From owner-freebsd-questions@FreeBSD.ORG Wed Mar 4 18:12:37 2015 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3A3B2873 for ; Wed, 4 Mar 2015 18:12:37 +0000 (UTC) Received: from bede.qeng-ho.org (bede.qeng-ho.org [217.155.128.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C3F6DB87 for ; Wed, 4 Mar 2015 18:12:36 +0000 (UTC) Received: from arthur.home.qeng-ho.org (arthur.home.qeng-ho.org [172.23.1.2]) by bede.home.qeng-ho.org (8.14.9/8.14.7) with ESMTP id t24ICWMq024917; Wed, 4 Mar 2015 18:12:33 GMT (envelope-from freebsd@qeng-ho.org) Message-ID: <54F74B10.7090901@qeng-ho.org> Date: Wed, 04 Mar 2015 18:12:32 +0000 From: Arthur Chance User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: zep , freebsd-questions@freebsd.org Subject: Re: Check root password changes done via single user mode References: <54F56A83.3000404@gmail.com> <54F57CD9.2000707@gmail.com> <54F5AF25.7000303@qeng-ho.org> <54F71117.7050606@gmail.com> <54F71E2F.1000705@qeng-ho.org> <54F73455.5080509@gmail.com> <54F7351A.4010900@gmail.com> In-Reply-To: <54F7351A.4010900@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Mar 2015 18:12:37 -0000 On 04/03/2015 16:38, zep wrote: > > > On 03/04/2015 11:35 AM, Ricardo Martín wrote: >> At this point you might want to review the original post again. >> It's a simple and specific request for comments about whether if its >> feasible to somehow flag a root's password reset in SUM. >> No more, no less. >> > > perhaps you should review the responses. the short answer is 'sort > of, but not really the way you seem want to; also it's a bit of a fool's > errand and whoever pointed you down this path doesn't like you very much'. > I'd agree with that. :-) If someone has simply changed the root password and done nothing else it's trivial to detect that it's changed - the daily periodic password backup will do that and it's enabled by default. You might also be able to decide whether it happened during multi- or single- user mode based on the modification time of the password file. If the person who changed it doesn't want you to find out it's changed, you are going to have a learning experience. -- Those who do not learn from computing history are doomed to GOTO 1