finding exact date/time when a user changed his password last time












2















does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,










share|improve this question























  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30


















2















does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,










share|improve this question























  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30
















2












2








2








does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,










share|improve this question














does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?



"chage -l user" shows only the day when the password was changed.



kind regards,







linux






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Oct 4 '17 at 9:16









ChrisChris

4517




4517













  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30





















  • Which linux? Often there's a sudo/auth log, anything in there?

    – Xen2050
    Oct 4 '17 at 10:28











  • Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

    – Chris
    Oct 4 '17 at 12:30











  • The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

    – Xen2050
    Oct 4 '17 at 12:43











  • All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

    – Chris
    Oct 5 '17 at 14:30



















Which linux? Often there's a sudo/auth log, anything in there?

– Xen2050
Oct 4 '17 at 10:28





Which linux? Often there's a sudo/auth log, anything in there?

– Xen2050
Oct 4 '17 at 10:28













Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

– Chris
Oct 4 '17 at 12:30





Debian 8.x, Redhat 7.x, but I would not like to rely on logs which change very often, and also grabbed by remote loganalyzer tools for safety...

– Chris
Oct 4 '17 at 12:30













The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

– Xen2050
Oct 4 '17 at 12:43





The right log file should have a line saying when user X ran passwd (or similar), I'm sure there's a way to log all sudo commands - Ubuntu usually does it by default, any Debian-based should be able to, Redhat must be similar, apparently "an I/O logging plugin" is required, but I don't know exactly how to set that up, so just commenting. Other lines & changes to the logfile wouldn't matter

– Xen2050
Oct 4 '17 at 12:43













All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

– Chris
Oct 5 '17 at 14:30







All what I wanted to achieve is to be able compare password change date of a user on two different systems, to ensure which one is the newest one. Because chage -l shows only day, I don't know hour/minute/seconds when the password was changes on each system that day (if the day of the change was the same but at different time). For example, on AIX it is possible to see exact time of the password change in EPOCH time format.

– Chris
Oct 5 '17 at 14:30












1 Answer
1






active

oldest

votes


















0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1256028%2ffinding-exact-date-time-when-a-user-changed-his-password-last-time%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43
















0














Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer
























  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43














0












0








0







Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"






share|improve this answer













Should be an entry in a log saying when passwd was run & by whom, similar to:



Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed


The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):



grep -R -i passwd /var/log/*


Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat



But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.



More info:




  • Are root password changes logged?


  • How to log commands within a “sudo su -”? - Add log_input/output to sudoers, auditctl, snoopylogger, ...

  • Details about sudo commands executed by all user


  • Where are sudo incidents logged? - Best: "It's logged remotely: xkcd.com/838"







share|improve this answer












share|improve this answer



share|improve this answer










answered Oct 4 '17 at 13:18









Xen2050Xen2050

10.5k31536




10.5k31536













  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43



















  • does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

    – Chris
    Oct 5 '17 at 14:25













  • Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

    – Luciano Andress Martini
    Jun 14 '18 at 19:43

















does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

– Chris
Oct 5 '17 at 14:25







does anyone the date returned by chage comes from? # chage -l auser|head -1 Last password change : Nov 04, 2016 or this is fake date meaning nothing? I noticed even for a new user created with no password (disabled account) it shows this date of "last password change"...

– Chris
Oct 5 '17 at 14:25















Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

– Luciano Andress Martini
Jun 14 '18 at 19:43





Unix was different from Windows when doing things. The user has disabled and does not have password, so the null password was considered as a password when the user was created...... even if you cant login with this user.

– Luciano Andress Martini
Jun 14 '18 at 19:43


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1256028%2ffinding-exact-date-time-when-a-user-changed-his-password-last-time%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Сан-Квентин

8-я гвардейская общевойсковая армия

Алькесар