If an attacker has physical access to this machine, and particularly to the keyboard, s/he could get super-user access through the Grand Unified Bootloader (GRUB) command line. We will look at other ways to prevent this later, but one easy way is to password-protect the GRUB prompt. If GRUB is password-protected, any user can reboot the machine normally, but only users with the password can pass arguments to the GRUB prompt.
Note that this option can interfere with dual-booting a second operating system, since dual booting often requires that you type an O/S name to boot one of the two operating systems. If this machine sits in a general-purpose lab and dual boots, you probably shouldn't choose this option.
Otherwise, this is strongly recommended for general use workstations and servers which are not locked away in their own room.
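To verify the result afterwards, the following added example (not part of the original text or of any tool it describes) audits a GRUB configuration file for prompt protection. It assumes GRUB 2 syntax (`set superusers`, `password_pbkdf2`, `--unrestricted`), which the text above does not specify; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# audit_grub_cfg FILE: print a status word and return
#   0 protected   (superusers set, PBKDF2-hashed password present)
#   1 unprotected (no superusers list or no password entry)
#   2 plaintext   (password stored in clear text in the file)
#   3 unreadable
audit_grub_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 3; }
    # Authentication only applies when superusers is a non-empty list.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers="?[^"[:space:]]+' "$cfg"; then
        echo "unprotected"; return 1
    fi
    if grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$cfg"; then
        echo "protected"; return 0
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$cfg"; then
        echo "plaintext"; return 2
    fi
    echo "unprotected"; return 1
}

# locked_entries FILE: count menu entries without --unrestricted. With
# superusers set, these need the password even for a normal boot, which
# defeats "any user can reboot the machine normally".
locked_entries() {
    grep -E '^[[:space:]]*menuentry[[:space:]]' "$1" |
        grep -vc -- '--unrestricted' || true
}

# Constructed sample config; the hash is a placeholder, not a real value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry 'Linux' --unrestricted {
}
menuentry 'Recovery' {
}
EOF
audit_grub_cfg "$sample"
echo "entries requiring the password to boot: $(locked_entries "$sample")"
rm -f "$sample"
```

Run it against the generated configuration (commonly `/boot/grub/grub.cfg`, an assumption that varies by distribution) and check that the file is readable only by root, since it holds the password hash.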