Date: Tue, 3 Mar 2015 13:51:15 +0100
From: Polytropon <freebsd@edvax.de>
To: fluxwatcher@gmail.com
Cc: Daniel Peyrolon <tuchalia@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Check root password changes done via single user mode
Message-ID: <20150303135115.adcdef7c.freebsd@edvax.de>
In-Reply-To: <54F57CD9.2000707@gmail.com>
References: <54F56A83.3000404@gmail.com> <CA%2ByaQw_3JJ2tJm32or-UmSpfMFo_jCn_JD1xFw=1E9i9K2reDg@mail.gmail.com> <54F57CD9.2000707@gmail.com>

On Tue, 03 Mar 2015 10:20:25 +0100, Ricardo Martín wrote:
>
> Indeed, that would be a way of checking the password change, but I was
> more interested in whether such a change could be flagged as being
> carried out from single user mode.
> Or in other words whether the root's password has been reset
> accessing the machine during the boot process.

It could be possible to monitor root's actions in SUM. To change
the root password requires the / partition being mounted r/w. In
this case, it's possible that the (memory buffered) shell history
is also written to the history file, leaving evidence. Of course
it's no big deal to _remove_ such evidence.

You could try to "hide" additional means of logging in the (limited)
SUM boot process, but I don't think such a mechanism is already
implemented by default...

The problem with SUM is that it is _by intention_ a very limited
environment, and still a very powerful environment. That's why
you can secure this mode with a password as well, to "seal" the
_real_ power of root. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
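
Added example, not part of Polytropon's message: a check for the password protection of single user mode that the reply mentions. It assumes the FreeBSD behaviour that init(8) asks for the root password before starting the single-user shell unless the console entry in /etc/ttys is flagged "secure"; the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumption: FreeBSD init(8) asks for the root password before starting the
# single-user shell unless the console entry in /etc/ttys carries "secure".

# Print "password-required", "no-password" or "missing" for a ttys file.
sum_console_status() {
    awk '
        { sub(/#.*/, "") }                     # strip comments
        $1 == "console" {
            found = 1; secure = 0
            for (i = 2; i <= NF; i++) {        # last flag on the line wins
                if ($i == "secure")   secure = 1
                if ($i == "insecure") secure = 0
            }
        }
        END {
            if (!found)      print "missing"
            else if (secure) print "no-password"
            else             print "password-required"
        }
    ' "$1"
}

# Constructed sample files: stock console line vs. hardened line.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ttys.default" <<'EOF'
# name  getty   type    status  comments
console none    unknown off secure
ttyv0   "/usr/libexec/getty Pc" xterm on secure
EOF
cat > "$SAMPLES/ttys.hardened" <<'EOF'
console none    unknown off insecure   # ask for root password in SUM
ttyv0   "/usr/libexec/getty Pc" xterm on secure
EOF

for f in "$SAMPLES/ttys.default" "$SAMPLES/ttys.hardened"; do
    printf '%s: %s\n' "${f##*/}" "$(sum_console_status "$f")"
done

# On a real system: sum_console_status /etc/ttys
```

The prompt only protects the single-user shell started by init; it does not detect or log a password change made by someone who boots other media or edits the loader environment.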