From owner-freebsd-questions@FreeBSD.ORG  Wed Mar  4 18:12:37 2015
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 3A3B2873
 for <freebsd-questions@freebsd.org>; Wed,  4 Mar 2015 18:12:37 +0000 (UTC)
Received: from bede.qeng-ho.org (bede.qeng-ho.org [217.155.128.241])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id C3F6DB87
 for <freebsd-questions@freebsd.org>; Wed,  4 Mar 2015 18:12:36 +0000 (UTC)
Received: from arthur.home.qeng-ho.org (arthur.home.qeng-ho.org [172.23.1.2])
 by bede.home.qeng-ho.org (8.14.9/8.14.7) with ESMTP id
 t24ICWMq024917; Wed, 4 Mar 2015 18:12:33 GMT
 (envelope-from freebsd@qeng-ho.org)
Message-ID: <54F74B10.7090901@qeng-ho.org>
Date: Wed, 04 Mar 2015 18:12:32 +0000
From: Arthur Chance <freebsd@qeng-ho.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: zep <zgreenfelder@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Check root password changes done via single user mode
References: <54F56A83.3000404@gmail.com>
 <CA+yaQw_3JJ2tJm32or-UmSpfMFo_jCn_JD1xFw=1E9i9K2reDg@mail.gmail.com>
 <54F57CD9.2000707@gmail.com> <54F5AF25.7000303@qeng-ho.org>
 <54F71117.7050606@gmail.com> <54F71E2F.1000705@qeng-ho.org>
 <54F73455.5080509@gmail.com> <54F7351A.4010900@gmail.com>
In-Reply-To: <54F7351A.4010900@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2015 18:12:37 -0000

On 04/03/2015 16:38, zep wrote:
>
>
> On 03/04/2015 11:35 AM, Ricardo Martín wrote:
>> At this point you might want to review the original post again.
>> It's a simple and specific request for comments about whether if its
>> feasible to somehow flag a root's password reset in SUM.
>> No more, no less.
>>

>
> perhaps you should review the responses.    the short answer is 'sort
> of, but not really the way you seem want to; also it's a bit of a fool's
> errand and whoever pointed you down this path doesn't like you very much'.
>

I'd agree with that. :-)

If someone has simply changed the root password and done nothing else 
it's trivial to detect that it's changed - the daily periodic password 
backup will do that and it's enabled by default. You might also be able 
to decide whether it happened during multi- or single- user mode based 
on the modification time of the password file.

If the person who changed it doesn't want you to find out it's changed, 
you are going to have a learning experience.

-- 
Those who do not learn from computing history are doomed to
GOTO 1