Infrastructure level alternatives for Ubuntu Machines

Hello ITsFC!

As part of the infrastructure upgrade at my workplace, I’ve received a list of issues with Ubuntu OS from the IT Infra Manager. For the same, I’m sending out an S.O.OS signal here, since the decision is leaning toward “Rule out all Ubuntu Machines (and go for Windows!)”

List of Issues:

Domain – In order to enable Ubuntu OS machines to be part of our domain, we are spending enough on the “Centrify Solution”. That solution works fine; however, not all group policies are being pushed through AD (Active Directory).

Anti-Virus: Currently we have however it is not that effective, and we face challenges while establishing the connection between the antivirus server and Ubuntu OS endpoints.

Endpoint DLP: We have to implement a DLP solution on each endpoint, and we have not found any solution which is effective and works for all 3 OS (Windows, Mac and Ubuntu)… Most of the service providers are only offering solutions for Windows and Mac.

Endpoint encryption: We have to implement endpoint encryption (BIOS + hard drive), and again we cannot find any effective solution which covers all 3 OS (Windows, Mac and Ubuntu). Most of the solution providers are limited to IOS and Windows.

Patching: We are currently using WSUS for Windows patching and Centrify for IOS; however, we don’t have any solution for Ubuntu patching. It’s a manual effort, and covering 50+ endpoints manually is impossible for us.

======== A Call for help ==========
I’ve been looking for all possible alternatives, but I’m still on the losing side of the conversation since I’m still missing out on the above points.

Alternative for Endpoint DLP: Endpoint Protector link

Alt. for Endpoint encryption link

Please provide alternatives for the rest of the points.

That is one of your primary issues, right there. There is no real use case where you need all 3 OSs at the same time. Especially server-side you definitely do not need Windows and you basically never need MacOS in an enterprise environment, ever, because you can do everything + more with Windows and especially Linux. Unless your company is actually a band and your members love Garage Band or Reason.

Your second issue is that you are under-estimating your side of the matter.

You are not. From what I read here, the side you are opposed to has little to no knowledge about server infrastructure within enterprise-like domains. I think it seems to you like you are losing, because the majority of people in your workplace are not that knowledgeable, to say it very very mildly. If you are discussing an important issue, don’t be so humble. If you know what you say is definitely damn right, then say so. Do not think you are losing or have worse points because you are obviously in the minority.

Make sure you tell them that they have senseless demands and that they should re-think their demands and strategy overall, as it just makes little sense to downgrade the entire infrastructure to Windoze, just because they think they need to use all big OSes at once. As already mentioned, nobody needs MacOS in an enterprise environment. You have to explain to them that they think more ideologically than logically and that it only makes sense to think reasonably, instead of trying to shoehorn something into the system that is neither necessary nor fitting.

If they are concerned about security, they should love to use Linux, only. If you use best practices, and secure-by-default Linux services, you do not need to use explicit Anti-Virus software. Best practice is the best anti-virus defending mechanism there is, anyway.
To ensure security you need to:

  • use Linux only
  • use up to date secure-by-default software i.e. SSH, SFTP, etc.
  • school users of your infrastructure how to behave correctly
  • KISS
  • (optional, depending on the type of your enterprise) use GPG
  • (if you are paranoid) use ClamAV or an alternative

If you follow at least these couple of bullet points, your enterprise will be more secure than 80% of already existing enterprises out there. You don’t even want to know what they call “security”, if they know this word at all.

You might want to elaborate on that.

And it will stay like that if everyone just gives up to Windoze and supports the wrong direction.

Unfortunately, I don’t remember the names, but I assure you after a quick search you will find tons and tons of software with patching management capabilities on enterprise level.

2 Likes

Firstly, welcome to our friendly community.
Take time to read what @Akito has written and I am sure that others will add things as well, as unlike some other communities I have found the spread of knowledge greater here.

1 Like

There’s a bunch of solutions for config management (including patching) for Ubuntu environments - there’s Canonical’s own MaAS or whatever it’s called - you can also answer yes to the question to allow automatic updates during the install (hmm - I install more Ubuntu server than desktop - server install asks if you want to enable automatic updates - does desktop?)…

And there’s things like Puppet, or Ansible (or even Salt or Chef).

But these three are pretty complex products and require a significant investment in time and learning. I know Puppet reasonably well, but a bit rusty on it - haven’t used it for a couple of years… I guess I probably should given I’ve got about 8 or more *NIX machines in my home environment…

I installed Puppet Enterprise from scratch in a mostly Oracle Linux environment 6 years ago, pretty much to manage a server fleet (physical and virtual) and server “SOE” - about 100 or so Linux servers … was just about to hybridize that Puppet Enterprise into the cloud (AWS) when I got retrenched…

3 Likes

Totally! That is what I have been observing all along. Since this issue has grown, I now officially have a Linux User Group in my company. One of the members posted the links below for the points:

And the most powerful thing about this is that all these links are from the Ubuntu documentation! Bam!
Combined with the Answers here and the Documentation links we have, I think we have a solid case.

Now I know that these will not be accepted (by the Infra Managing Team) the way they are given. We (LUG at company) have planned Rebellion activities in the coming days, viz.

  • Performance comparison on same spec machines with Wind…whatever vs. Linux based OS on prem. and post those videos on our Intranet.
  • Demo Remote updating / patching using simple bash scripts (as they need it)
  • Then give them these links and insights from community

I’m going to violate this, but I do need to extend my gratitude to the Community here and on my premises. Let’s win this war.

2 Likes
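
The manual-patching problem in the opening post and the bash patching demo planned in the post above both start with knowing which hosts have updates pending. The script below is an added example, not written by anyone in this thread: it parses `apt-get -s dist-upgrade` output per host and flags security updates. Key-based SSH access and host names such as ws-01 are assumptions, and the sample output is constructed.

```bash
#!/usr/bin/env bash
# Added example: report pending APT updates for a list of Ubuntu hosts.
# Assumed, not from the thread: key-based SSH to each host, host names ws-01...
# Counts reflect each host's last `apt-get update`.

# Read `apt-get -s dist-upgrade` output on stdin, print "<total> <security>".
# A package counts as security when its candidate comes from a *-security pocket.
count_pending() {
  awk '/^Inst / { total++; if ($0 ~ /\/[a-z]+-security[ ,]/) sec++ }
       END { printf "%d %d\n", total, sec }'
}

# Simulated upgrade plan from one host: -s changes nothing and needs no root.
# BatchMode makes an unreachable host fail instead of prompting for a password.
fetch_plan() {
  ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" 'apt-get -s dist-upgrade'
}

# One line per host; returns 1 if any host fails (SSH or apt error) or has
# security updates pending, so a cron job can alert on the exit status.
audit_fleet() {
  rc=0
  for host in "$@"; do
    if ! plan=$(fetch_plan "$host" 2>/dev/null); then
      echo "$host UNREACHABLE"; rc=1; continue
    fi
    counts=$(printf '%s\n' "$plan" | count_pending)
    total=${counts% *}; sec=${counts#* }
    echo "$host total=$total security=$sec"
    if [ "$sec" -gt 0 ]; then rc=1; fi
  done
  return "$rc"
}

# Constructed sample of the simulation output (package versions are made up).
SAMPLE_PLAN='NOTE: This is only a simulation!
Inst libssl3 [3.0.2-0ubuntu1.15] (3.0.2-0ubuntu1.16 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst openssl [3.0.2-0ubuntu1.15] (3.0.2-0ubuntu1.16 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst tzdata [2024a-0ubuntu0.22.04] (2024a-0ubuntu0.22.04.1 Ubuntu:22.04/jammy-updates [all])
Conf libssl3 (3.0.2-0ubuntu1.16 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])'

# With host arguments, audit them; with none, parse the sample offline.
if [ "$#" -gt 0 ]; then
  audit_fleet "$@"
else
  printf '%s\n' "$SAMPLE_PLAN" | count_pending
fi
```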