Re: Prevent Linux root password change



Tomislav wrote:
My question is: is there any known method to prevent this on Linux or
any kind of Unix system?

Physical security:

Servers:
Lock servers up securely and keep track of all copies of the keys. Don't
use those biometric fingerprint door locks. While they're cool, they're
useless. Especially the affordable ones can be tricked with a xerox copy
of your fingerprint. While armed guards might be a bit over the top,
it's usually good to have people working near your server room (like
yourself). People plus locks combined are great deterrents.

Workstations:
Metal cases around the CPU unit with padlocks

Software security:

Make the shadow immutable with chattr +i. While using chattr -i as root
will remove this protection, it breaks a lot of rootkits among other things.

Use BIOS to disable booting from CD and set a BIOS password. The metal
case with padlock or locked server room will prevent unauthorized BIOS
purging by removing the CMOS battery.

Cryptography:

If physical security of the servers is insufficient, you could use an
encrypted root filesystem. If you set it up correctly and you have a
remote serial console to make it practical, this will make it extremely
hard for anyone without the private key and/or passphrase to write/read
any data from the disk once the machine has been down. Downside is that
you'll need a password to boot the machine, it's tricky to set up, and
not something you can do in a few minutes to an existing server.
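
Since root can clear the immutable flag again with chattr -i, it is worth checking periodically that the flag is still set. The script below is an added example, not part of the original post: it reads lsattr output and reports files that lack the flag. The function names and the file list passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit that files protected with "chattr +i" still carry
# the immutable flag. Function names here are hypothetical.

# has_immutable_flag LINE
# LINE is one line of lsattr output, e.g. "----i---------e------- /etc/shadow".
# Succeeds if the attribute field (first field) contains a lowercase 'i'.
has_immutable_flag() {
    attrs=${1%% *}            # keep only the attribute field, drop the path
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_immutable FILE...
# Prints one status line per file; exit status is the number of files that
# are not confirmed immutable (flag missing, or lsattr could not read them).
audit_immutable() {
    missing=0
    for f in "$@"; do
        if ! line=$(lsattr -d "$f" 2>/dev/null); then
            echo "UNKNOWN  $f (lsattr failed)"
            missing=$((missing + 1))
        elif has_immutable_flag "$line"; then
            echo "OK       $f"
        else
            echo "MISSING  $f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run the audit only when files are given, e.g.:
#   sh audit-immutable.sh /etc/shadow /etc/passwd
if [ "$#" -gt 0 ]; then
    audit_immutable "$@"
fi
```

Run from cron as root, a non-zero exit status is the signal to alert on.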