How to view the history of the command "passwd <username>"

linux security password audit

6,075

You can't tell who issued a passwd and from where.

But my Ubuntu is configured to log password changes to /var/log/auth.log and my RHEL and CentOS log password changes to /var/log/secure, if they are made with the passwd command. You will see pam_unix(passwd:chauthtok): password changed for messages.

So unless somebody modified /etc/shadow directly (possible for an admin) you can see when a password was set.

When the current password was set is also stored in /etc/shadow

See https://linux.die.net/man/3/shadow and https://linux.die.net/man/5/shadow

The third field in the file containing the password hashes /etc/shadow is sp_lstchg - the number of days since Jan 1, 1970 when the password was last changed.

root@serverfault:~# grep root /etc/shadow
root:*:17928:0:99999:7:::
       ^^^^^

root@serverfault:~# date --date '1970-01-01 +17928days'
Fri Feb  1 00:00:00 CET 2019

6,075

Prince Tagoe

Updated on September 18, 2022

Comments

Prince Tagoe over 1 year

I'am looking for a way to audit the history of password change for the user root (the passwd command) for a local network server.

How i can view the date and/or the time of execution this command and by IP address?