Jim Douglas wrote:

I plan on allowing a user to remotely login to my linux box with a GUI.

How can I best lockdown the system so the can't do any damage?

(I know there's a lot to do, links would be appreciated.)

Please define "so they can't do any damage". One possibility is to make them run with a restricted shell. Another is to provide your own shell. Another might be to make them run in a chroot environment. What are you trying to protect against? Until you answer that question, you cannot take steps to prevent "damage". So, define "damage", and then you can take steps. Also, ask yourself "How much effort and money am I willing to spend?"

Mike

I plan on allowing a user to remotely login to my linux box with a GUI.

How can I best lockdown the system so the can't do any damage?

(I know there's a lot to do, links would be appreciated.)

A good start would be to:

Mount /tmp /var and /usr/local as noexec and nosuid.

Tune selinux or go through the pain of installing something easier to understand like RSBAC (http://www.rsbac.org/).

If the machine is not a mail server, be sure that Sendmail/Postfix is configured to only send mail to/from the localhost. This greatly depends on what other users will be using this machine of course.

Lock down your outgoing ports as well as the incoming on your firewall (hopefully not the same machine).

Disable the FTP server or better yet, remove the package altogether.

That's all I can think of at the moment. A better understanding of what the user will be expected to do would make it much easier.