How to check which user has changed their own or another user's password?

How can I capture (if there is a log file somewhere) when a user changes their password or another user’s password?

I see this log but I can’t determine who changed the password for user XXXX

Mar 31 12:41:52 UBGGH passwd: pam_unix(passwd:chauthtok): password changed for XXXX

I use CentOS version 7

Asked By: abd kah


Either the user XXXX changed this password or root did.

If you have sudo enabled to allow other users to get root privileges, it’s possible one of them could have used it to run passwd as root. Typically a log message will be written when sudo is used, but of course if a user has root privileges they could conceivably remove or otherwise tamper with the log record.

Moving forwards, you can use lastcomm or the far more detailed audit subsystem to track what commands are run by which user. For example,

lastcomm passwd
passwd                 root     __         0.01 secs Thu Jun  9 07:25
Answered By: roaima
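
An added example (not part of the original answer) of the correlation it describes: pair each pam_unix "password changed for" record with a sudo record that ran passwd for the same account shortly before. The log lines are constructed samples, the sudo line layout is the standard sudo syslog format, and the function name and 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the /var/log/secure style (not from a real host).
SAMPLE_LOG = """\
Mar 31 12:30:02 UBGGH sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Mar 31 12:41:47 UBGGH sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/passwd XXXX
Mar 31 12:41:52 UBGGH passwd: pam_unix(passwd:chauthtok): password changed for XXXX
Mar 31 13:05:10 UBGGH passwd: pam_unix(passwd:chauthtok): password changed for bob
"""

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
SUDO_RE = re.compile(STAMP + r"sudo(?:\[\d+\])?:\s+(?P<who>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
CHANGE_RE = re.compile(STAMP + r"passwd(?:\[\d+\])?: pam_unix\(passwd:chauthtok\): password changed for (?P<target>\S+)")

def parse_ts(text, year=2000):
    # Classic syslog stamps carry no year; a fixed leap year keeps "Feb 29" parseable.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def attribute_changes(log_text, window=timedelta(minutes=5)):
    """Return (target, candidate_actor, basis) for each password-change record."""
    sudo_passwd = []  # (timestamp, invoking user, account passwd was run for)
    results = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            argv = m["cmd"].split()
            if argv and argv[0].endswith("/passwd"):
                # With no account argument, passwd acts on the run-as user.
                target = next((a for a in argv[1:] if not a.startswith("-")), m["runas"])
                sudo_passwd.append((parse_ts(m["ts"]), m["who"], target))
            continue
        m = CHANGE_RE.match(line)
        if not m:
            continue
        when, target = parse_ts(m["ts"]), m["target"]
        # Most recent matching sudo record that precedes the change within the window.
        actor = next((who for ts, who, tgt in reversed(sudo_passwd)
                      if tgt == target and timedelta(0) <= when - ts <= window), None)
        basis = ("sudo passwd record within window" if actor
                 else "no sudo record: the user themselves or a root shell")
        results.append((target, actor, basis))
    return results

if __name__ == "__main__":
    for row in attribute_changes(SAMPLE_LOG):
        print(row)
```

A match is only a candidate: a change made from a root shell leaves no per-command sudo record, and the log itself can be altered by anyone with root, which is why the audit subsystem mentioned above is the stronger source.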
