Red Hat Bugzilla – Bug 56288
pam_unix fails to log password changes
Last modified: 2007-04-18 12:38:17 EDT
Credible auditing and sysadmin include being able to back-track changes
on accounts. Formerly RH provided a logged event when a password change
occurred; this may be used to determine the pattern of unauthorized use
of a host...
From a transcript on this topic:
> > > A colleague of mine noticed that as of RHL71 or RHL72, password
> > > events are no longer syslogged at all. Is this intentional?
> > I don't think so. Is your colleague changing passwords using usermod
> > or passwd? If it's being done with passwd, which PAM modules are
> > used on the system? Some of the messages might have been changed to
> > debug messages, as I do see more data in my debug log than in either
> > securelog or messages....
> > I can't find code in pam_unix or passwd itself which logs successful
> > non-NIS password changes, and I don't think there was any before
> > (pam_pwdb does log successful password changes). Do the old logs
> > resemble "password for (username/uuid) changed by (username/uid)"?
> Yes; at least in RHL62, the following is logged:
> Nov 15 01:03:06 <elided> PAM_pwdb: password for (psa/158) changed by (psa/158)
> This is not done in RHL72 at least.
Current RH is certainly providing this
"password changed for alan" is logged as expected
Users' own password changes are not logged
Closing as NOTABUG. Feel free to disagree if you think there should be a
facility to log own password changes
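As an added example that is not part of this bug report or of pam_unix/pam_pwdb: a small audit parser that recognizes both log formats discussed above (the RHL62 PAM_pwdb line with the "changed by" actor, and the later "password changed for <user>" line that carries no actor) and sorts them into self-changes, changes made by another account, and actor-unknown. The sample syslog lines, the hostname and the "pam_unix(passwd:chauthtok):" prefix are constructed assumptions.

```python
import re
from typing import Optional

# Format quoted in the bug: "PAM_pwdb: password for (psa/158) changed by (psa/158)"
PWDB_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) PAM_pwdb: "
    r"password for \((?P<user>[^/]+)/\d+\) changed by \((?P<by>[^/]+)/\d+\)$"
)
# Later format mentioned in the bug ("password changed for alan"); the module
# prefix before it is optional here because the bug does not quote the full line.
UNIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?:\S+: )?"
    r"password changed for (?P<user>\S+)$"
)

def parse_password_change(line: str) -> Optional[dict]:
    """Return an audit record for a PAM password-change syslog line, else None."""
    m = PWDB_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "host": d["host"], "user": d["user"],
                "changed_by": d["by"], "self_change": d["user"] == d["by"]}
    m = UNIX_RE.match(line)
    if m:
        d = m.groupdict()
        # This format records no actor, so self vs. admin change cannot be told apart.
        return {"ts": d["ts"], "host": d["host"], "user": d["user"],
                "changed_by": None, "self_change": None}
    return None

def audit(lines):
    """Group password-change events by whether the actor was the user, someone else, or unknown."""
    report = {"self": [], "by_other": [], "actor_unknown": []}
    for line in lines:
        rec = parse_password_change(line)
        if rec is None:
            continue  # unrelated syslog line
        key = {True: "self", False: "by_other", None: "actor_unknown"}[rec["self_change"]]
        report[key].append(rec)
    return report

# Constructed sample lines (hostname, timestamps and the sshd line are made up)
SAMPLE_LOG = [
    "Nov 15 01:03:06 host1 PAM_pwdb: password for (psa/158) changed by (psa/158)",
    "Nov 15 01:05:12 host1 PAM_pwdb: password for (psa/158) changed by (root/0)",
    "Nov 15 01:07:40 host1 pam_unix(passwd:chauthtok): password changed for alan",
    "Nov 15 01:08:00 host1 sshd[123]: Accepted password for alan from 10.0.0.5",
]

if __name__ == "__main__":
    for kind, recs in audit(SAMPLE_LOG).items():
        print(kind, [(r["user"], r["changed_by"]) for r in recs])
```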