Bug 56288 - pam_unix fails to log password changes
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.2
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Aaron Brown
Keywords: Security
Reported: 2001-11-14 20:32 EST by R P Herrold
Modified: 2007-04-18 12:38 EDT
Doc Type: Bug Fix
Last Closed: 2002-12-18 11:11:58 EST
Description R P Herrold 2001-11-14 20:32:45 EST
Credible auditing and sysadmin include being able to back-track changes
on accounts.  Formerly RH provided a logged event when a password change
occurred; this may be used to determine the pattern of unauthorized use
of a host...

From a transcript on this topic:

> > > A colleague of mine noticed that as of RHL71 or RHL72, password change
> > > events are no longer syslogged at all.  Is this intentional?
> >
> > I don't think so.  Is your colleague changing passwords using usermod
> > or passwd?  If it's being done with passwd, which PAM modules are being
> > used on the system?  Some of the messages might have been changed to
> > debug messages, as I do see more data in my debug log than in either
> > securelog or messages....
> 

===========================================

> > I can't find code in pam_unix or passwd itself which logs successful
> > non-NIS password changes, and I don't think there was any before (though
> > pam_pwdb does log successful password changes).  Do the old log messages
> > resemble "password for (username/uuid) changed by (username/uid)"?
> 
> Yes; at least in RHL62, the following is logged:
> 
> Nov 15 01:03:06 <elided> PAM_pwdb[2451]: password for (psa/158) changed by (psa/158)
> 
> This is not done in RHL72 at least.
Comment 1 Alan Cox 2002-12-18 11:11:58 EST
Current RH is certainly providing this

"password changed for alan" is logged as expected

Users' own password changes are not logged

Closing as NOTABUG. Feel free to disagree if you think there should be a
facility to log own password changes
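
Added example (not part of the bug report and not code from PAM): a small audit parser that recognises both message formats quoted above, the pam_pwdb form with target and actor and the "password changed for" form from Comment 1, and marks whether a change was made by the account owner. The syslog framing, host names, PIDs and the `passwd(pam_unix)` tag in the sample lines are assumptions.

```python
import re

# Syslog framing "Mon DD HH:MM:SS host tag[pid]: message" (assumed layout).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                     r"(?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Message body quoted in the description (pam_pwdb, RHL 6.2).
PWDB_RE = re.compile(r"password for \((?P<target>[^/()]+)/(?P<tuid>\d+)\) "
                     r"changed by \((?P<actor>[^/()]+)/(?P<auid>\d+)\)")
# Message body quoted in Comment 1; it names no actor.
UNIX_RE = re.compile(r"^password changed for (?P<target>\S+)\s*$")

def parse_password_change(line):
    """Return a dict for a password-change line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "tag": m["tag"]}
    p = PWDB_RE.search(m["msg"])
    if p:
        event.update(target=p["target"], actor=p["actor"],
                     self_change=p["tuid"] == p["auid"])
        return event
    u = UNIX_RE.match(m["msg"])
    if u:
        # No actor in this format, so self vs. other cannot be decided.
        event.update(target=u["target"], actor=None, self_change=None)
        return event
    return None

def audit(lines):
    """Collect all password-change events found in an iterable of log lines."""
    return [e for e in map(parse_password_change, lines) if e]

# Constructed sample lines; hosts, PIDs and the passwd(pam_unix) tag are assumed.
SAMPLE = [
    "Nov 15 01:03:06 host1 PAM_pwdb[2451]: password for (psa/158) changed by (psa/158)",
    "Nov 15 01:07:41 host1 PAM_pwdb[2460]: password for (psa/158) changed by (root/0)",
    "Dec 18 11:02:10 host2 passwd(pam_unix)[913]: password changed for alan",
    "Dec 18 11:03:00 host2 sshd[920]: Accepted password for alan from 192.0.2.10 port 4022 ssh2",
]

if __name__ == "__main__":
    for e in audit(SAMPLE):
        who = e["actor"] or "unknown actor"
        print(f'{e["ts"]} {e["host"]}: {e["target"]} changed by {who} '
              f'(self_change={e["self_change"]})')
```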
