Check root password changes done via single user mode
freebsd at qeng-ho.org
Wed Mar 4 15:01:12 UTC 2015
On 04/03/2015 14:05, Ricardo Martín wrote:
> On 03/03/15 13:55, Arthur Chance wrote:
>> On 03/03/2015 09:20, Ricardo Martín wrote:
>>> Indeed, that would be a way of checking the password change, but I was
>>> more interested in whether such a change could be flagged as being
>>> carried out from single user mode.
>>> Or in other words whether the root's password has been reset
>>> accessing the machine during the boot process.
>>> On 03/03/15 09:50, Daniel Peyrolon wrote:
>>>> What I would do is store a copy of root's password hash somewhere,
>>>> compare it with the recent one.
>>>> The hash can be read at master.passwd (check passwd(5)).
>>>> On Tue., 3 March 2015 at 9:02, Ricardo Martín (<
>>>> fluxwatcher at gmail.com>) wrote:
>>>>> hi all,
>>>>> wondering which would be the best approach to script check if the root
>>>>> password has been changed via single user mode.
>> What threat model are you considering?
> Basically that all other deterrent measures, including many of those
> proposed in the comments, have failed and that the machine has been
> From there on, all you want is to produce as much information as
> possible to audit and this was one of the basic checks I was thinking
> of, beyond assessing the tampering of logs, files, etc
In other words, you don't actually have a concrete threat model, you're
simply assuming the attacker is powerful enough to overcome any
countermeasures you put in place, and want to know what you can do after
Unfortunately, you still need to decide what strength of attacker you
wish to detect. Theoretically if they have unbounded resources you will
never detect that an attack has taken place. In practice many (most?)
attacks are detectable. However, you have to decide how powerful an
attacker you're trying to defend against/detect - a state level attacker
(i.e. a government and all that implies) or organised crime, or a
meddling co-worker, or a nosy little sister? Unless you specify that,
the only thing you can be sure of is that if you don't look for an
attack you won't find one.
Those who do not learn from computing history are doomed to
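As an added example (not code from anyone in this thread), here is a POSIX sh script implementing Daniel Peyrolon's baseline-and-compare suggestion against a master.passwd(5)-format file; the file paths, function names and the sample hashes are constructed assumptions, not real values.

```shell
#!/bin/sh
# Added example: record root's password hash from a master.passwd(5) file and
# later compare it with the current one. master.passwd fields are
# name:password:uid:gid:class:change:expire:gecos:home:shell.
# Paths are parameters so the check can be run on constructed sample files.

# Print the password hash field for root from a master.passwd-format file.
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# Record the current root hash as the baseline. Keep the baseline somewhere
# an attacker who can rewrite master.passwd cannot also rewrite (off-box or
# read-only media), otherwise the comparison proves nothing.
# Usage: save_baseline /etc/master.passwd /path/to/baseline
save_baseline() {
    root_hash "$1" > "$2"
}

# Compare the current root hash against the baseline.
# Returns 0 if unchanged, 1 if changed, 2 if no baseline exists yet.
check_root_hash() {
    [ -f "$2" ] || return 2
    current=$(root_hash "$1")
    baseline=$(cat "$2")
    if [ "$current" = "$baseline" ]; then
        return 0
    else
        return 1
    fi
}

# Demonstrate the flow on constructed sample data (fake hashes, not from any
# real system). Prints "<status before change> <status after change>".
demo() {
    tmp=$(mktemp -d) || return 3
    printf 'root:$6$constructedsalt$constructedhashAAA:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$tmp/master.passwd"
    save_baseline "$tmp/master.passwd" "$tmp/baseline"
    if check_root_hash "$tmp/master.passwd" "$tmp/baseline"; then unchanged=0; else unchanged=$?; fi
    # Simulate a password reset: the hash field changes, nothing else does.
    printf 'root:$6$constructedsalt$constructedhashBBB:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$tmp/master.passwd"
    if check_root_hash "$tmp/master.passwd" "$tmp/baseline"; then changed=0; else changed=$?; fi
    rm -rf "$tmp"
    echo "$unchanged $changed"
}
```

Run save_baseline once from a known-good state and schedule check_root_hash from periodic(8) or cron; a non-zero status is the signal to go and look at the rest of the system.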