finding exact date/time when a user changed his password last time












2















does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,






linux







share|improve this question























  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30


















2















does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,






linux







share|improve this question























  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30
















2












2








2








does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,






linux







share|improve this question














does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,






linux




linux






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Oct 4 '17 at 9:16









ChrisChris

4517




4517













  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30





















  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30



















Which linux? Often there's a sudo/auth log, anything in there?

– Xen2050
Oct 4 '17 at 10:28





Which linux? Often there's a sudo/auth log, anything in there?

– Xen2050
Oct 4 '17 at 10:28













Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

– Chris
Oct 4 '17 at 12:30





Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

– Chris
Oct 4 '17 at 12:30













The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

– Xen2050
Oct 4 '17 at 12:43





The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

– Xen2050
Oct 4 '17 at 12:43













All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

– Chris
Oct 5 '17 at 14:30







All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

– Chris
Oct 5 '17 at 14:30












1 Answer
1






active

oldest

votes


















0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1256028%2ffinding-exact-date-time-when-a-user-changed-his-password-last-time%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43
















0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43














0












0








0







Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer













Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root

Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"







share|improve this answer












share|improve this answer



share|improve this answer










answered Oct 4 '17 at 13:18









Xen2050Xen2050

10.5k31536




10.5k31536













  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43



















  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43

















does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

– Chris
Oct 5 '17 at 14:25







does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

– Chris
Oct 5 '17 at 14:25















Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

– Luciano Andress Martini
Jun 14 '18 at 19:43





Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

– Luciano Andress Martini
Jun 14 '18 at 19:43


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1256028%2ffinding-exact-date-time-when-a-user-changed-his-password-last-time%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Сан-Квентин

Image
Сан-Квентин Местоположение Сан-Квентин, Калифорния Координаты 37°56′13″ с. ш. 122°29′20″ з. д. H G Я O L Текущий статус Действует Режим безопасности минимальный и максимальный Количество мест 3 302 Открытие Июнь 1852 Находится в ведомстве California Department of Corrections and Rehabilitation Начальник Mike Martel, начальник  Сан-Квентин на Викискладе Сан-Квентин (англ.  San Quentin ) — тюрьма, располагающаяся на 432 акрах (около 1,7 км²), на мысе Сан-Квентин, в округе Марин, штат Калифорния, США. Тюрьма штата Калифорния Сан-Квентин была открыта в июле 1852 года и является старейшей в штате. Она была построена заключёнными, которые проживали в течение строительства на тюремном судне Вабан. В Сан-Квентине отбывали наказание и мужчины, и женщины до 1934 года, когда построили женскую тюрьму в Техачапи и туда перевели всех заключённых женщин. В Сан-Квентине приводятся в исполнение смертные казни, для этого имеется газовая камера, но
Read more

Алькесар

Image
Муниципалитет Алькесар Alquézar Герб 42°10′16″ с. ш. 0°01′27″ в. д. H G Я O L Страна Испания   Испания Автономное сообщество Арагон Провинция Уэска Комарка Сомонтано-де-Барбастро Алькальд Хосе Марияно Альтемир Ласкорс (ИСРП) История и география Площадь 32,36 км² Высота НУМ 660 м Часовой пояс UTC+1, летом UTC+2 Население Население 313 человек ( 2010 ) Плотность 9,92 чел./км² Этнохороним alquezarano/-a Цифровые идентификаторы Телефонный код +34 974 Почтовые индексы 22112 Автомобильный код HU alquezar.org   (исп.) Показать/скрыть карты Алькесар Алькесар Алькесар  Аудио, фото и видео на Викискладе Алькесар (исп.  Alquézar ) — муниципалитет в Испании, входит в провинцию Уэска, в составе автономного сообщества Арагон. Муниципалитет находится в составе района (комарки) Сомонтано-де-Барбастро. Занимает площадь 32,36 км². Население — 321 челове
Read more

Josef Freinademetz

Image
San Ujöp (Giuseppe/Josef) Freinademetz Josef Freinademetz in abiti cinesi   Religioso e missionario   Nascita 15 aprile 1852 Morte 28 gennaio 1908 Venerato da Chiesa cattolica Beatificazione 1975 Canonizzazione 5 ottobre 2003 Ricorrenza 28 gennaio Manuale Ujöp Freinademetz noto anche come Giuseppe o Josef Freinademetz (Oies, 15 aprile 1852 – Taikia, 28 gennaio 1908) è stato un presbitero austriaco, membro della Società del Verbo Divino, fu missionario in Cina; è venerato come santo dalla Chiesa cattolica. .mw-parser-output .citazione-table{margin-bottom:.5em;font-size:95%}.mw-parser-output .citazione-table td{padding:0 1.2em 0 2.4em}.mw-parser-output .citazione-lang{vertical-align:top}.mw-parser-output .citazione-lang td{width:50%}.mw-parser-output .citazione-lang td:first-child{padding:0 0 0 2.4em}.mw-parser-output .citazione-lang td:nth-child(2){padding:0 1.2em} «Io amo la Cina e i cinesi; voglio morire in mezzo a loro, e tra loro
Read more