Date: Wed, 04 Mar 2015 15:05:11 +0100
From: Ricardo Martín
Reply-To: fluxwatcher@gmail.com
To: Arthur Chance, freebsd-questions@freebsd.org
Subject: Re: Check root password changes done via single user mode
Message-ID: <54F71117.7050606@gmail.com>
References: <54F56A83.3000404@gmail.com> <54F57CD9.2000707@gmail.com> <54F5AF25.7000303@qeng-ho.org>
In-Reply-To: <54F5AF25.7000303@qeng-ho.org>

On 03/03/15 13:55, Arthur Chance wrote:
> On 03/03/2015 09:20, Ricardo Martín wrote:
>>
>> Indeed, that would be a way of checking the password change, but I was
>> more interested in whether such a change could be flagged as being
>> carried out from single user mode.
>> Or in other words, whether root's password has been reset by
>> accessing the machine during the boot process.
>>
>> On 03/03/15 09:50, Daniel Peyrolon wrote:
>>> What I would do is store a copy of root's password hash somewhere,
>>> and compare it with the recent one.
>>> The hash can be read at master.passwd (check passwd(5)).
>>>
>>> On Tue, 3 March 2015 at 9:02, Ricardo Martín (<fluxwatcher@gmail.com>) wrote:
>>>>
>>>> hi all,
>>>>
>>>> wondering which would be the best approach to script a check for whether the root
>>>> password has been changed via single user mode.
>
> What threat model are you considering?
Basically that all other deterrent measures, including many of those proposed in the comments, have failed and that the machine has been compromised. From there on, all you want is to produce as much information as possible to audit, and this was one of the basic checks I was thinking of, beyond assessing the tampering of logs, files, etc.
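Daniel's suggestion of keeping a copy of root's hash and comparing it with the current one, as an added example that is not code from the thread: a POSIX sh script that records a SHA-256 digest of the hash field of root's master.passwd entry and reports when it differs (a digest rather than the hash itself, so a leaked baseline is not crackable). File names and the demo entries are assumptions; under the threat model in the reply, keep the baseline and the script off the checked machine, and note that the comparison shows the hash changed, not that single user mode was used to change it.

```shell
#!/bin/sh
# Added example (not from the thread): keep a copy of root's hash, as
# suggested by Daniel Peyrolon, and compare it with the current one in
# master.passwd (passwd(5)). File names below are assumptions; store the
# baseline off the machine being checked.

# root_hash FILE: print field 2 (the password hash) of root's entry in a
# master.passwd-format file; prints nothing if root has no entry.
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# SHA-256 of stdin: sha256(1) on FreeBSD, sha256sum elsewhere. The baseline
# holds this digest, not the hash, so a leaked baseline cannot be cracked.
digest_stdin() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q
    else sha256sum | awk '{ print $1 }'; fi
}

# check_root_password MASTER_PASSWD BASELINE
#   exit 0: unchanged  1: hash differs  2: baseline created  3: no root entry
check_root_password() {
    field=$(root_hash "$1")
    if [ -z "$field" ]; then
        echo "ALERT: no root entry in $1"; return 3
    fi
    current=$(printf '%s' "$field" | digest_stdin)
    if [ ! -f "$2" ]; then
        printf '%s\n' "$current" > "$2"
        echo "baseline written to $2"; return 2
    fi
    if [ "$current" = "$(cat "$2")" ]; then
        echo "root password hash unchanged"; return 0
    fi
    echo "ALERT: root password hash differs from baseline in $2"; return 1
}

# Dry run on a constructed master.passwd (the hashes are placeholders).
demo() {
    d=$(mktemp -d)
    printf 'root:$6$demo$hashA:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$d/master.passwd"
    check_root_password "$d/master.passwd" "$d/root.baseline"   # creates baseline
    printf 'root:$6$demo$hashB:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$d/master.passwd"
    check_root_password "$d/master.passwd" "$d/root.baseline"   # reports the change
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac    # run: sh check_root_hash.sh demo
```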