Quote:
Originally Posted by jschiwal
Not allowing any local tty logins may not be a good goal. What are you going to do if the NIC device goes out? Or if you lock yourself out accidentally from remote logins?
Yeah, especially considering anyone with local access *will* root it in a few minutes with a boot CD if they have half a clue and that's what they want to do. Disabling the CD in the BIOS and putting a BIOS password on won't help either. You can simply reset the BIOS with a jumper. Physical access is > all software security measures. Not allowing local logins won't matter at that point. With a boot CD you don't need to log in.
A good lock on a sturdy rack cabinet is a much better (and secure) physical security solution. Think Medeco grade 1 for ultimate physical security, at least until people figure out how to bump key that one too.
If they have to hack through a bunch of hardened wire to get to the box, they'll find an easier target.
Is this at work? Suggest that the best physical security measure is good physical security, then demonstrate how easy it is to get around a local tty lockout with a boot CD. The setup disk for the distro you are using probably has a rescue mode that can be used for this demonstration.
On Red Hat it's:
linux rescue
at the boot prompt before setup, then:
# chroot /mnt/sysimage
Edit the files you need to, change the root password, reboot.
Of course a Sawzall will cut through most stuff like butter, but those are pretty loud and will usually attract attention.
Not good for someone trying to maintain a low profile and get into a box unnoticed.
-Viz