From: "Valeri Galtsev"
Reply-To: galtsev@kicp.uchicago.edu
To: "Polytropon"
Cc: FreeBSD Questions Mailing List
Date: Tue, 3 Mar 2015 12:30:59 -0600 (CST)
Subject: Re: Check root password changes done via single user mode
Message-ID: <55152.128.135.70.2.1425407459.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20150303190836.8260c9ba.freebsd@edvax.de>

On Tue, March 3, 2015 12:08 pm, Polytropon wrote:
> On Tue, 3 Mar 2015 06:02:13 -0800, Mehmet Erol Sanliturk wrote:
>> If anyone is in front of the console, he/she may use a boot CD/DVD/USB
>> stick to boot a copy of the operating system, and do whatever he/she
>> wants to do.
>
> Only if booting from removable media is enabled in the
> BIOS or EFI, and if it's not, a password protection would
> stop the attacker from changing the setting.
>
> It's not that anything possible couldn't be made impossible
> by a clever trick, still leaving several other possible ways
> of doing it... ;-)
>
> On the other hand: If physical access has already been
> gained, the attacker could remove the hard disk and use
> it, for example with a USB adapter, with his own equipment
> he brought. Of course it's possible to prevent that attack
> by using non-standard screws, which only works as long as
> the attacker doesn't have the right tools for those screws.
>

Indeed: the first level of security is physical access. Then removing all boot options except your system drive (can be overridden by opening the box and putting in the "clear CMOS" jumper...). The drive can be removed and mounted elsewhere (takes yet even longer). Drive encryption helps (but drive encryption == the hassle of being there and typing the decryption password during boot)... And all of them will require physical access.

However: if you have a good system integrity watch system (and every time the file with password hashes changes you maintain a way to verify that it is not the root password hash that has changed in that file), then you should be more or less confident in your system (or root password). Until you find the system has rebooted without your command to reboot. That particular event should call for a thorough forensic investigation and damage assessment; just the reboot itself, even if the time between power off and power on is really short, could still be associated with a potential leak of your sensitive stuff, like password hashes. Or that could be a very small first step, just dropping in some malicious binary which you might execute at some point later, making for them the next tiny step toward the compromise of your machine...

As was already said: the security of your box has its cost; as every person has one's cost (again, from bad movies: this cost may be the life of your relative). So, luckily for us, the value of the stuff we have on our boxes doesn't compare to the extreme "costs" one can go to to compromise them (knocking on wood when implying neither of our boxes is compromised ;-)

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
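The check Valeri describes above (when the password file changes, verify whether it is root's hash that changed, rather than just noticing that the file changed) written out as an added example; this is not code from the thread or from FreeBSD. It is a POSIX sh script that compares the hash field of every account between a saved baseline copy of /etc/master.passwd and the current file, reports which accounts were changed, added or removed, and gives a yes/no answer for root specifically, so a user's legitimate password change is not confused with a root change. The function names `diff_hashes` and `root_hash_unchanged` are my own, and the two sample files are constructed inline with placeholder hash strings rather than real digests.

```shell
#!/bin/sh
# Added example (not from the thread): compare the password-hash field of each
# account in two master.passwd-format files and flag a change to root's hash.
# Format: name:hash:uid:gid:class:change:expire:gecos:home:shell
# Function and file names below are my own choice.

# Report every account whose hash field differs between BASELINE ($1) and
# CURRENT ($2). Output: one line per difference, in the form
# "changed USER", "added USER" or "removed USER"; nothing when identical.
diff_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }                        # skip comments/blank lines
        NR == FNR { base[$1] = $2; seen[$1] = 0; next } # first file is the baseline
        {
            if (!($1 in base)) print "added " $1
            else {
                seen[$1] = 1
                if (base[$1] != $2) print "changed " $1
            }
        }
        END { for (u in base) if (!seen[u]) print "removed " u }
    ' "$1" "$2"
}

# Exit 0 when root hash is identical in both files, 1 when it changed
# (the event the post says must be explained or investigated).
root_hash_unchanged() {
    if diff_hashes "$1" "$2" | grep -qx 'changed root'; then
        return 1
    fi
    return 0
}

# Constructed sample data; the "$6$..." strings are placeholders, not real hashes.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
BASELINE="$WORKDIR/master.passwd.baseline"
CURRENT="$WORKDIR/master.passwd.current"

cat > "$BASELINE" <<'EOF'
# constructed sample baseline
root:$6$BASELINEROOTHASH:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
valeri:$6$BASELINEUSERHASH:1001:1001::0:0:Valeri:/home/valeri:/bin/sh
EOF

cat > "$CURRENT" <<'EOF'
# constructed sample of the file after three changes
root:$6$DIFFERENTROOTHASH:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
valeri:$6$NEWUSERHASH:1001:1001::0:0:Valeri:/home/valeri:/bin/sh
guest:$6$NEWGUESTHASH:1002:1002::0:0:Guest:/home/guest:/bin/sh
EOF

echo "Accounts whose hash field differs from the baseline:"
diff_hashes "$BASELINE" "$CURRENT"
if root_hash_unchanged "$BASELINE" "$CURRENT"; then
    echo "root hash unchanged"
else
    echo "ALERT: root hash changed since the baseline was taken"
fi
```

On the sample input the report lists `changed root`, `changed valeri` and `added guest`, and the root check fails. Two practical caveats: the baseline copy must live somewhere the monitored host's root cannot rewrite (the integrity-monitoring host, or read-only media), since anyone who obtained root via single-user mode could otherwise refresh the baseline along with the hash; and the "unexpected reboot" signal Valeri pairs with this check can be recorded the same way, by keeping a copy of `sysctl kern.boottime` alongside the baseline and comparing it on each run.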