HPE Community
Operating System - HP-UX
1833294 Members
2930 Online
110051 Solutions
New Discussion

is there a log for a root password change

 
SOLVED
Go to solution
Scott_20
Occasional Advisor

‎02-10-2004 02:45 AM

‎02-10-2004 02:45 AM

is there a log for a root password change

when the root password is changed, is it logged specifically anywhere? would sudo log it? please advise. I want to configure our monitoring software to flag for it
thanks,
scott
I'm ok
0 Kudos
Reply
13 REPLIES 13
Pete Randall
Outstanding Contributor

‎02-10-2004 02:50 AM

‎02-10-2004 02:50 AM

Re: is there a log for a root password change

No.


Pete

Pete
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎02-10-2004 02:56 AM

‎02-10-2004 02:56 AM

Solution

Re: is there a log for a root password change

Hi Scott,

IF the passwd change is accomplished via a sudo command, the sudo log would hold the command of course, but not the value.
But the standard passwd command does not log anywhere AFAIK.

You might consider monitoring root's .sh_history file, but that could be problematic as you'd need to insure it only flags on a passwd command for the root account *only*.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Reply
Fabio Ettore
Honored Contributor

‎02-10-2004 02:57 AM

‎02-10-2004 02:57 AM

Re: is there a log for a root password change

Hi,

interesting question but as far as I know there isn't a log file for that on HP-UX.

Best regards,
Ettore
WISH? IMPROVEMENT!
0 Kudos
Reply
doug mielke
Respected Contributor

‎02-10-2004 03:00 AM

‎02-10-2004 03:00 AM

Re: is there a log for a root password change

Monitoring date on /etc/passwd would work in our shop, but only beacuse almost all of our users log into applications, not Unix.
0 Kudos
Reply
Camel_1
Valued Contributor

‎02-10-2004 03:01 AM

‎02-10-2004 03:01 AM

Re: is there a log for a root password change

If your system has audit turned on and keep tracking the root user/passwd event perhaps you can find out when was the password changed?

Simon
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-10-2004 03:01 AM

‎02-10-2004 03:01 AM

Re: is there a log for a root password change

Well, how about "No, sir - sorry", then?


Pete

Pete
0 Kudos
Reply
MarkSyder
Honored Contributor

‎02-10-2004 07:05 PM

‎02-10-2004 07:05 PM

Re: is there a log for a root password change

Hi Scott,

I'm araid I don't know the answer to your question - I looked at this thread in case I could learn something. But your idea of the points system differs from mine, so maybe it would be a good idea to clarify who is right.

My understanding is that if someone tries to help you, you should give them points even if their answer is not what you wanted to read. This means that Pete's original answer was worthy of points. By giving him 0 points you appear to have suggested that he did not even try to help you. His second posting suggests that he took offence - I suspect that giving him 1 point will add to his offence, rather than take away from it!

Pete has helped me in the past. He is knowledgable and helpful and not the sort of person you want to offend - he may not bother to reply next time you ask a question, and you would be the loser, not Pete.

Anyone else got any opinions on whose interpretation of the points system is correct? I would particularly like the opinion of a moderator.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎02-10-2004 07:15 PM

‎02-10-2004 07:15 PM

Re: is there a log for a root password change

The answer is no for obvoius security reasons.

The passwd command is logged in the .sh_history or logfile if that is set.

If you logged the password change it could provide a hacker with something He or she couldl use to compare to the encrypted password and start taking guesses at the root password.

This is an activity that must have no record.

The /etc/passwd file does contain information on when the password expires(for most users) and when the password was last changed.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-10-2004 11:01 PM

‎02-10-2004 11:01 PM

Re: is there a log for a root password change

Scott/Mark,

Though I think the zero was a bit extreme, I have absolutely no problem with Scott assigning it.

The answer, while technically correct, offered no explanation as to how or why (I was busy and just threw out a quick response). My second response was strictly in jest and I should have put my typical, "I'm kidding" smiley face after it to indicate so but I forgot.

I've helped Scott before and been rewarded for my efforts. I appreciate Mark's point equity efforts but, from my viewpoint, they weren't really necessary.


Pete Randall (like the door knob, only spelled with an "r" instead of an "h" and the last three letters are different but sound the same . . . . . Oh, nevermind!) ;^)

Pete
0 Kudos
Reply
Cheryl Griffin
Honored Contributor

‎02-10-2004 11:11 PM

‎02-10-2004 11:11 PM

Re: is there a log for a root password change

>>Anyone else got any opinions on whose interpretation of the points system is correct? I would particularly like the opinion of a moderator.>>

Mark - How about my opinion? The point system is to mark replies that have value. Pete not only provided the correct response but did so within 5 seconds of the original post. That is value.

Cheryl

"Downtime is a Crime."
0 Kudos
Reply
Jdamian
Respected Contributor

‎02-10-2004 11:15 PM

‎02-10-2004 11:15 PM

Re: is there a log for a root password change

Steven. I don't agree.

You can change the permission of that file to prevent users to read that info.

But sometimes superuser may need to know when a user changed its password.
0 Kudos
Reply
RAC_1
Honored Contributor

‎02-10-2004 11:46 PM

‎02-10-2004 11:46 PM

Re: is there a log for a root password change

If system is in trusted mode, checking the change time of root file should give what you want.

Run a script in the background that checks for change to file /tcb/auth/files/root. And this cript logs it the location you want.
There is no substitute to HARDWORK
0 Kudos
Reply
David Hausman
Occasional Advisor

‎02-11-2004 04:54 AM

‎02-11-2004 04:54 AM

Re: is there a log for a root password change

With Trusted Syetem the passwd change date/time is available by issuing the getprpw command. You will find something like this in the command output;

spwchg=Tue Dec 23 11:38:46 2003
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.