earth). I have been using Kali for YEARS since the backtrack days, but never had the issue I do now of having to restrict the OS (because i was the only guy using it).
I need the following things:
Users cannot change wallpaper
Users dont get sudo (obvious)
Users cannot change or create the config of certain things (like the window manager) but still need to write to the config directory (for like firefox and various other programs)
Whole disk encryption is not going to be implemented (all users having the same password to each laptop defeats the point) but the home directories of each user must be encrypted (like ubuntu)
Users cannot change the window manager or customize the system (make it look pretty) in any way.
Users cannot suspend or hibernate the system, its either on or off
What i've thought of so far:
Use openbox as wm and set feh in the autostart script of the openbox config that is NOT in the home directory (/etc/something)
Remove all other window managers besides openbox
Problem I have is:
how do I get openbox to ignore a user config if they make one.
how to lock down the config of certain programs but not others
how to implement ubuntu's transparent home directory encryption without the user having to do anything but login
remove the ability to suspend and hibernate
Thank you for your time
For me, it really depends on what the employees will be doing. Based on your requirements, I'd say Kali would not be the best choice. Rather something like Ubuntu, or Mint.
As grid say, if the user didn't do pentest(then they will need more right that what you're talking about) you shouldn't install kali since it isn't a day to day os. If you want pure debian, go with debian, or for more user friendly go with ubuntu(or any other flavor). Then you could request help about the feature you want to got in the correct distro support forum.
Originally Posted by grid