Disable Root Prompt in Bootloader

By default, anyone on a Debian system can reboot the OS simply by pressing CTRL+ALT+DELETE (the three-finger salute). This may or may not be a desirable feature. This section shows how to disable the CTRL+ALT+DELETE reboot feature.

Identified Threats

These are the identified threats related to Debian Software.

(T-22) Anyone Can Reboot The System with CTRL+ALT+DELETE

By default, Debian sets CTRL+ALT+DELETE to allow any user to reboot the operating system abruptly.

Actions Required

Here is the list of actions to counter the issues.

Track and Disable CTRL+ALT+DELETE Function

As of Debian Stretch, CTRL+ALT+DEL is configured using systemd. There are multiple levels of systemd pointers. The chain starts here:

/lib/systemd/system/ctrl-alt-del.target -> /lib/systemd/system/reboot.target

Following reboot.target, you get something like this:

#  SPDX-License-Identifier: LGPL-2.1+
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Reboot
Documentation=man:systemd.special(7)
DefaultDependencies=no
Requires=systemd-reboot.service
After=systemd-reboot.service
AllowIsolate=yes
JobTimeoutSec=30min
JobTimeoutAction=reboot-force

[Install]
Alias=ctrl-alt-del.target

Hence, to be on the safe side, you can symlink ctrl-alt-del.target to /dev/null instead (root privileges are required):

$ rm /lib/systemd/system/ctrl-alt-del.target
$ ln -s /dev/null /lib/systemd/system/ctrl-alt-del.target
$ systemctl daemon-reload

Then execute the following:

$ systemctl disable ctrl-alt-del.target
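
To confirm the change took effect, the following added example (not part of the original page) reports what ctrl-alt-del.target resolves to, checking systemd's unit directories in lookup order so that an override in /etc is seen before the packaged file in /lib. The names cad_status, cad_demo and the ROOT argument are made up for this example, and the sample tree is constructed.

```sh
#!/bin/sh
# Added audit example, not part of the original page.
# cad_status, cad_demo and the ROOT argument are names made up here.

# Unit directories in systemd's lookup order: the first match wins.
CAD_DIRS="etc/systemd/system run/systemd/system usr/lib/systemd/system lib/systemd/system"

# cad_status [ROOT] prints one of:
#   masked           symlink to /dev/null, or an empty unit file
#   active:<unit>    symlink (alias) to another unit, e.g. reboot.target
#   active:file      regular, non-empty unit file
#   absent           no ctrl-alt-del.target in any unit directory
cad_status() {
    root="${1:-}"
    for dir in $CAD_DIRS; do
        unit="$root/$dir/ctrl-alt-del.target"
        if [ -L "$unit" ]; then
            dest=$(readlink "$unit")
            if [ "$dest" = "/dev/null" ]; then
                echo "masked"
            else
                echo "active:$(basename "$dest")"
            fi
            return 0
        elif [ -f "$unit" ]; then
            if [ -s "$unit" ]; then echo "active:file"; else echo "masked"; fi
            return 0
        fi
    done
    echo "absent"
}

# Constructed sample tree: the stock symlink shown on this page, then the fix.
cad_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/lib/systemd/system"
    ln -s /lib/systemd/system/reboot.target "$t/lib/systemd/system/ctrl-alt-del.target"
    before=$(cad_status "$t")
    rm "$t/lib/systemd/system/ctrl-alt-del.target"
    ln -s /dev/null "$t/lib/systemd/system/ctrl-alt-del.target"
    after=$(cad_status "$t")
    rm -rf "$t"
    echo "$before -> $after"
}

cad_demo            # constructed tree
cad_status ""       # the running system
```

Files under /lib/systemd/system are owned by the systemd package, so repeat the check after package upgrades.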

That's all for hardening Debian by disabling the ctrl-alt-del reboot feature.