finding exact date/time when a user changed his password last time












2















does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,






linux







share|improve this question























  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30


















2















does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,






linux







share|improve this question























  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30
















2












2








2








does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,






linux







share|improve this question














does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,






linux




linux






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Oct 4 '17 at 9:16









ChrisChris

4517




4517













  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30





















  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30



















Which linux? Often there's a sudo/auth log, anything in there?

– Xen2050
Oct 4 '17 at 10:28





Which linux? Often there's a sudo/auth log, anything in there?

– Xen2050
Oct 4 '17 at 10:28













Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

– Chris
Oct 4 '17 at 12:30





Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

– Chris
Oct 4 '17 at 12:30













The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

– Xen2050
Oct 4 '17 at 12:43





The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

– Xen2050
Oct 4 '17 at 12:43













All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

– Chris
Oct 5 '17 at 14:30







All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

– Chris
Oct 5 '17 at 14:30












1 Answer
1






active

oldest

votes


















0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1256028%2ffinding-exact-date-time-when-a-user-changed-his-password-last-time%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43
















0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43














0












0








0







Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer













Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"







share|improve this answer












share|improve this answer



share|improve this answer










answered Oct 4 '17 at 13:18









Xen2050Xen2050

10.5k31536




10.5k31536













  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43



















  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43

















does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

– Chris
Oct 5 '17 at 14:25







does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

– Chris
Oct 5 '17 at 14:25















Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

– Luciano Andress Martini
Jun 14 '18 at 19:43





Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

– Luciano Andress Martini
Jun 14 '18 at 19:43


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1256028%2ffinding-exact-date-time-when-a-user-changed-his-password-last-time%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Список кардиналов, возведённых папой римским Каликстом III

Image
Папа Каликст III Кардиналы, возведённые Папой римским Каликстом III  — 9 прелатов и мирян были возведены в сан кардинала на двух Консисториях за трёхлетний понтификат Каликста III. Самой крупной консисторией были Консистория от 17 декабря 1456 года, на которой было возведено шесть кардиналов. Папа Каллист III хотел назвать отца Жан Сорета, O.Carm., епископом или кардиналом, но он отказался, потому что хотел посвятить себя своему ордену и продвижению религиозного рвения и соблюдения устава монашеского ордена. Консистория от 17 сентября 1456 года | Луис Хуан дель Мила, племянник Его Святейшества, епископ Сегорбе (королевство Арагон); Жайме Португальский, администратор архиепархии Лиссабона (королевство Португалия); Родриго де Борха-и-Борха, племянник Его Святейшества, ризничий Валенсии (Папская область). Консистория от 17 декабря 1456 года | Ринальдо Пишичелло, архиепископ Неаполя (Неаполитанское королевство); Хуан де Мелья, епископ Саморы (королевство Ка
Read more

Deduzione

Image
.mw-parser-output .nota-disambigua{clear:both;margin-bottom:.5em;border:1px solid #CCC;padding-left:4px}.mw-parser-output .nota-disambigua i{vertical-align:middle} Disambiguazione – Se stai cercando il teorema, vedi Teorema di deduzione . Disambiguazione – Se stai cercando il concetto di deduzione in economia, vedi deduzione fiscale . Il ragionamento deduttivo umano assimilato a un meccanismo Il metodo deduttivo o deduzione è il procedimento razionale che fa derivare una certa conclusione da premesse più generiche, dentro cui quella conclusione è implicita. Il termine significa letteralmente «condurre da», perché proviene dal latino "de" (traducibile con da , preposizione indicante provenienza, o moto di discesa dall'alto verso il basso) e "ducere" ( condurre ). Questo metodo parte da postulati e princìpi primi e, attraverso una serie di rigorose concatenazioni logiche, procede verso determinazioni più particolari attinenti alla realtà tangi
Read more

Mysql.sock missing - “Can't connect to local MySQL server through socket”

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 Operating System - OSX 10.11.2 MAMP version - 3.5 I'm following along with this guide, setting up wordpress with Xammp on PC and MAMP on Mac, where I'm in step "Mac - 4" is asked to input: "In the Terminal run: /Applications/MAMP/Library/bin/mysqladmin -u root -p password {Your Windows MySQL password here}" However, this (with out bracket text) results in error message: error: 'Can't connect to local MySQL server through socket '/Applications/MAMP/tmp/mysql/mysql.sock' (2)' Check that mysqld is running and that the socket: '/Applications/MAMP/tmp/mysql/mysql.sock'
Read more