Physical Security Vulnerabilities and Linux Systems
Some Linux vulnerabilities involve the bad guy (malicious user) actually being at the system console — something that’s entirely possible given the insider threats that every organization faces.
Physical security hacks
If an attacker is at the system console, anything goes, including rebooting the system (even if no one is logged in) by pressing Ctrl+Alt+Delete. After the system is rebooted, the attacker can start it in single-user mode, which allows the attacker to zero out the root password or possibly even read the entire shadow password file.
Countermeasures against physical security attacks
Edit your /etc/inittab file and comment out (place a # sign in front of) the line that reads ca::ctrlaltdel:/sbin/shutdown -t3 -r now, shown in the last line of the figure. This change prevents someone from rebooting the system by pressing Ctrl+Alt+Delete. Be forewarned that it also prevents you from legitimately using Ctrl+Alt+Delete.
For Linux-based laptops, use disk encryption software, such as WinMagic and Symantec. If you don’t, when a laptop is lost or stolen, you could very well have a data breach on your hands and all the state, federal, compliance, and disclosure law requirements that go along with it. Not good!
If you believe that someone has recently gained access to your system, either physically or by exploiting a vulnerability, such as a weak password or buffer overflow, you can use the last program to view the most recent logins into the system and check for strange login IDs or login times. This program reads the /var/log/wtmp file and displays the users who logged in last. Enter last | head to view the first part of the output (the first ten lines), which contains the most recent logins.
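One way to automate the check for strange login IDs or login times, as an added example that is not part of the original article: the function below reads last output and flags accounts outside an allowlist, logins outside working hours, and reboot records. The user names, working hours and sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag unexpected accounts, off-hours logins and reboot
# records in `last` output. Allowlist and working hours are assumptions.
KNOWN_USERS="alice bob"   # hypothetical accounts expected on this host
DAY_START=7               # assumed working hours: 07:00 to 18:59
DAY_END=19

# Reads `last`-style lines on stdin; prints "REASON: line" per finding.
review_logins() {
    awk -v known="$KNOWN_USERS" -v lo="$DAY_START" -v hi="$DAY_END" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    # Skip blank lines and the trailing "wtmp begins ..." line.
    NF == 0 || $1 == "wtmp" { next }
    # last records every system boot under the pseudo-user "reboot".
    $1 == "reboot" { print "REBOOT: " $0; next }
    {
        # Console logins have no host column, so find the timestamp by
        # its weekday field rather than by a fixed column number.
        hour = -1
        for (i = 2; i <= NF - 3; i++)
            if ($i ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ &&
                $(i + 3) ~ /^[0-9][0-9]:[0-9][0-9]$/) {
                hour = substr($(i + 3), 1, 2) + 0
                break
            }
        if (!($1 in ok))
            print "UNEXPECTED-USER: " $0
        else if (hour >= 0 && (hour < lo || hour >= hi))
            print "OFF-HOURS: " $0
    }'
}

# Constructed sample in the layout `last` prints (not real log data).
sample_last() {
    cat <<'EOF'
alice    pts/0        192.0.2.10       Tue Mar  5 09:14   still logged in
root     tty1                          Tue Mar  5 02:41 - 02:47  (00:06)
reboot   system boot  5.10.0-sample    Tue Mar  5 02:40   still running
bob      pts/1        192.0.2.22       Mon Mar  4 23:05 - 23:50  (00:45)
alice    pts/0        192.0.2.10       Mon Mar  4 08:58 - 17:31  (08:33)

wtmp begins Fri Mar  1 08:00:12 2024
EOF
}

sample_last | review_logins
```

To review real data, replace the last line with last | review_logins and set KNOWN_USERS to the accounts you expect on that host.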