Date: Wed, 04 Mar 2015 15:05:11 +0100
From: Ricardo Martín <fluxwatcher@gmail.com>
To: Arthur Chance <freebsd@qeng-ho.org>, freebsd-questions@freebsd.org
Subject: Re: Check root password changes done via single user mode
Message-ID: <54F71117.7050606@gmail.com>
In-Reply-To: <54F5AF25.7000303@qeng-ho.org>
References: <54F56A83.3000404@gmail.com> <CA%2ByaQw_3JJ2tJm32or-UmSpfMFo_jCn_JD1xFw=1E9i9K2reDg@mail.gmail.com> <54F57CD9.2000707@gmail.com> <54F5AF25.7000303@qeng-ho.org>

On 03/03/15 13:55, Arthur Chance wrote:
> On 03/03/2015 09:20, Ricardo Martín wrote:
>>
>> Indeed, that would be a way of checking the password change, but I was
>> more interested in whether such a change could be flagged as being
>> carried out from single user mode.
>> Or in other words whether the root's password has been reset
>> accessing the machine during the boot process.
>>
>> On 03/03/15 09:50, Daniel Peyrolon wrote:
>>> What I would do is store a copy of root's password hash somewhere,
>>> and compare it with the recent one.
>>> The hash can be read at master.passwd (check passwd(5)).
>>>
>>> On Tue, 3 March 2015 at 9:02, Ricardo Martín
>>> (<fluxwatcher@gmail.com>) wrote:
>>>
>>>> hi all,
>>>>
>>>> wondering which would be the best approach to script check if the root
>>>> password has been changed via single user mode.
>
> What threat model are you considering?

Basically that all other deterrent measures, including many of those
proposed in the comments, have failed and that the machine has been
compromised.
From there on, all you want is to produce as much information as
possible to audit and this was one of the basic checks I was thinking
of, beyond assessing the tampering of logs, files, etc.
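
The hash comparison suggested in the quoted reply (keep a copy of root's hash and compare it with the current one in master.passwd), sketched as an added example that is not part of the original thread. The function names and the baseline path are hypothetical, and the baseline is assumed to be kept where an intruder on the machine cannot rewrite it; the check reports that the hash changed, not how or from which boot mode.

```shell
#!/bin/sh
# Added example (not from the thread): detect a change of a user's password
# hash by comparing field 2 of a master.passwd-format file with a saved copy.
# Function names and paths are hypothetical.

# Print the hash field for user $1 from passwd file $2; fail if user is absent.
get_hash() {
    awk -F: -v u="$1" '
        $1 == u { print $2; found = 1; exit }
        END     { if (!found) exit 1 }
    ' "$2"
}

# Record the current hash of user $1 (from file $2) in baseline file $3.
# The baseline holds a password hash, so it is created owner-readable only.
save_baseline() {
    h=$(get_hash "$1" "$2") || return 2
    ( umask 077; printf '%s\n' "$h" > "$3" )
}

# Compare user $1's hash in file $2 with baseline $3.
# Returns 0 = unchanged, 1 = changed, 2 = cannot check.
check_hash() {
    [ -r "$3" ] || { echo "ERROR: no readable baseline at $3" >&2; return 2; }
    current=$(get_hash "$1" "$2") || {
        echo "ERROR: user $1 not found in $2" >&2
        return 2
    }
    if [ "$current" = "$(cat "$3")" ]; then
        echo "OK: $1 hash matches baseline"
        return 0
    fi
    echo "ALERT: $1 hash differs from baseline"
    return 1
}

# Typical use as root (baseline path is an assumption, ideally off-host
# or on read-only media):
#   save_baseline root /etc/master.passwd /path/to/baseline   # once
#   check_hash    root /etc/master.passwd /path/to/baseline   # from cron
```

A non-zero result from `check_hash` can be mailed or logged remotely by the calling job, so the record survives tampering with local logs.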