To secure your machine from unwanted root access we can disable the discovery root terminal in Grub2 by uncommenting the following line in /etc/default/grub:
GRUB_DISABLE_RECOVERY="true"
Note: To avoid security issues by editing GRUB2 entries while booting we may also want to restrict access to Grub boot menu by setting GRUB_HIDDEN_TIMEOUT=0 and enabling the OS_PROBER to prevent calling scripts in /etc/grub.d.
To take effect we also want to run the following command:
sudo update-grub
This will not prevent booting into a root environment with a live CD.
Therefore we also need to disable CD-ROM, Network or USB booting features in BIOS. To prevent BIOS changes we also need a password for BIOS access, and a hardware lock for your case to prevent resetting BIOS on your motherboard.
In addition your harddisk may have to be encrypted in case your hardware gets stolen.
Warning: By securing your system in this way you may completely lock yourself out of your computer. Be careful what you do and proceed only if you know exactly what you do. Keep your passwords in a safe place.
NOT RECOMMENDED But if you really want to, use sudo vipw and sudo vipw -s to rename “root” in the /etc/passwd and /etc/shadow files respectively. That’s all there is to it; to the kernel, root is any user with UID 0 (at least that’s my novice understanding). Notice that if you do this, sudo -i no longer works, but sudo -u xyz -i does, and still drops you into a root prompt.
Securing console access
Physically lock the PC case so it can’t be opened.
Prevent the computer from booting other devices.
In the BIOS, edit the boot sequence so that it will only boot the hard drive (and not from CD, USB device, etc.). Then set a BIOS password to prevent someone from editing the boot sequence.
Disable the recovery mode option in Grub.
Edit the file /etc/default/grub. Uncomment the line:
#GRUB_DISABLE_LINUX_RECOVERY="true"
Add a Grub superuser. This has the side-effect of preventing unauthenticated Grub users from editing boot lines (like adding the single parameter to boot into single-user mode and get root).
First, hash the password you want to use for the Grub superuser account:
grub-mkpasswd-pbkdf2
Then add the superuser to the Grub config by appending the following lines to /etc/grub.d/00_header (yes, include the cat and EOF lines):
Finally, run the following to have the Grub configuration changes take effect:
sudo update-grub2
What this does (assuming we have truly secured the BIOS and Grub) is reduce the attack surface to the physical security of the PC (i.e. break the case lock) and the security of Ubuntu when it’s online. The goal is to make it so someone can’t walk up to the PC, reboot it, go into single-user mode, give themselves root access, and then walk away — all in under a minute. Even if you are running full-disk encryption (yet still booting the kernel + initrd off of the PC hard drive), all these steps can still be a good idea, since it is trivial to perform the same attack in order to add a keylogger to the initrd that will sniff the encryption passphrase.
To secure your machine from unwanted root access we can disable the discovery root terminal in Grub2 by uncommenting the following line in
/etc/default/grub:Note: To avoid security issues by editing GRUB2 entries while booting we may also want to restrict access to Grub boot menu by setting
GRUB_HIDDEN_TIMEOUT=0and enabling theOS_PROBERto prevent calling scripts in/etc/grub.d.To take effect we also want to run the following command:
This will not prevent booting into a root environment with a live CD.
Therefore we also need to disable CD-ROM, Network or USB booting features in BIOS. To prevent BIOS changes we also need a password for BIOS access, and a hardware lock for your case to prevent resetting BIOS on your motherboard.
In addition your harddisk may have to be encrypted in case your hardware gets stolen.
Don't think the name of
rootcan be changed.In
/etc/default/grub, uncomment (remove the '#' symbol) the following line:...then run
sudo update-grub.Renaming the root account
NOT RECOMMENDED But if you really want to, use
sudo vipwandsudo vipw -sto rename “root” in the/etc/passwdand/etc/shadowfiles respectively. That’s all there is to it; to the kernel,rootis any user with UID 0 (at least that’s my novice understanding). Notice that if you do this,sudo -ino longer works, butsudo -u xyz -idoes, and still drops you into a root prompt.Securing console access
Physically lock the PC case so it can’t be opened.
Prevent the computer from booting other devices.
In the BIOS, edit the boot sequence so that it will only boot the hard drive (and not from CD, USB device, etc.). Then set a BIOS password to prevent someone from editing the boot sequence.
Disable the recovery mode option in Grub.
Edit the file
/etc/default/grub. Uncomment the line:Add a Grub superuser. This has the side-effect of preventing unauthenticated Grub users from editing boot lines (like adding the
singleparameter to boot into single-user mode and get root).First, hash the password you want to use for the Grub superuser account:
Then add the superuser to the Grub config by appending the following lines to
/etc/grub.d/00_header(yes, include thecatandEOFlines):(Example taken from http://www.g0hl1n.net/node/16.)
Finally, run the following to have the Grub configuration changes take effect:
What this does (assuming we have truly secured the BIOS and Grub) is reduce the attack surface to the physical security of the PC (i.e. break the case lock) and the security of Ubuntu when it’s online. The goal is to make it so someone can’t walk up to the PC, reboot it, go into single-user mode, give themselves root access, and then walk away — all in under a minute. Even if you are running full-disk encryption (yet still booting the kernel + initrd off of the PC hard drive), all these steps can still be a good idea, since it is trivial to perform the same attack in order to add a keylogger to the initrd that will sniff the encryption passphrase.
Changing the root username is NOT recommended - you are likely to break your install messing around as root.
For a definition of root and it's privileges see this article - and the reasons for not changing it are on this Ubuntu Forums Thread.