Date:      Wed, 04 Mar 2015 15:01:03 +0000
From:      Arthur Chance <freebsd@qeng-ho.org>
To:        fluxwatcher@gmail.com, freebsd-questions@freebsd.org
Subject:   Re: Check root password changes done via single user mode
Message-ID:  <54F71E2F.1000705@qeng-ho.org>
In-Reply-To: <54F71117.7050606@gmail.com>
References:  <54F56A83.3000404@gmail.com> <CA+yaQw_3JJ2tJm32or-UmSpfMFo_jCn_JD1xFw=1E9i9K2reDg@mail.gmail.com> <54F57CD9.2000707@gmail.com> <54F5AF25.7000303@qeng-ho.org> <54F71117.7050606@gmail.com>

On 04/03/2015 14:05, Ricardo Martín wrote:
> On 03/03/15 13:55, Arthur Chance wrote:
>> On 03/03/2015 09:20, Ricardo Martín wrote:
>>>
>>> Indeed, that would be a way of checking the password change, but I was
>>> more interested in whether such a change could be flagged as being
>>> carried out from single user mode.
>>> Or, in other words, whether root's password has been reset by
>>> accessing the machine during the boot process.
>>>
>>> On 03/03/15 09:50, Daniel Peyrolon wrote:
>>>> What I would do is store a copy of root's password hash somewhere,
>>>> and compare it with the recent one.
>>>> The hash can be read at master.passwd (check passwd(5)).
>>>>
>>>> On Tue., 3 March 2015 at 9:02, Ricardo Martín (<
>>>> fluxwatcher@gmail.com>) wrote:
>>>>
>>>>> hi all,
>>>>>
>>>>> wondering which would be the best approach to script a check of whether
>>>>> the root password has been changed via single user mode.
>>
>> What threat model are you considering?
>
> Basically that all other deterrent measures, including many of those
> proposed in the comments, have failed and that the machine has been
> compromised.
>
> From there on, all you want is to produce as much information as
> possible to audit, and this was one of the basic checks I was thinking
> of, beyond assessing the tampering of logs, files, etc.

In other words, you don't actually have a concrete threat model; you're 
simply assuming the attacker is powerful enough to overcome any 
countermeasures you put in place, and want to know what you can do after 
the fact.

Unfortunately, you still need to decide what strength of attacker you 
wish to detect. Theoretically, if they have unbounded resources you will 
never detect that an attack has taken place. In practice many (most?) 
attacks are detectable. However, you have to decide how powerful an 
attacker you're trying to defend against/detect - a state-level attacker 
(i.e. a government and all that implies), or organised crime, or a 
meddling co-worker, or a nosy little sister? Unless you specify that, 
the only thing you can be sure of is that if you don't look for an 
attack you won't find one.

-- 
Those who do not learn from computing history are doomed to
GOTO 1
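Daniel Peyrolon's suggestion earlier in the thread (keep a copy of root's hash from master.passwd and compare it later) as an added shell example; this is not code from anyone in the thread, and the baseline file location and the sample master.passwd entries are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare root's hash in a master.passwd-style
# file against a stored baseline. Field layout assumed as in passwd(5):
# name:hash:uid:gid:class:change:expire:gecos:home:shell
# Keep the baseline off-host or on read-only media: an attacker with root can
# rewrite it along with the logs, and the check cannot tell single-user mode
# from any other way of resetting the password.

# root_hash FILE: print the hash field of the root entry.
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}
# save_baseline FILE BASELINE: record the current root hash.
save_baseline() {
    root_hash "$1" > "$2"
}
# check_root_hash FILE BASELINE
# returns 0 if unchanged, 1 if the hash differs, 2 if no baseline exists.
check_root_hash() {
    [ -f "$2" ] || return 2
    current=$(root_hash "$1")
    baseline=$(cat "$2")
    [ "$current" = "$baseline" ] || return 1
    return 0
}

# report DIR LABEL: run the check and print a one-line verdict.
report() {
    rc=0
    check_root_hash "$1/master.passwd" "$1/root.hash" || rc=$?
    case $rc in
        0) echo "$2: root hash unchanged" ;;
        1) echo "$2: root hash CHANGED since baseline" ;;
        *) echo "$2: no baseline recorded" ;;
    esac
}
# Demo on a constructed copy (real use: /etc/master.passwd, read as root).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'root:$6$constructedA:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$dir/master.passwd"
    save_baseline "$dir/master.passwd" "$dir/root.hash"
    report "$dir" before
    # Simulate a reset, however it was done (single-user mode or otherwise).
    printf 'root:$6$constructedB:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$dir/master.passwd"
    report "$dir" after
    rm -rf "$dir"
}
demo
```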