[ale] Virtual machine questions for public use machines

Michael Trausch mike at trausch.us
Sun Jan 25 19:54:59 EST 2015


Maybe this is too simple, but why not just make a base image? HDDs run a stage two bootloader to rsync the system to pristine state, which it then boots. Happens every 24 hours or every 7 days or whatever. Not every reboot of course because then you have to worry about a necessary reboot taking a long time.

> On Jan 24, 2015, at 6:09 PM, Alex Carver <agcarver+ale at acarver.net> wrote:
> 
> Thanks but that's going a bit far for surfing. ;)
> 
> These machines are in a cleanroom.  Lab users could bring their own
> laptops if they're willing to spend about half an hour physically
> scrubbing them to remove dirt and skin oils.  Most don't want to do that
> so that's why there are general purpose (already physically cleaned)
> machines inside.  This VM idea is just a way of keeping pristine machine
> software (the nightly dump and rinse) while having something behind them
> (the host OS/firewall plus an external firewall) keep everything under
> control.  The machines themselves are just repurposed cast-offs from
> other uses.  Plenty of functionality but they weren't needed for their
> original tasks any longer.
> 
> We did have one of them get hit with a virus recently due to a
> contaminated USB stick.  Anti-virus missed it at first but traffic
> monitors noticed it later.  Having the ability to just flush the VM and
> start over with a fresh copy would just make things easier.
> 
> There's no need for smart-card or other central login because none of
> these machines will be permitted to talk to any work host (they wouldn't
> be able to reach the login server ;) ).  External Internet destinations
> (e.g. Google) and that's it.
> 
>> On 2015-01-24 14:47, Justin W Elam wrote:
>> Yes this is possible.
>> 
>> I would advise to use an extender for the smartcard, monitor, sound, mouse
>> and keyboard so that the terminal CPUs can be put in a secure, locked and
>> CCTV monitored location. Some were able to integrate this into the monitor
>> case.
>> 
>> Sun used to have the Sun Ray system which was a possible solution but
>> Oracle's price is now too high in my opinion.
>> 
>> Have each terminal CPU be encrypted.
>> 
>> Manage security via smart card or federated SSO LDAP username and password,
>> one signon to logon to terminal, domain, and network servers.
>> 
>> Script terminal to access a new VM session for each logon and at 0600 local
>> reboot the terminal.
>> 
>> Then save the logins for user public123
>> 
>> Configure VM only for OpenOffice and browser.
>> 
>> Another option is to use a custom live disc that is placed in the terminal
>> CPU and configure network or BIOS to reboot at 0600.
>> 
>> Another option is to place a switch at the terminal to reboot the machine,
>> or allow cmd CTRL-ALT-DELETE to reboot terminal, and place a sign stating
>> to reboot the machine before use.
>> 
>> The disc I have used is called
>> LPS-Public-Deluxe.
>> 
>> http://spi.dod.mil/lipose.htm
>> 
>> http://www.wpafb.af.mil/news/story.asp?id=123189629
>> 
>> Every so often the SPI office releases an upgrade that must be downloaded
>> to a CDROM if you would like updates.
>> 
>> Hope this helps your use case.
>> 
>> Your mileage may vary.
>> 
>> Good luck in your mission.
>> 
>> Warm regards,
>> 
>> --
>> -------------------------------------
>> Justin W Elam
>> E-mail :> justin.w.elam at gmail.com
>> ###
>> 
>> 
>> 
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo

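The periodic reset to a pristine image described at the top of this message could look like the sketch below. It is an added example, not code from anyone in the thread; the paths, the stamp file, and the `--run` switch are assumptions, and the script is meant to run from a small boot-time environment before the main system starts.

```shell
#!/bin/sh
# Added example: restore the working system from a pristine copy, but only
# when the chosen interval has elapsed, so an ordinary reboot stays fast.
# All paths are hypothetical; adjust for the actual disk layout.
PRISTINE=${PRISTINE:-/mnt/pristine/}     # read-only copy of the base image
TARGET=${TARGET:-/mnt/target/}           # root filesystem the lab users work in
STAMP=${STAMP:-/mnt/state/last-restore}  # kept outside the tree being reset
INTERVAL=${INTERVAL:-86400}              # 24 hours; use 604800 for 7 days

# restore_due STAMP INTERVAL NOW -> exit status 0 when a restore should run.
# Anything suspicious about the stamp is treated as "restore now".
restore_due() {
    stamp=$1 interval=$2 now=$3
    [ -r "$stamp" ] || return 0            # never restored yet
    last=$(cat "$stamp")
    case $last in
        ''|*[!0-9]*) return 0 ;;           # empty or altered stamp
    esac
    [ "$last" -le "$now" ] || return 0     # stamp in the future (clock reset)
    [ $((now - last)) -ge "$interval" ]
}

restore() {
    # -aHAX keeps ownership, hard links, ACLs and xattrs;
    # --delete removes anything added since the last restore.
    rsync -aHAX --delete --numeric-ids "$PRISTINE" "$TARGET" &&
        date +%s > "$STAMP"
}

# Only act when asked to, so the functions can be sourced and checked safely.
if [ "${1:-}" = "--run" ]; then
    if restore_due "$STAMP" "$INTERVAL" "$(date +%s)"; then
        restore || exit 1
    fi
fi
```

Keeping the stamp and the pristine copy on storage the running system cannot write to matters here: malware that can edit either one can postpone or poison the reset.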