Check root password changes done via single user mode

Ricardo Martín fluxwatcher at
Wed Mar 4 14:05:16 UTC 2015

On 03/03/15 13:55, Arthur Chance wrote:
> On 03/03/2015 09:20, Ricardo Martín wrote:
>> Indeed, that would be a way of checking the password change, but I was
>> more interested in whether such a change could be flagged as being
>> carried out from single user mode.
>> Or in another words whether the root's passwords has been reset
>> accessing the machine during the boot process.
>> On 03/03/15 09:50, Daniel Peyrolon wrote:
>>> What I would do is storing a copy of root's password hash somewhere,
>>> and
>>> compare it with the recent one.
>>> The hash can be read at master.passwd (check passwd(5)).
>>> El mar., 3 de marzo de 2015 a las 9:02, Ricardo Martín (<
>>> fluxwatcher at>) escribió:
>>>> hi all,
>>>> wondering which would be the best approach to script check if the root
>>>> password has been changed via single user mode.
> What threat model are you considering?

Basically that all other deterrent measures, including many of the
proposed in the comments, have failed and that the machine has been

>From there on, all you want is to produce as much information as
possible to audit and this was one of the basic checks I was thinking
of, beyond assessing the tampering of logs, files, etc

More information about the freebsd-questions mailing list