From owner-freebsd-questions@FreeBSD.ORG Tue Mar 3 12:51:25 2015 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A031834F for ; Tue, 3 Mar 2015 12:51:25 +0000 (UTC) Received: from mx02.qsc.de (mx02.qsc.de [213.148.130.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5DF6C6EA for ; Tue, 3 Mar 2015 12:51:24 +0000 (UTC) Received: from r56.edvax.de (port-92-195-131-196.dynamic.qsc.de [92.195.131.196]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx02.qsc.de (Postfix) with ESMTPS id 1D558276B3; Tue, 3 Mar 2015 13:51:15 +0100 (CET) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id t23CpF2k002297; Tue, 3 Mar 2015 13:51:15 +0100 (CET) (envelope-from freebsd@edvax.de) Date: Tue, 3 Mar 2015 13:51:15 +0100 From: Polytropon To: fluxwatcher@gmail.com Subject: Re: Check root password changes done via single user mode Message-Id: <20150303135115.adcdef7c.freebsd@edvax.de> In-Reply-To: <54F57CD9.2000707@gmail.com> References: <54F56A83.3000404@gmail.com> <54F57CD9.2000707@gmail.com> Reply-To: Polytropon Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Daniel Peyrolon , freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Mar 2015 12:51:25 -0000 On Tue, 03 Mar 2015 10:20:25 +0100, Ricardo Mart=EDn wrote: >=20 > Indeed, that would be a way of checking the password change, but I was > more interested in whether such a change could be flagged as being > carried out from single user mode. > Or in another words whether the root's passwords has been reset > accessing the machine during the boot process. It could be possible to monitor root's actions in SUM. To change the root passwort required the / partition being mounted r/w. In this case, it's possible that the (memory buffered) shell history is also written to the history file, leaving an evidence. Of course it's no big deal to _remove_ such evidence. You could try to "hide" additional means of logging in the (limited) SUM boot process, but I don't think such a mechanism is already implemented by default... The problem with SUM is that is is _by intention_ a very limited environment, and still a very powerful environment. That's why you can secure this mode with a password as well, to "seal" the _real_ power of root. :-) --=20 Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...