securing RHEL 5.x in a university lab setting

[Tim Mooney]

All-

We've been running a lab of Linux workstations for our students for
several years, and in the past I've felt pretty confident that we had
the systems well-secured.  I think it was easier in the past, though,
because the systems weren't quite so "user friendly".

I'm planning on kickstarting the lab with RHEL 5.2 in the next few weeks.
With RHEL 5.x and the GNOME/KDE environment that comes with it and some
of the newer components (e.g. HAL), I'm concerned that there may be new
things that I need to do to prevent the lab users from being able to
compromise the security of the systems.  Having physical access to the
systems always makes security more tricky...

We're still doing all the basics (BIOS & grub passwords to control what
can be booted, etc.).  My primary new concern is with making sure that
students can bring in media (USB sticks, CDs, etc.) and get it mounted
without also being able to make use of setuid binaries they may have
placed on the media they bring in.

With that in mind, anyone have any good pointers for securing the
graphical desktops and HAL against possible attackers with physical
access?  More generally, anyone know of a good guide or checklist
for securing RHEL 5.x in a university lab?

Thanks,

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164