Check root password changes done via single user mode

Ricardo Martín fluxwatcher at gmail.com
Wed Mar 4 14:05:16 UTC 2015


On 03/03/15 13:55, Arthur Chance wrote:
> On 03/03/2015 09:20, Ricardo Martín wrote:
>>
>> Indeed, that would be a way of checking the password change, but I was
>> more interested in whether such a change could be flagged as being
>> carried out from single user mode.
>> Or in other words, whether root's password has been reset by
>> accessing the machine during the boot process.
>>
>> On 03/03/15 09:50, Daniel Peyrolon wrote:
>>> What I would do is store a copy of root's password hash somewhere
>>> and compare it with the recent one.
>>> The hash can be read at master.passwd (check passwd(5)).
>>>
>>> On Tue, 3 March 2015 at 9:02, Ricardo Martín (<
>>> fluxwatcher at gmail.com>) wrote:
>>>
>>>> hi all,
>>>>
>>>> wondering which would be the best approach to script a check of whether the root
>>>> password has been changed via single user mode.
>
> What threat model are you considering?

Basically that all other deterrent measures, including many of those
proposed in the comments, have failed and that the machine has been
compromised.

From there on, all you want is to produce as much information as
possible to audit, and this was one of the basic checks I was thinking
of, beyond assessing tampering with logs, files, etc.
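A worked version of the check discussed in the thread, added here as an example and not code from any of the posters: it compares the live root hash in master.passwd(5) with a reference copy and, to answer the single user mode question, checks whether master.passwd was last modified before a marker file that an rc script of your own writes on entering multi-user mode. The marker path, the reference path and the rc script are assumptions, not FreeBSD defaults; keep the reference copy off the host, since a compromised box can rewrite both the file and its timestamps.

```shell
#!/bin/sh
# Added example: audit root's password hash against a reference copy and
# report whether the change predates the multi-user transition.
# Assumptions: STORED_HASH_FILE holds the reference hash (copy it in from
# off-box storage); MULTIUSER_MARKER is a hypothetical file that your own
# rc script touches as the last step of the multi-user boot.

PASSWD_FILE=${PASSWD_FILE:-/etc/master.passwd}
STORED_HASH_FILE=${STORED_HASH_FILE:-/var/db/root-hash.ref}    # placeholder
MULTIUSER_MARKER=${MULTIUSER_MARKER:-/var/run/multiuser.marker} # hypothetical

# Print the hash field (field 2) of the root entry in a master.passwd file.
root_hash_from() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# Succeed when the live root hash differs from the reference copy.
root_hash_changed() {        # $1 = master.passwd, $2 = reference file
    live=$(root_hash_from "$1")
    ref=$(cat "$2")
    [ "$live" != "$ref" ]
}

# Succeed when master.passwd was modified before the multi-user marker was
# written, i.e. in the window between kernel boot and multi-user mode where
# a single user shell runs. Best effort only: mtimes are not tamper-proof.
changed_before_multiuser() { # $1 = master.passwd, $2 = marker file
    [ -f "$2" ] && [ "$2" -nt "$1" ]
}

# Combine both checks into a one-word verdict on stdout.
audit_root_password() {      # $1 = master.passwd, $2 = reference, $3 = marker
    if root_hash_changed "$1" "$2"; then
        if changed_before_multiuser "$1" "$3"; then
            echo "CHANGED-SINGLE-USER"
        else
            echo "CHANGED-MULTI-USER"
        fi
    else
        echo "UNCHANGED"
    fi
}

# Run against the real files only when invoked with --run.
case "${1:-}" in
    --run) audit_root_password "$PASSWD_FILE" "$STORED_HASH_FILE" "$MULTIUSER_MARKER" ;;
esac
```

Run it from cron or a remote audit job with `--run`; a CHANGED-SINGLE-USER verdict is a lead to pair with the log and file integrity checks, not proof on its own.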


