
May 6, 2013

Installing PGP Whole Disk Encryption on Linux Workstations


Note: This installation was tested on Ubuntu 10.04 64-bit with PGP WDE version 10.2.0, build 2233.

Installation
1. Open the terminal and issue the following command:
                - "chmod +x pgp_desktop_10.2.0.2233_linux_ub10.04_x86_64.bsx"
2. Open the terminal and issue the following command:
                - "sudo ./pgp_desktop_10.2.0.2233_linux_ub10.04_x86_64.bsx"
3. Press enter to read the license
4. Type "y" to agree to the terms of the license.
5. Reboot the workstation


Configuring Whole Disk Encryption
1. Make sure the username of the logged-in Linux user is exactly the same as the domain username.
2. Open a terminal
3. Issue the following command to configure PGP to point to your PGP Universal Server
            - sudo pgpconfigure "ovid=&mail=*&admin=1"
4. Reboot the workstation
5. Login as the user that needs to enroll and issue the following command.
           - pgpenroll --enroll (Note: Do not use sudo)
6. When prompted for a username, type your domain credentials
7. You should see output similar to the screen below.



8. Now reboot the workstation and you should be presented with the grey bootguard.
9. Type your password and hit enter.
10. Once you load the desktop open the terminal
11. To verify whole disk encryption is enabled, run the following command.
                "pgpwde --status"

12. The output should confirm that the disk is either encrypted or in the process of encrypting.





April 22, 2013

Modifying Login Screen Options on Ubuntu 12


Below are tips for modifying the login screen on Ubuntu.


Tip 1: Enable the "other" user option on login screen
1. Open /etc/lightdm/lightdm.conf
2. Add the following line to the file
     "greeter-show-manual-login=true"
3. Restart the lightdm service or reboot the machine
     "sudo service lightdm restart"


Tip 2: Hide all user accounts on login screen
1. Open /etc/lightdm/lightdm.conf
2. Add the following line to the file
     greeter-hide-users=true
3. Restart the lightdm service or reboot the machine
     "sudo service lightdm restart"

Tip 3: Disable Guest login
1. Open /etc/lightdm/lightdm.conf
2. Add the following line to the file
     allow-guest=false
3. Restart the lightdm service or reboot the machine
     "sudo service lightdm restart"


Tip 4: You can script changes to this config file by using the following command
     /usr/lib/lightdm/lightdm-set-defaults
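
The three settings from the tips only take effect when they sit in the right section of lightdm.conf. The script below is an added example, not part of the original post, that checks a lightdm.conf for all three; it assumes the keys are read from the [SeatDefaults] section, and the function name, status words and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the three login-screen settings from the tips above.
# Assumption: the keys are read from the [SeatDefaults] section.
lightdm_login_audit() {
    awk -F= '
        BEGIN {
            want["greeter-show-manual-login"] = "true"
            want["greeter-hide-users"] = "true"
            want["allow-guest"] = "false"
        }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim the line
        /^#/ || $0 == "" { next }                       # comments, blanks
        /^\[/ { section = $0; next }                    # section header
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (!(key in want)) next
            if (section == "[SeatDefaults]") got[key] = val   # last entry wins
            else stray[key] = section
        }
        END {
            n = split("greeter-show-manual-login greeter-hide-users allow-guest", order, " ")
            for (i = 1; i <= n; i++) {
                k = order[i]
                if ((k in got) && got[k] == want[k]) { print "OK " k "=" got[k]; continue }
                bad++
                if (k in got)        print "WRONG " k "=" got[k] " (want " want[k] ")"
                else if (k in stray) print "MISPLACED " k " is under " stray[k]
                else                 print "MISSING " k
            }
            exit (bad > 0)   # non-zero status when any setting is not in effect
        }
    ' "$1"
}

# Constructed sample lightdm.conf (not from a real host): allow-guest sits in
# the wrong section and manual login is not set.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[LightDM]
allow-guest=false
[SeatDefaults]
greeter-session=unity-greeter
greeter-hide-users=true
EOF
lightdm_login_audit "$sample" || echo "-> settings need attention"
rm -f "$sample"
```

Run it against the real file with `lightdm_login_audit /etc/lightdm/lightdm.conf`.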

January 28, 2013

Securing Linux Workstations from Data Leakage


If you have Linux workstations in your corporate environment, you should be addressing the issues regarding data leakage. Below are the steps I have taken to block writing to USB storage devices.


Disabling USB storage devices

Linux uses a module called "usb_storage" to mount external USB storage devices. If you are interested in stopping a user from mounting external USB storage, follow the steps below.


  1. Create a file called "usb_storage.conf" in the /etc/modprobe.d/ directory.
  2. Open the file, enter "blacklist usb_storage" (the module name, without the .conf extension), then save and close the file.
  3. Reboot the workstation
  4. Plug in a USB storage device and you should see that the device does not get auto mounted





Additional Tips

lsmod - shows which modules are currently loaded
modinfo - shows information about a module


modprobe -r usb_storage - Can be used to unload the usb_storage module
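
A blacklist line only stops usb_storage from being loaded automatically when a device is plugged in; an explicit "modprobe usb_storage" still loads it, whereas an "install usb_storage /bin/false" line makes modprobe run that command instead of loading the module. The script below is an added example, not part of the original post, that classifies a modprobe.d directory accordingly and flags an entry that names a file (usb_storage.conf) instead of the module; the function name, verdict names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a modprobe.d directory blocks usb_storage.
# Verdicts: install-override | blacklist-only | broken-entry | not-blocked
usb_storage_policy() {
    dir=${1:-/etc/modprobe.d}
    # No *.conf files at all: nothing blocks the module.
    ls "$dir"/*.conf >/dev/null 2>&1 || { echo not-blocked; return 0; }
    awk '
        { sub(/#.*/, "") }                     # strip comments
        NF < 2 { next }
        { mod = $2; gsub(/-/, "_", mod) }      # modprobe treats - and _ alike
        $1 == "blacklist" && mod == "usb_storage"    { bl = 1 }
        $1 == "blacklist" && mod ~ /^usb_storage\./  { broken = 1 }
        $1 == "install" && mod == "usb_storage" &&
            ($3 == "/bin/true" || $3 == "/bin/false") { inst = 1 }
        END {
            if (inst)        print "install-override"
            else if (bl)     print "blacklist-only"
            else if (broken) print "broken-entry"
            else             print "not-blocked"
        }
    ' "$dir"/*.conf
}

# Constructed sample configs (not taken from a real host).
demo=$(mktemp -d)
mkdir "$demo/typo" "$demo/blacklist" "$demo/install"
echo 'blacklist usb_storage.conf' > "$demo/typo/usb_storage.conf"
echo 'blacklist usb_storage'      > "$demo/blacklist/usb_storage.conf"
printf 'blacklist usb-storage\ninstall usb_storage /bin/false\n' \
    > "$demo/install/usb_storage.conf"
for d in typo blacklist install; do
    printf '%-10s %s\n' "$d" "$(usb_storage_policy "$demo/$d")"
done
rm -rf "$demo"
```

Called without an argument, usb_storage_policy inspects /etc/modprobe.d on the local workstation.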



September 10, 2012

PGP WDE Bootguard Password not synchronized with Active Directory Account

PGP Whole Disk Encryption does not support single sign-on functionality on Linux and Mac OS X workstations. For the user, this means that the first time you enroll in PGP it syncs with your current password. However, whenever you change your Active Directory password, your PGP bootguard password is not automatically refreshed. To refresh the bootguard password, follow the steps below.



1. Open the terminal
2. Run the following command.

pgpwde --change-passphrase --disk 0 --user username --domain 'domainname' --passphrase 'yourpassphrase' --new-passphrase 'yournewpassphrase' 

Reference:
http://www.symantec.com/business/support/index?page=content&id=TECH194688

June 8, 2012

Altiris NS Client on Ubuntu

Altiris Notification Server is a product that allows organizations to manage IT assets. An agent is installed on the device that allows an administrator to run reports and push software to assets. Officially, Altiris NS does not support Ubuntu workstations. Altiris seems to prefer the rpm-based Linux variants instead of the .deb platform. However, for the Altiris agent we can force an install and make it work with a little magic.

I tried these steps with Ubuntu 11.10 & 11.04 32 Bit editions. Currently Altiris NS only supports 32 Bit versions of Linux.

Procedure:
  1. First go to your Altiris NS server and browse to the c:\program files\Altiris\Notification Server\nscap\bin\UNIX\Agent\Linux\x86\ folder. 
  2. Copy the altiris ns client to your linux desktop (aex-nsclt.rpm) 
  3. On the Ubuntu client open a terminal 
  4. Enable the root account by typing "sudo passwd root" and set a password 
  5. Type su - 
  6. Now install a few prerequisite apps 
  7. Type "apt-get install rpm2cpio" 
  8. Type "apt-get install alien -y" 
  9. copy the Altiris Client to the /root/nsclient/ directory 
  10. Type "cd /root/nsclient/" 
  11. Type the following command "rpm2cpio aex-nsclt.rpm | cpio -vid" to extract the files to that folder. 
  12. Move /root/nsclient/opt/Altiris/ to /opt/Altiris/ 
  13. Type "alien -i aex-nsclt.rpm --scripts" to perform the install 
  14. cd /opt/altiris/notification/nsagent/bin/ 
  15. Type "./aex-configure -iconfigure" to configure the Altiris NS Client 
  16. When it asks you for the server name, enter the URL. "http://servername/" 
  17. Complete the rest of the questions based on the settings in your environment. 
  18. Type mkdir /etc/rc.d 
  19. Type mkdir /etc/rc.d/init.d 
  20. Type ln -s /lib/lsb/init-functions /etc/rc.d/init.d/functions 
  21. Type ln -s /etc/init.d/altiris /etc/rc2.d/S99altiris 
  22. Type ln -s /etc/init.d/altiris /etc/rc3.d/S99altiris 
  23. Type ln -s /etc/init.d/altiris /etc/rc5.d/S99altiris 
  24. Type "/etc/init.d/altiris start" to start the agent 
  25. Type "ps -ef | grep aex" to verify the agent is in the list of running processes 
  26. Type "./aex-sendbasicinv" to send an inventory report to the NS server 
  27. Login to the NS Server and verify that the workstation is showing up correctly.

Because the Altiris NS Client is not made for Ubuntu there may be some features that are not available, but basic inventory functionality should be available.