Check root password changes done via single user mode

Ricardo Martín fluxwatcher at gmail.com
Wed Mar 4 16:35:38 UTC 2015


On 03/04/15 16:01, Arthur Chance wrote:
> On 04/03/2015 14:05, Ricardo Martín wrote:
>> On 03/03/15 13:55, Arthur Chance wrote:
>>> On 03/03/2015 09:20, Ricardo Martín wrote:
>>>>
>>>> Indeed, that would be a way of checking the password change, but I was
>>>> more interested in whether such a change could be flagged as being
>>>> carried out from single user mode.
>>>> Or in other words, whether the root password has been reset by
>>>> accessing the machine during the boot process.
>>>>
>>>> On 03/03/15 09:50, Daniel Peyrolon wrote:
>>>>> What I would do is store a copy of root's password hash somewhere, and
>>>>> compare it with the recent one.
>>>>> The hash can be read at master.passwd (check passwd(5)).
>>>>>
>>>>> On Tue, 3 March 2015 at 9:02, Ricardo Martín (<
>>>>> fluxwatcher at gmail.com>) wrote:
>>>>>
>>>>>> hi all,
>>>>>>
>>>>>> wondering which would be the best approach to script a check of whether
>>>>>> the root password has been changed via single user mode.
>>>
>>> What threat model are you considering?
>>
>> Basically that all other deterrent measures, including many of the
>> proposed in the comments, have failed and that the machine has been
>> compromised.
>>
>> From there on, all you want is to produce as much information as
>> possible to audit and this was one of the basic checks I was thinking
>> of, beyond assessing the tampering of logs, files, etc
>
> In other words, you don't actually have a concrete threat model,
> you're simply assuming the attacker is powerful enough to overcome any
> countermeasures you put in place, and want to know what you can do
> after the fact.
>
> Unfortunately, you still need to decide what strength of attacker you
> wish to detect. Theoretically if they have unbounded resources you
> will never detect that an attack has taken place. In practice many
> (most?) attacks are detectable. However, you have to decide how
> powerful an attacker you're trying to defend against/detect - a state
> level attacker (i.e. a government and all that implies) or organised
> crime, or a meddling co-worker, or a nosy little sister? Unless you
> specify that, the only thing you can be sure of is that if you don't
> look for an attack you won't find one.
>

At this point you might want to review the original post again.
It's a simple and specific request for comments about whether it is
feasible to somehow flag a root password reset in SUM.
No more, no less.
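Daniel's "store a copy of root's hash and compare it later" suggestion, written out as an added example that was not posted in the thread: POSIX sh functions that pull the password field of the root entry out of a master.passwd(5)-format file and compare it with a stored baseline. The baseline path, the demo file names and the sample entries are constructed assumptions, not data from any real system.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the master.passwd(5) layout
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# and that the baseline lives somewhere a single-user shell cannot quietly
# rewrite (removable media, a remote host, a read-only mount).

# root_hash FILE  - print the password field of the root entry; fail if absent
root_hash() {
    awk -F: '$1 == "root" { print $2; found = 1; exit } END { exit !found }' "$1"
}

# save_baseline FILE BASELINE  - record root's current hash for later comparison
save_baseline() {
    root_hash "$1" > "$2"
}

# check_root_hash FILE BASELINE  - print "unchanged" or "changed";
# return 2 when FILE has no root entry at all (itself worth flagging)
check_root_hash() {
    current=$(root_hash "$1") || return 2
    stored=$(cat "$2")
    if [ "$current" = "$stored" ]; then
        echo unchanged
    else
        echo changed
    fi
}

# Demo with constructed files: same hash -> unchanged, reset hash -> changed.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
root:$6$constructedsalt$constructedhashvalue1:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
    cat > "$dir/after" <<'EOF'
root:$6$othersalt$constructedhashvalue2:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
    save_baseline "$dir/before" "$dir/baseline"
    check_root_hash "$dir/before" "$dir/baseline"   # unchanged
    check_root_hash "$dir/after" "$dir/baseline"    # changed
    rm -rf "$dir"
}
demo
```

A differing hash only tells you the password was reset, not where; tying it to single user mode still needs the surrounding evidence (the file's modification time against the last boot, console and login records) that the original question was asking about.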



More information about the freebsd-questions mailing list