Physical Security

  • Ensure that single user mode is either disabled or password protected. Single user mode can be accessed by restarting the system, and provides root access to the system.
  • Require a boot menu password. Without a boot menu password, attackers can force the bootloader to boot a root shell instead of another part of the operating system, providing them with root access. To do so, follow these steps:
  1. Open a terminal.
  2. Run the command grub-mkpasswd-pbkdf2. You'll be asked to enter the password and then to confirm it. This will create a PBKDF2 hash of the password for the bootloader.
  3. The command will output a hashed version of the provided password. Copy this.
  4. Open the GRUB configuration file with root permissions using a text editor. For example, if you're using vim, you would enter: sudo vim /etc/default/grub
  5. Find the line that starts with GRUB_PASSWORD. If it doesn't exist, you'll need to add it. You can edit the file by entering insert mode in vim simply by inputting i. To exit vim without making changes, hit escape, then enter :q! and press enter. Set GRUB_PASSWORD to the hashed password you copied. It should look like this: GRUB_PASSWORD=grub.pbkdf2.sha512.10000.long_string_of_characters
  6. Save the file and exit the text editor. If you're using vim, you can do this by pressing escape, then entering :wq to confirm that you want to save the changes, and then Enter to confirm the file name.
  7. Update GRUB with the new configuration by running: sudo update-grub
  • Ensure device encryption is enabled. Requiring a boot password can be circumvented by an attacker installing their own boot media and mounting the system.

  • For example, if you are hosting a web server in a cloud instance, ensure the cloud instance is encrypted. Additionally, you can run the server in a VM, and make sure the virtual drive for the VM is encrypted.

  • LUKS is a common encryption tool. It can be used to encrypt any block device.

  • Disable CTRL+ALT+DEL. CTRL+ALT+DEL initiates a system reboot. If an attacker is able to gain access to the system, they may use the restart to gain access to the bootloader.

  • CTRL+ALT+DEL can be disabled by running the following two commands:
      sudo systemctl mask ctrl-alt-del.target
      sudo systemctl stop ctrl-alt-del.target
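
To confirm the settings above actually took effect, the following audit script is an added example and is not part of the original checklist. It assumes Debian/Ubuntu default paths (/boot/grub/grub.cfg, /etc/systemd/system); the function names are illustrative. It inspects the generated grub.cfg rather than /etc/default/grub, because the generated file is what the bootloader reads at boot.

```shell
#!/usr/bin/env bash
# Added audit sketch for the checklist above; paths are assumed Debian/Ubuntu defaults.

# Succeeds if the generated GRUB config defines a superuser and a PBKDF2 password hash.
grub_password_set() {
    local cfg="$1"
    [ -r "$cfg" ] || return 2   # missing or unreadable (grub.cfg may need root)
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" &&
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$cfg"
}

# Succeeds if "systemctl mask" has linked the unit to /dev/null in the given unit directory.
unit_masked() {
    local dir="$1" unit="$2"
    [ "$(readlink "$dir/$unit" 2>/dev/null)" = "/dev/null" ]
}

# Succeeds if lsblk FSTYPE output supplied on stdin lists at least one LUKS container.
has_luks() {
    grep -qx 'crypto_LUKS'
}

# Runs lsblk on the live host and feeds its FSTYPE column to has_luks.
luks_present() {
    lsblk -rno FSTYPE 2>/dev/null | has_luks
}

# report <label> <command...>: prints PASS/FAIL and returns the command's verdict.
report() {
    local label="$1"; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

# Runs all three checks against the live host; non-zero if any check fails.
audit_host() {
    local failed=0
    report "GRUB password present in grub.cfg" grub_password_set /boot/grub/grub.cfg || failed=1
    report "ctrl-alt-del.target masked" unit_masked /etc/systemd/system ctrl-alt-del.target || failed=1
    report "LUKS container present" luks_present || failed=1
    return "$failed"
}

# Only touch the live host when explicitly asked to.
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as root with the --audit argument after update-grub; a FAIL on the GRUB line means the password hash did not reach the generated configuration and the boot menu is still unprotected.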