A server administrator has implemented several security measures on a new Linux server. A strong UEFI password is in place, and the boot order is locked to the internal drives only. Despite these precautions, the administrator is concerned that an attacker with physical console access could still interrupt the boot process to access a recovery shell and reset the root password. Which of the following security controls would specifically mitigate this risk?
Set up a host-based intrusion detection system (HIDS).
The correct answer is to configure a GRUB password. GRUB is the bootloader for most Linux distributions. Setting a GRUB password prevents unauthorized users from modifying boot parameters or accessing single-user/recovery modes, either of which could be used to gain root access.
Full disk encryption (FDE) is incorrect because, while it protects data at rest if the drive is stolen, it does not prevent an attacker with console access from interrupting the boot process and attempting to access the bootloader menu itself. The bootloader password protects access to these boot-time options.
A host-based intrusion detection system (HIDS) is incorrect as it operates within the loaded operating system to monitor for threats and is not active during the pre-boot or bootloader stages.
A chassis intrusion alert is incorrect because it is a physical security measure that detects when the server case has been opened. It does not prevent an attacker who already has console access from interacting with the boot process.