Admin Spotting for Fun and Profit

3 quick steps for physical security

January 3rd, 2008 Posted in Linux

Everyone knows that you need to protect your exposed applications, but many shops seem to ignore the physical security component of their Information Assurance program. While the steps here don’t get you 100% physical security, they will very definitely protect you against the “Casual Compromise” of someone just walking by.

  1. Inactivity Timeouts on shells
  2. Disable Interactive Loading
  3. Protect Single User Mode

Inactivity Timeouts

For GUI sessions you should set your screen saver properties to require a password after a period of time defined by your needs, but what about servers which aren’t running X? For console sessions we implement an auto-timeout. To do this, create a file in /etc/profile.d called timeout.sh with the following lines:

# /etc/profile.d/timeout.sh: log out idle interactive bash sessions after TMOUT seconds
TMOUT=600
# read-only so a user cannot simply unset or raise the limit in their own session
readonly TMOUT
export TMOUT

This will cause the bash shell to time out after 10 minutes (600 seconds); the readonly line keeps a user from simply unsetting or raising the limit in their own session. If you want a longer or shorter window, adjust the TMOUT= value to the appropriate number of seconds.

Disable Interactive Loading

When you boot a CentOS, RHEL or Fedora box, there is an option for interactive loading. This allows you to select or alter which services actually start. This is useful for troubleshooting, or if an application hangs the system for some reason. But it can also give a malicious user with console access the opportunity to stop the services protecting the system. In order to disable interactive loading of services you need to edit /etc/sysconfig/init.

Open the file and change the PROMPT line from PROMPT=yes to PROMPT=no.

Protect Single User Mode

A shell timeout helps, but what if the user reboots the system and enters single user mode? By default, this grants anyone with physical proximity to the system root access. This can be quite unfortunate for a host of obvious reasons. In order to prevent this from happening, add the following line to /etc/inittab, which makes single user mode run sulogin and ask for the root password first:

~~:S:wait:/sbin/sulogin

Note that if you lose your root password after making this change, you’re going to be very much in trouble without rescue media.
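The two boot-time settings above are easy to get wrong (a commented-out PROMPT line, or the sulogin entry typed into the wrong file), so here is an added audit script that is not part of the original post. It checks both settings with grep, takes the file paths as parameters so it can be exercised against constructed sample files, and defaults to the real /etc/sysconfig/init and /etc/inittab when run with --live. The function names and sample contents are assumptions of this example.

```shell
#!/bin/sh
# Added audit script (not from the original post). Checks the two boot-time
# settings described above: PROMPT=no in /etc/sysconfig/init and the sulogin
# entry in /etc/inittab. Paths are parameters so the checks can be exercised
# against the constructed sample files below instead of the live system.

# Prints one line per missing setting; returns the number of findings
# (0 means both hardening steps are in place).
audit_boot_hardening() {
    init_file="${1:-/etc/sysconfig/init}"
    inittab="${2:-/etc/inittab}"
    findings=0
    # Step 2: an uncommented PROMPT=no disables interactive service loading.
    if ! grep -Eq '^[[:space:]]*PROMPT=no[[:space:]]*$' "$init_file" 2>/dev/null; then
        echo "$init_file: PROMPT is not set to no; interactive startup is still allowed"
        findings=$((findings + 1))
    fi
    # Step 3: single-user mode must run sulogin, which asks for root's password.
    if ! grep -q '^~~:S:wait:/sbin/sulogin' "$inittab" 2>/dev/null; then
        echo "$inittab: no sulogin entry for single-user mode"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files (not copied from any system): a hardened pair and
# a default pair. Prints the temporary directory holding them.
write_samples() {
    dir=$(mktemp -d)
    printf 'BOOTUP=color\nPROMPT=no\n'                    > "$dir/init.hardened"
    printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$dir/inittab.hardened"
    printf 'BOOTUP=color\nPROMPT=yes\n'                   > "$dir/init.default"
    printf 'id:3:initdefault:\n'                          > "$dir/inittab.default"
    echo "$dir"
}

# Runs the audit against one sample pair ($1 = hardened|default) and prints
# the number of findings.
count_findings() {
    dir=$(write_samples)
    if audit_boot_hardening "$dir/init.$1" "$dir/inittab.$1" >/dev/null; then
        n=0
    else
        n=$?
    fi
    rm -rf "$dir"
    echo "$n"
}

# Stand-alone use: "sh audit_boot.sh --live" audits the real files and exits
# with the number of findings; otherwise the constructed samples are reported.
case "${1:-}" in
    --live) audit_boot_hardening; exit $? ;;
    *) echo "hardened sample: $(count_findings hardened) finding(s)"
       echo "default sample:  $(count_findings default) finding(s)" ;;
esac
```

The exit status doubles as the finding count, so the script drops straight into a cron job or a configuration check without parsing its output.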

One Response to “3 quick steps for physical security”

By Niels de Vos on Jan 25, 2008

    Cool hints, thanks!

    However, timeout.sh should probably look more like:


    TMOUT=600
    readonly $TMOUT
    export $TMOUT

    (Note the dollar sign)

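The post body and the comment give two versions of timeout.sh that differ by a single character, and the quickest way to settle what a candidate file actually does is to source it and inspect the result. The following check is an added example, not code from the original post or from the comment; it assumes bash is on PATH and that the file under test is a plain profile.d snippet. It sources the file in a throwaway bash, reports whether TMOUT ends up set, read-only and exported, and runs both constructed variants from this page.

```shell
#!/bin/sh
# Added check (not from the original post or the comment). Sources a candidate
# /etc/profile.d/timeout.sh in a throwaway bash and reports whether TMOUT ends
# up (a) a positive number of seconds, (b) read-only, so a session cannot just
# unset it, and (c) exported, so subshells inherit it.

# Prints "ok" or the first property that fails; returns 0 only when all hold.
check_timeout_script() {
    bash -c '
        . "$1" 2>/dev/null        # errors raised by the script itself are reported below
        case "$TMOUT" in
            ""|0|*[!0-9]*) echo "TMOUT is not a positive number of seconds"; exit 1 ;;
        esac
        readonly -p | grep -q "TMOUT=" || { echo "TMOUT is not read-only"; exit 1; }
        env | grep -q "^TMOUT="        || { echo "TMOUT is not exported"; exit 1; }
        echo ok
    ' _ "$1"
}

# Constructed sample scripts (not real files): the lines from the post body
# and the $TMOUT variant shown in the comment. Prints the temp file path.
write_sample() {
    f=$(mktemp)
    case "$1" in
        body)    printf 'TMOUT=600\nreadonly TMOUT\nexport TMOUT\n'   > "$f" ;;
        comment) printf 'TMOUT=600\nreadonly $TMOUT\nexport $TMOUT\n' > "$f" ;;
    esac
    echo "$f"
}

# Checks one sample ($1 = body|comment) and prints its verdict line.
verdict_for() {
    f=$(write_sample "$1")
    verdict=$(check_timeout_script "$f" || true)
    rm -f "$f"
    echo "$verdict"
}

# Stand-alone use: "sh check_timeout.sh /etc/profile.d/timeout.sh" checks a
# real file; with no argument both constructed samples are reported.
if [ -n "${1:-}" ]; then
    check_timeout_script "$1"
else
    echo "post body lines: $(verdict_for body)"
    echo "comment lines:   $(verdict_for comment)"
fi
```

Pointing the check at a real profile.d file is the useful part: it catches a typo in the variable name or a missing readonly before the next console login depends on it.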
