Check root password changes done via single user mode

Arthur Chance freebsd at qeng-ho.org
Wed Mar 4 18:12:37 UTC 2015


On 04/03/2015 16:38, zep wrote:
>
>
> On 03/04/2015 11:35 AM, Ricardo Martín wrote:
>> At this point you might want to review the original post again.
>> It's a simple and specific request for comments about whether if its
>> feasible to somehow flag a root's password reset in SUM.
>> No more, no less.
>>

>
> perhaps you should review the responses.    the short answer is 'sort
> of, but not really the way you seem want to; also it's a bit of a fool's
> errand and whoever pointed you down this path doesn't like you very much'.
>

I'd agree with that. :-)

If someone has simply changed the root password and done nothing else 
it's trivial to detect that it's changed - the daily periodic password 
backup will do that and it's enabled by default. You might also be able 
to decide whether it happened during multi- or single- user mode based 
on the modification time of the password file.

If the person who changed it doesn't want you to find out it's changed, 
you are going to have a learning experience.

-- 
Those who do not learn from computing history are doomed to
GOTO 1


More information about the freebsd-questions mailing list