Check root password changes done via single user mode
Arthur Chance
freebsd at qeng-ho.org
Wed Mar 4 18:12:37 UTC 2015
On 04/03/2015 16:38, zep wrote:
>
>
> On 03/04/2015 11:35 AM, Ricardo Martín wrote:
>> At this point you might want to review the original post again.
>> It's a simple and specific request for comments about whether it's
>> feasible to somehow flag a root's password reset in SUM.
>> No more, no less.
>>
>
> perhaps you should review the responses. the short answer is 'sort
> of, but not really the way you seem to want to; also it's a bit of a fool's
> errand and whoever pointed you down this path doesn't like you very much'.
>
I'd agree with that. :-)

If someone has simply changed the root password and done nothing else
it's trivial to detect that it's changed - the daily periodic password
backup will do that and it's enabled by default. You might also be able
to decide whether it happened during multi- or single-user mode based
on the modification time of the password file.

If the person who changed it doesn't want you to find out it's changed,
you are going to have a learning experience.

--
Those who do not learn from computing history are doomed to
GOTO 1
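
The backup comparison described in the message above, as an added example that is not part of the original post or of FreeBSD's periodic scripts: it reports uid-0 accounts whose password field differs between a backup copy and the live file. The function names, the sample data and the `/var/backups/master.passwd.bak` path in the comment (the stock daily backup location, not named in the message) are assumptions of this example.

```sh
#!/bin/sh
# Added example. master.passwd(5) fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# uid0_password_changes BACKUP CURRENT
# Prints "changed NAME", "added NAME" or "removed NAME" for each uid-0
# account whose password field differs between the two files.
# Exit status: 0 = differences found, 1 = none, 2 = a file is unreadable.
uid0_password_changes() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    awk -F: '
        /^#/ || NF < 10 || $3 !~ /^0+$/ { next }   # keep uid-0 records only
        FILENAME == ARGV[1] { old[$1] = $2; next } # first file: the backup
        {
            seen[$1] = 1
            if (!($1 in old))       print "added " $1
            else if (old[$1] != $2) print "changed " $1
        }
        END { for (n in old) if (!(n in seen)) print "removed " n }
    ' "$1" "$2" | sort | grep .
}

# make_samples DIR: write constructed sample files (hashes are placeholders).
make_samples() {
    cat > "$1/master.passwd.bak" <<'EOF'
# constructed sample, previous day's backup
root:$6$CONSTRUCTED$oldhash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$6$CONSTRUCTED$alicehash:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
    # The "current" file: root and alice have new hashes, toor is unchanged.
    sed -e 's/oldhash/newhash/' -e 's/alicehash/alicenew/' \
        "$1/master.passwd.bak" > "$1/master.passwd"
}

# Demo on the constructed files. On a real system, run as root:
#   uid0_password_changes /var/backups/master.passwd.bak /etc/master.passwd
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
uid0_password_changes "$demo_dir/master.passwd.bak" "$demo_dir/master.passwd" || true
rm -rf "$demo_dir"
```

This only compares against a backup copy stored on the same machine, so it covers the "changed the password and did nothing else" case from the message and nothing beyond it.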