I've noticed that the messages I'm searching for in splunk to show root
password changes no longer seem to be in the same format. Most of our systems
run RHEL7 release 7.9, and I believe this is a recent change (I've only
noticed this problem in the past 3 months or so?), but we do have an older 7.5
system, so I was able to use that to compare against the 7.5 to identify
what's changed. I wanted to confirm which record I should be using now since
there are several that get generated now
The key differences seem to be in the message generated and the keyname being
used for the account being targeted, but I wanted to confirm that there isn't
some other record I should be looking at to verify that the root password was
changed in the required timeframe since I see several records being generated
from a password change, none of which include anything as conclusive as the old
message that showed the operation as a "password change". Here are some fo
the fields I'm looking at:
type=USER_CHAUTHOK
exe=/usr/bin/passwd
[acct targeted for the passwd change]:
id=root (old format)
acct=root (latest format)
msg
msg='op=change password (old format)
msg='op=PAM:chauthok (latest format)
If you can confirm whether this is the info I should be using now to confirm
password changes, that would be much appreciated.
Thanks so much,
Karen Wieprecht
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
