Re: security scenario

["Chris Berry" <compjma () hotmail com>]

> From: "theog" <theog () theog org>
> I agree , in my opinion , if someone got to the machine's keyboard ,
> be it phisically or via a remote console device , he can do virtually
> anything, in fact, the simplest thing to do (if I wanted to change the
> root for a machine I dont have the password for) is to boot with a
> linux cd , mount the root partition , then do chroot , and passwd ,
> so ..... no point is having a grub password for the machine if you
> have users you dont trust , with access to that machine console.

Physical access will yield root access given time, knowledge, and tools.  
That said, I still disagree, security is not one thing, it is a compilation 
of little things that add up.  No one is hack proof, but by adding layer 
after layer of complications for the attacker, you make yourself an 
uninviting target, and become hack resistant.  You have to draw the line 
somewhere or your administrative burden will grow greater than you can 
handle, but I believe that a grub password (or requiring root password for 
single user mode) would be a good idea as it's easy to setup and maintain, 
but makes things a little more difficult for the attacker (not to mention 
curious employees messing with things they shouldn't be).  I also think bios 
passwords are a good idea, sure any monkey who can open the case can pop the 
battery and reset it, but that's one more step they have to do, and around 
most workplaces you'll get quite a bit of unwanted attention if you start 
taking your computer apart and you don't work in IT.  On top of this, 
removing the CD-ROM drive and Floppy drive from any workstation that doesn't 
require it, is a good idea as it slows them down even further, and requires 
more knowledge, and some parts to bypass.  With these three things in place 
they'll need a screwdriver, a linux cd, a cd-rom drive, enough knowledge to 
open the case install the cd-rom, set the jumpers on cd-rom and IDE, reset 
the cmos, then boot up and use their linux cd to bypass your grub password.  
Can it be done sure, is it hard, not really for a trained person, I could 
probably do it in under 20 minutes, but how many people have that level of 
training, and can get unobserved access to the machine for that long?  
Personally I feel that would stop anything but a determined and 
knowledgeable attacker who has time and physical access.  If you have good 
physical security (locks, alarms etc.) that makes it even harder.  If 
someome is determined enough to get through all that there isn't any way 
you're going to stop him anyways, but I consider that a much lower order of 
probability than the kind of people who could get in without having those 
three precautions.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"For Sys Admins paranoia isn't a mental health problem, its a marketable job 
skill."

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE*  
http://join.msn.com/?page=features/junkmail