597 points doener | 1 comments
mapontosevenths ◴[] No.46181864[source]
It's been a very long time since I was a sysadmin, but I'm curious what managing a fleet of Linux desktops is like today. Has it vastly improved?

When I last tried in a small pilot program, it was incredibly primitive. Linux desktops were janky and manual compared to Active Directory and group policy, and an alternative to Intune/AAD didn't even seem to exist. Heck, even things like WSUS and WDS didn't seem to have an open version, or only had versions that required expensive expert-level SMEs to perform constant fiddling. Meanwhile the Windows tools could be managed by 20-year-old admins with basic certifications.

Also, GRC and security seemed to be impossible back then. There was an utter lack of decent DLP tools, proper legal hold was difficult, EDR/AV solutions were primitive and the options were limited, etc.

Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.

replies(5): >>46181979 #>>46182272 #>>46182348 #>>46183765 #>>46186223 #
1718627440 ◴[] No.46182348[source]
I think this comes primarily from trying to add a separate management tool on top, instead of leveraging the OS structure itself. There is a reason why most directories are specified to be read-only. Also, writable XOR persistent is mostly true. The only things required to be writable are /tmp, /var and /home. /tmp is wiped at least on every boot or is even just a ramdisk. /var can be cached or reset to the predefined settings on boot. /home needs to be managed, that is true. But you wouldn't want every user's directory on every host anyway; instead you want to populate them on login. That is typically done by libpam.

/usr is expected to be shared among hosts, host-specific stuff goes into /usr/local for a reason, and as a sysadmin you can decide to simply not have host specific software.

EDR/AV is basically unnecessary when you only mount things either writable or executable. And you don't want the users to start random software or mount random USB sticks anyway.

> Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.

Unix has over 50 years of history of being primarily managed by sysadmins instead of home users. While Linux is not Unix, it has inherited a lot. The whole system is basically designed to run a bunch of admin configured software and is actually less suitable for home users. I would say the primary problem was accessing it with a Windows mindset.

replies(4): >>46182491 #>>46182560 #>>46184305 #>>46184825 #
msm_ ◴[] No.46184825[source]
> EDR/AV is basically unnecessary, when you only mount things either writable or executable

Sounds good, except:

* scripting languages exist. The situation is even worse on Linux than on Windows (because of the sysadmin focus). You need at least /bin/sh installed and runnable on any POSIX system. In practice bash, python, perl and many more are also always available.

* exploits exist. Just opening a pdf file may execute arbitrary code on a machine. There is no way to avoid that by just configuring your system. And it will happen sooner or later, especially if nation states are involved.

The idea that your systems are somehow unhackable because you... mount everything W^X is... not based in reality. Of course it's a great idea, but in practice you need defense in depth, and you need to have a way to Detect and Respond to inevitable Endpoint breaches. I don't love EDR/AVs, but they mitigate real attacks happening in the real world.
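The audit below is added example code, not anything posted in the thread. It checks a mount layout like the one 1718627440 describes against a writable-XOR-executable rule by parsing a constructed /proc/mounts sample, and it also lists which interpreters are reachable on PATH, since msm_'s objection is that noexec does not stop an interpreter from running a script it merely reads from a writable mount. The sample mount lines and the interpreter list are assumptions for illustration.

```python
"""Mount-policy audit: flag mounts that are both writable and executable,
and list interpreters that would still run code read from a noexec mount."""
import os
from typing import Callable, Dict, List

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# /proc escapes a space in a path as \040 (see the USB stick line).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 ro,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
/dev/sda4 /usr/local ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /var ext4 rw,relatime,noexec,nosuid 0 0
nfs.example:/home /home nfs4 rw,relatime,noexec,nosuid 0 0
/dev/sdc1 /media/usb\\040stick vfat rw,relatime 0 0
"""

# Assumed list of interpreters to look for; extend to taste.
INTERPRETERS = ("sh", "bash", "python3", "perl")


def parse_mounts(text: str) -> List[Dict[str, object]]:
    """Parse /proc/mounts lines into dicts with writable/executable flags."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = set(fields[3].split(","))
        entries.append({
            "mountpoint": fields[1].replace("\\040", " "),
            "fstype": fields[2],
            "writable": "rw" in opts,
            "executable": "noexec" not in opts,
        })
    return entries


def wx_violations(entries: List[Dict[str, object]]) -> List[str]:
    """Mountpoints that are writable AND executable, i.e. break the W^X rule."""
    return [str(e["mountpoint"]) for e in entries if e["writable"] and e["executable"]]


def interpreters_present(path_dirs: List[str],
                         exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Interpreters found on PATH; noexec on a mount does not stop them reading a script."""
    return [n for n in INTERPRETERS if any(exists(os.path.join(d, n)) for d in path_dirs)]


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    print("W^X violations:", wx_violations(mounts))
    print("interpreters on PATH:", interpreters_present(os.get_exec_path()))
```

A non-empty interpreter list means the mount audit alone proves nothing about code execution, which is the gap EDR is meant to cover.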