From: Ricardo Martín <fluxwatcher@gmail.com>
Date: Wed, 04 Mar 2015 17:35:33 +0100
To: Arthur Chance, freebsd-questions@freebsd.org
Subject: Re: Check root password changes done via single user mode
Message-ID: <54F73455.5080509@gmail.com>
In-Reply-To: <54F71E2F.1000705@qeng-ho.org>

On 03/04/15 16:01, Arthur Chance wrote:
> On 04/03/2015 14:05, Ricardo Martín wrote:
>> On 03/03/15 13:55, Arthur Chance wrote:
>>> On 03/03/2015 09:20, Ricardo Martín wrote:
>>>>
>>>> Indeed, that would be a way of checking the password change, but I was
>>>> more interested in whether such a change could be flagged as being
>>>> carried out from single user mode.
>>>> Or, in other words, whether the root password has been reset by
>>>> accessing the machine during the boot process.
>>>>
>>>> On 03/03/15 09:50, Daniel Peyrolon wrote:
>>>>> What I would do is store a copy of root's password hash somewhere,
>>>>> and compare it with the recent one.
>>>>> The hash can be read at master.passwd (check passwd(5)).
>>>>>
>>>>> On Tue., 3 March 2015 at 9:02, Ricardo Martín (<fluxwatcher@gmail.com>) wrote:
>>>>>
>>>>>> hi all,
>>>>>>
>>>>>> wondering which would be the best approach to script a check of whether the
>>>>>> root password has been changed via single user mode.
>>>
>>> What threat model are you considering?
>>
>> Basically that all other deterrent measures, including many of those
>> proposed in the comments, have failed and that the machine has been
>> compromised.
>>
>> From there on, all you want is to produce as much information as
>> possible to audit, and this was one of the basic checks I was thinking
>> of, beyond assessing the tampering of logs, files, etc.
>
> In other words, you don't actually have a concrete threat model;
> you're simply assuming the attacker is powerful enough to overcome any
> countermeasures you put in place, and want to know what you can do
> after the fact.
>
> Unfortunately, you still need to decide what strength of attacker you
> wish to detect. Theoretically, if they have unbounded resources you
> will never detect that an attack has taken place. In practice many
> (most?) attacks are detectable. However, you have to decide how
> powerful an attacker you're trying to defend against/detect - a state
> level attacker (i.e. a government and all that implies) or organised
> crime, or a meddling co-worker, or a nosy little sister? Unless you
> specify that, the only thing you can be sure of is that if you don't
> look for an attack you won't find one.
>

At this point you might want to review the original post again. It's a simple and specific request for comments about whether it's feasible to somehow flag a root password reset in SUM. No more, no less.
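Daniel's suggestion of keeping a copy of root's hash and comparing it later, written out as a small POSIX sh script. This is an added example, not code posted by anyone in the thread; it assumes the baseline copy is kept where the running system cannot quietly rewrite it (e.g. copied off-host) and takes the master.passwd path as a parameter so it can be exercised on a constructed copy:

```sh
#!/bin/sh
# Added example for this thread, not code from any participant: keep a copy of
# root's password hash (field 2 of master.passwd(5)) and compare it later.
# Assumptions: the baseline copy lives where the running system cannot quietly
# rewrite it (e.g. copied off-host); FILE and BASELINE paths are parameters.
# master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home:shell

# Print the password hash of the "root" entry in FILE; non-zero if no such entry.
root_hash() {
    awk -F: '$1 == "root" { print $2; found = 1; exit } END { exit !found }' "$1"
}

# Store the current root hash from FILE into BASELINE.
save_baseline() {
    root_hash "$1" > "$2"
}

# Compare the root hash in FILE against BASELINE.
# Exit status: 0 unchanged, 1 changed, 2 FILE or BASELINE unreadable/empty.
check_root_hash() {
    baseline=$(cat "$2" 2>/dev/null) || return 2
    [ -n "$baseline" ] || return 2
    current=$(root_hash "$1") || return 2
    [ "$current" = "$baseline" ]
}

# Walk-through on a constructed master.passwd copy (the real /etc/master.passwd
# is readable by root only); the hashes are placeholders, not real credentials.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'root:$6$constructed$hashBEFORE:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$tmp/master.passwd"
    save_baseline "$tmp/master.passwd" "$tmp/root.hash"
    check_root_hash "$tmp/master.passwd" "$tmp/root.hash" && echo "baseline matches"
    # Simulate a reset of root's password by rewriting the entry with a new hash.
    printf 'root:$6$constructed$hashAFTER:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$tmp/master.passwd"
    check_root_hash "$tmp/master.passwd" "$tmp/root.hash" || echo "root hash changed (status $?)"
    rm -rf "$tmp"
}

demo
```

Against the live file this has to run as root, since /etc/master.passwd is not world-readable. It tells you that the hash changed, not where the change was made, which is the part of the original question the thread leaves open.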