Gabe's 3 rules of security: 1. Anyone with physical access to a computer can deny availability. 2. Anyone with root can do anything. 3. Anyone with unfettered physical access can become root. caveat: immutable logs

The caveat here is important - even if someone has physical access to a log the most they can really do is sit on it, use it for carpentry, or burn it.

BTW, this all probably sounds obvious. But I used to find it helpful in risk assessments when someone would create a crazy narrative to justify the impact of a risk. Often times the narrative could be abstracted away to one of the 3 w/ the problem being narrative supplied physical or root access.