09-07-2014
Many thanks for your answer, unSpawn, I really appreciate your time and interest.
TPM could be a great solution, but it means adding more hardware since it's not included on motherboard, so it's discard (I need a method that doesn't require special hardware)
The user must be able to use the computer, add new drives or even format hard drive using a tool in a usb drive if he needs. It's even desirable (althought not 100% needed) that user can make a backup of the system disk via cloning, and restoring it when needed. BUT I don't want the user to clone disk and use the operative system and all configurations and programs in a different machine, since it's intended to be used only on this computer (I hope that my explanation is ok, hehe)
I know that there is no infallible method for this, but I'm also sure there is some way. It's better having a security method that can be skipped to have no security method at all. If I add some kind of protection, at least the user will have to make some research.
I've been reading something about hostid, and if I can tie the operative system to something depending on hardware, it is an important "first step" (but you say it's easy to break)
Full disk encryption seems the best way, but, how can I do it?
Must be kept in mind that I can't make a complete reinstall of the system to do it. I mean... I have now my "master" cloning image that y deploy on all the machines, so I need someway to prevent to clone again the install once deployed on every target machine. It's no problem if I have to use some time on everyone of those target machines, but installing operative system and configuring and installing everything in everyone of them is not an option.
Many thanks again, I hope someone can lend me a hand.
Regards
9 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
we have an hp-ux and a user requested me if i can password protect the dtterm. i know that this is possible but can you give me some hints in making this happen?
thanks :cool: (2 Replies)
Discussion started by: inquirer
2 Replies
2. UNIX for Dummies Questions & Answers
I have created a PHP page that I use to clean files on my machine. I would like to leave the file there but I want to password protect it so that I am the only one that can run it from the shell. Does anyone know how to do this? Thanks.
-Cam (2 Replies)
Discussion started by: perryl7
2 Replies
3. UNIX for Advanced & Expert Users
We recently had an accidental delete from /. I hold the root password but others are allowed to sudo over to root to perform admin tasks. The only way I want to permit deletion from / is by physically being root (su -).
I'd like to add a line to the sudoers file which would permit all commands... (1 Reply)
Discussion started by: scottsl
1 Replies
4. AIX
Hi everyone,
I want to clone a AIX 5.2 system from a machine to another one.
So i modified bosinst.data and image.data files (according to future platform) before making mksysb on old platform.
After booting on CD and restoring system using mksysb tape, the installation is launched but ever... (2 Replies)
Discussion started by: fgaulois
2 Replies
5. UNIX for Dummies Questions & Answers
I am new to UNIX and need help in cloning a HPUX 10.2 Ace 5, can anybody please guide me in making a full system backup.
Real Chess (0 Replies)
Discussion started by: real-chess
0 Replies
6. UNIX for Advanced & Expert Users
I have several Solaris 8,9 and 10 servers.
I need to refresh them and avoid doing any OS upgrades. I may have to apply patches when I am done due to the new hardware.
My current servers have internal disk and my new target servers (same processor types) will have only SAN storage. Once the... (0 Replies)
Discussion started by: zzqv9p
0 Replies
7. UNIX for Advanced & Expert Users
how to protect my process from others to kill??
Double post, continued here, thread closed (0 Replies)
Discussion started by: samrintu
0 Replies
8. AIX
Hello All,
I am trying to clone an entire AIX virtual machine to a new virtual machine including all partitions and OS.Can anyone help me on the procedure to follow? I am not really sure on how it can be done.Thanks in advance.
Please use CODE tags for sample input, sample output, and for code... (4 Replies)
Discussion started by: gull05
4 Replies
9. Solaris
Hi all,
I am trying to use archiveadm to backup/clone an existing Solaris11.4 system.
However, i failed at media creation with the error -> "Media can only be created from archives containing root-only data"
root@xxx:/mnt/opt/software# zpool list
NAME SIZE ALLOC FREE CAP DEDUP ... (6 Replies)
Discussion started by: javanoob
6 Replies
LEARN ABOUT DEBIAN
opieaccess
OPIEACCESS(5) File Formats Manual OPIEACCESS(5)
NAME
[/etc/]opieaccess - OPIE database of trusted networks
DESCRIPTION
The opieaccess file contains a list of networks that are considered trusted by the system as far as security against passive attacks is
concerned. Users from networks so trusted will be able to log in using OPIE responses, but not be required to do so, while users from net-
works that are not trusted will always be required to use OPIE responses (the default behavior). This trust allows a site to have a more
gentle migration to OPIE by allowing it to be non-mandatory for "inside" networks while allowing users to choose whether they with to use
OPIE to protect their passwords or not.
The entire notion of trust implemented in the opieaccess file is a major security hole because it opens your system back up to the same
passive attacks that the OPIE system is designed to protect you against. The opieaccess support in this version of OPIE exists solely
because we believe that it is better to have it so that users who don't want their accounts broken into can use OPIE than to have them pre-
vented from doing so by users who don't want to use OPIE. In any environment, it should be considered a transition tool and not a permanent
fixture. When it is not being used as a transition tool, a version of OPIE that has been built without support for the opieaccess file
should be built to prevent the possibility of an attacker using this file as a means to circumvent the OPIE software.
The opieaccess file consists of lines containing three fields separated by spaces (tabs are properly interpreted, but spaces should be used
instead) as follows:
Field Description
action "permit" or "deny" non-OPIE logins
address Address of the network to match
mask Mask of the network to match
Subnets can be controlled by using the appropriate address and mask. Individual hosts can be controlled by using the appropriate address
and a mask of 255.255.255.255. If no rules are matched, the default is to deny non-OPIE logins.
SEE ALSO
opie(4), opiekeys(5), opiepasswd(1), opieinfo(1), opiesu(1), opielogin(1), opieftpd(8)
AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan
McDonald, and Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join, send an email request to:
skey-users-request@thumper.bellcore.com
7th Edition January 10, 1995 OPIEACCESS(5)