From Fedora Project Wiki


Revision as of 04:31, 5 May 2010

Fedora Kiosk

Summary

The Fedora Kiosk spin is a secure kiosk live operating system that allows users to log in to a system and access the internet in a secure manner.

Owner(s)

  • Name: Daniel Walsh <dwalsh>
  • email: dwalsh@redhat.com

Detailed Description

The Fedora Kiosk is a Fedora-based live operating system that takes advantage of SELinux and namespacing to set up a secure kiosk environment.

When you use a kiosk system you need to worry about the person who used the kiosk before you and the person who uses it after you. The person who used it before you could have left a process running on the system that watches your keystrokes. The person who uses the kiosk after you can search through your home directory for data stored by Firefox, including history, potentially credit card data, VPN access codes, etc.

The Fedora kiosk uses the xguest package, which sets up a limited-privilege SELinux xguest user. This user is allowed to log in to the box without a password if and only if SELinux is enabled and enforcing, and there are no processes already running with the same UID. The user account is locked down so it cannot execute any setuid/setgid applications. The only network ports it can connect to are web ports. It cannot execute any content in its home directory. The home directory and /tmp directory are created when the user logs in and destroyed when the user logs out. If the account attempts to leave a process around after logout, the system will attempt to kill the process, and no other kiosk users will be allowed to log in until all processes with this UID are killed.

The root account is disabled.

It is also a live operating system, so rebooting the kiosk will reset it to a known good state.

Benefit to Fedora

Fedora's adoption of SELinux makes it an ideal platform for building a kiosk; its support for pam_namespace, SELinux and xguest makes it ideally suited to this type of environment.

Kickstart File

http://people.fedoraproject.org/~dwalsh/SELinux/kiosk/kiosk.ks

ISO Name / FS Label

Fedora-13-x86_64-kiosk

http://people.fedoraproject.org/~dwalsh/SELinux/kiosk/kiosk.iso

Dependencies

Scope / Testing

Additional security checks and usability testing need to be done. As people come up with ideas of how they can break the security model of the kiosk, we need to react.

We also need to make sure there is enough functionality to use the kiosk in, say, a library setting. Closed-source applications such as flashplugin might be needed.

Spins Page

Slogan

Secure kiosks: no longer an oxymoron.

Spin description

The goal of the Fedora Kiosk Spin is to create an operating system that can only be used as a kiosk. It is intended for use in public locations such as libraries, schools, and event venues.

Imagine a machine sitting at a library (for example) running a live DVD with a single guest user account; the root (administrative) account has been disabled. This kiosk can only talk to web ports, and when you log out all files and processes get destroyed so there is nothing left in the user account for the next user to search for. Since all processes are destroyed on logout, you can rest assured no one left a process to watch your keystrokes. Starting from scratch with a clean system is as easy as a reboot.

With the Fedora Kiosk Spin, your terminal can be as secure as you want it to be. Learn more.

About

How it works:

The Fedora Kiosk Spin relies on SELinux (Security-Enhanced Linux) for its combination of functionality and security. It features the xguest package, which creates a user of type xguest_t, a special user type designed specifically with kiosk usage in mind.

Also created for the Fedora Kiosk Spin is a PAM (Pluggable Authentication Module) called pam_sepermit, which allows certain users (xguest) to log in without a password if SELinux is on in enforcing mode. The spin uses pam_namespace to set up temporary home and /tmp directories.

The system is easily extended by building a live image where iptables forces all network traffic to go to a single host or network, so that you can lock down your kiosk to only work on said network.
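The three mechanisms described above (pam_sepermit for passwordless xguest login under enforcing SELinux, pam_namespace for throw-away home and /tmp directories as in the Detailed Description, and an iptables policy pinned to one network) can be staged for review before they go into a live image build. The script below is an added example, not the page's kiosk.ks or the xguest package's own configuration; the sepermit.conf and namespace.conf lines follow the formats of sepermit.conf(5) and namespace.conf(5) as I understand them, and the staging directory and the 192.0.2.0/24 network are constructed placeholders.

```shell
#!/bin/sh
# Added example: stage kiosk config fragments into a directory for inspection
# (assumption: you copy them onto the live image build tree afterwards).
set -eu

STAGE="${STAGE:-${TMPDIR:-/tmp}/kiosk-stage}"   # staging root (assumption)
KIOSK_NET="${KIOSK_NET:-192.0.2.0/24}"          # constructed placeholder network

# pam_sepermit: xguest may log in without a password only while SELinux is
# enforcing; "exclusive" = one session at a time, processes killed on logout.
write_sepermit() {
    mkdir -p "$1/etc/security"
    printf '%s\n' 'xguest:exclusive' > "$1/etc/security/sepermit.conf"
}

# pam_namespace: private tmpfs on /tmp, /var/tmp and $HOME, applied only to
# xguest (a leading ~ turns the user list into an allow-list); gone at logout.
write_namespace() {
    mkdir -p "$1/etc/security"
    cat > "$1/etc/security/namespace.conf" <<'EOF'
# polydir   instance_prefix method  users
/tmp        tmpfs           tmpfs   ~xguest
/var/tmp    tmpfs           tmpfs   ~xguest
$HOME       tmpfs           tmpfs   ~xguest
EOF
}

# iptables-restore policy (Fedora reads /etc/sysconfig/iptables at boot):
# drop everything except loopback, replies, and HTTP/HTTPS to one network.
write_firewall() {
    mkdir -p "$1/etc/sysconfig"
    cat > "$1/etc/sysconfig/iptables" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $2 -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

stage_kiosk() {   # $1 = staging root, $2 = allowed network; 0 when all staged
    write_sepermit "$1"; write_namespace "$1"; write_firewall "$1" "$2"
    [ -s "$1/etc/security/sepermit.conf" ] && [ -s "$1/etc/security/namespace.conf" ] \
        && grep -q "^-A OUTPUT -d $2 " "$1/etc/sysconfig/iptables"
}

stage_kiosk "$STAGE" "$KIOSK_NET" && echo "staged under $STAGE"
```

Note that no DNS rule is included, so name resolution only works if the resolver lives inside the allowed network; add a UDP/TCP 53 rule for your resolver if it does not.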

Screenshot

Download tab

Support tab

Custom branding

Comments and Discussion