does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?
"chage -l user" shows only the day when the password was changed.
kind regards,
42 Answers
Should be an entry in a log saying when passwd was run & by whom, similar to:
Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changedThe log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):
grep -R -i passwd /var/log/*Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat
But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.
More info:
- Are root password changes logged?
- How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...
- Details about sudo commands executed by all user
- Where are sudo incidents logged? - Best: "It's logged remotely: "
Recent password changes can be seen via -S
# passwd USERNAME -S
USERNAME PS 2020-11-27 0 99999 7 -1 (SHA512.) 1