On the servers you REALLY care about you can  use luks and encrypted USB
keys that have to be in the system in order for it to decrypt the root
partition on boot. But most folks don't really need to go to that extreme.
Your best to decide how valuable the data you have actually is, and how
often you want to have to come into the office at 3am on a Saturday night
just to reboot something, much less wake the other guy up to open his safe
to get the key.  :)

2011/7/29 Dag Wieers <[log in to unmask]>

> On Fri, 29 Jul 2011, Marek Andreánsky wrote:
>
>  Why is securing /etc/inittab helping? I've read that by
>> adding init=/bin/bash to grub you can get into the machine and change the
>> shadow file anyway, which gives you root. I'd say that Red Hat presumes
>> that
>> the server is in a secure location and it is therefore highly improbable
>> that anyone could just simply sit down to it and reboot it without anyone
>> ever noticing.
>>
>
> Well, one of the additional security measures when securing a Linux system
> is adding a password to your BIOS and to your bootloader. So that changing
> the kernel commandline or booting another device by someone unauthorized is
> hard or impossible.
>
> You could consider someone having physical access to your system, to be
> able to walk away with the harddisk anyway (encrypted filesystem not taken
> into account), but at least that's not something you can do without being
> noticed.
>
> So making it harder at multiple levels is required, and not a 100%
> guarantee. Adding proper datacenter security, security cameras, visible
> badges, etc... All help adding to the total security of your system's data.
>
> --
> -- dag wieers, [log in to unmask], http://dag.wieers.com/
> -- dagit linux solutions, [log in to unmask], http://dagit.net/
>
> [Any errors in spelling, tact or fact are transmission errors]