Disable Root Prompt in Bootloader
By default, anyone on a Debian system can reboot the OS by simply pressing CTRL+ALT+DELETE (the three-finger salute). This may or may not be a desirable feature. This section guides you through disabling the CTRL+ALT+DELETE reboot feature.
Identified Threats
These are the identified threats related to Debian Software.
(T-22) Anyone Can Reboot The System with CTRL+ALT+DELETE
By default, Debian sets CTRL+ALT+DELETE to allow any user to reboot the operating system abruptly.
Actions Required
Here is the list of actions to counter the issues.
Track and Disable CTRL+ALT+DELETE Function
As of Debian Stretch, CTRL+ALT+DEL is configured using systemd. There are multiple levels of systemd pointers. To start, it is here:
/lib/systemd/system/ctrl-alt-del.target -> /lib/systemd/system/reboot.target
By tracking reboot.target, you get something like this:
# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Reboot
Documentation=man:systemd.special(7)
DefaultDependencies=no
Requires=systemd-reboot.service
After=systemd-reboot.service
AllowIsolate=yes
JobTimeoutSec=30min
JobTimeoutAction=reboot-force
[Install]
Alias=ctrl-alt-del.target
Hence, to be on the safe side, you can symlink ctrl-alt-del.target to /dev/null instead:
$ rm /lib/systemd/system/ctrl-alt-del.target
$ ln -s /dev/null /lib/systemd/system/ctrl-alt-del.target
$ systemctl daemon-reload
Then execute the following:
$ systemctl disable ctrl-alt-del.target
That's all for hardening Debian by disabling ctrl-alt-del reboot feature.
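To confirm the change took effect, the following check (an added example, not part of the original guide) reports what ctrl-alt-del.target resolves to. The function name cad_target_state and the demo tree are constructed for illustration, and it assumes only /etc/systemd/system and /lib/systemd/system need inspecting, with /etc taking precedence.

```shell
#!/bin/sh
# Added example (not from the original page). Reports what ctrl-alt-del.target
# resolves to under a filesystem root: "/" for the live system, or a test tree.
# Assumption: only /etc/systemd/system and /lib/systemd/system are inspected;
# a unit in /etc takes precedence over the packaged one in /lib.

cad_target_state() {
    root="${1%/}"
    for dir in /etc/systemd/system /lib/systemd/system; do
        unit="$root$dir/ctrl-alt-del.target"
        if [ -L "$unit" ]; then
            dest=$(readlink "$unit")
            if [ "$dest" = "/dev/null" ]; then
                echo "masked"; return 0
            fi
            echo "active:${dest##*/}"; return 1
        elif [ -e "$unit" ]; then
            # systemd also treats a zero-length unit file as masked.
            if [ -s "$unit" ]; then
                echo "active:regular-file"; return 1
            fi
            echo "masked"; return 0
        fi
    done
    echo "absent"; return 2
}

# Constructed demo tree: the stock link first, then the page's replacement.
demo=$(mktemp -d)
mkdir -p "$demo/lib/systemd/system"
ln -s /lib/systemd/system/reboot.target "$demo/lib/systemd/system/ctrl-alt-del.target"
echo "stock:    $(cad_target_state "$demo")"   # active:reboot.target
rm "$demo/lib/systemd/system/ctrl-alt-del.target"
ln -s /dev/null "$demo/lib/systemd/system/ctrl-alt-del.target"
echo "hardened: $(cad_target_state "$demo")"   # masked
rm -rf "$demo"
```

On a live system, call `cad_target_state /` and treat any result other than `masked` as a finding; an entry under /etc/systemd/system that points back at reboot.target overrides the /dev/null link placed in /lib.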