There should be a mode where, no matter how you boot, you need a password (whether user or root) before the machine lets you do anything (config change, hardware install, whatever).
Why? It's in a restricted zone, bolted into a rack, and all it does is control a bunch of RS232 ports.
You fail to see the bigger picture.
This machine now no longer sits in a restricted zone, it's on Dave's bench, and whatever twiddledum that released it from the government failed to sanitize it properly!
2 minutes' work and there is a new root password...
Here is personal experience: in the early 2000s some guys used a truck to ram the wall and window of a room adjacent to our computer room. They used a crowbar and/or pneumatic jack to force the door to the computer room and ran off with two very expensive Sun servers, including the attached disk array... It took less than 5 minutes. (We have video footage.)
The machines held the (partial) data for some ASICs we were working on...
We notified Sun. A few weeks later they popped up with an IP address originating somewhere in a former USSR territory...
These Sun machines 'call home'. They were dismantled. The motherboards were thrown away, the CPUs and memory unplugged and installed in other machines. For some reason these CPUs have a serial number. So did the memory boards. The inventory program 'notified home' what was installed. Lo and behold: there are our CPUs and memory boards...
They nailed the guys eventually. We got burgled, as well as 3 or 4 other businesses that had the same machines.
Turned out the delivery truck driver tipped the crooks off with lists of what he delivered where.
The high-end CPU and memory boards were not for export... couldn't get them in pisspooristan. So they broke in, stole European machines, stripped them and smuggled parts.
That's why I was amazed that it is so easy to bypass root.
This is an industrial computer that came from the government. For all I care it controlled the timecard of the janitor and the access to his broom closet.
Problem is it was government property and has not been properly sanitized (drives nuked) and that is a catastrophic failure...
Where I work, machines are really 'sanitized' before being discarded. Hard disks go in a shredder... The TPM chips on the motherboards get a 'treatment' with a 10mm drill. Any workstation that has access to the designs has lockdown on USB. You can't connect external drives, USB sticks or whatever: the computer will not access them. The optical drives are removed. You cannot bring anything onto these machines or take anything off these machines except through the network.
The only machine with a tape drive and/or disc burner sits in the computer room, and only a few people have access to that thing.