While running some linux w/o the logins-program something like the superseeding might
do the trick, just reading the 3:rd field in /etc/shadow and calculating it off from a
simple 'date +%s', seconds since 1/1 1970.
/Chr.
#!/bin/bash
IFS=''
PATH='/bin:/sbin:/usr/sbin:/usr/bin'
OLDU=`umask`
umask 077
if [ "$1" == "" ];
then echo Need Username as arg. 1;
exit 1
fi
USER=$1
TMP1=/tmp/.4322dateX
TMP2=/tmp/.4322dateX2
TMP3=/tmp/.4322dateX3
echo `date +%s`/60/60/24|bc > $TMP1
grep $USER /etc/shadow|awk -F : '{print $3}' > $TMP2
echo `cat $TMP1`-`cat $TMP2`|bc > $TMP3
echo Days since last password change for user "$USER": `cat $TMP3`
rm -f $TMP1 $TMP2 $TMP3
umask `echo $OLDU`
exit 0
-----Original Message-----
From: leon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 19:29
To: 'NP, Ram (CORP, GEITC)'; [EMAIL PROTECTED]
Subject: RE: How to know when was root passwd changed
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you are using LDAP you will be able to trace it. If you are
logging to syslog the entry will be in there.
Cheers,
Leon
- -----Original Message-----
From: NP, Ram (CORP, GEITC) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 5:24 AM
To: [EMAIL PROTECTED]
Subject: How to know when was root passwd changed
Hello there,
We have an environment where the root password on a solaris box would
be
there with more than one person and there sure are situations where
the root
password is changed without prior notice. Now could some one tell me
if
there is a way to find out when(time) was the Root passwd changed. I
understand one way would be using Tripwire. since we didnt have
tripwire
earlier on the machine is there a way to recover the time.
thank you
ram
"THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR
THE
ADDRESSEE and may contain confidential and privileged information.
If the reader of this message is not the intended recipient,
you are notified that any dissemination, distribution or copy of this
communication is strictly Prohibited.
If you have received this message by error, please notify us
immediately, return the original mail to the sender and delete the
message from your system."
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBPJDr49qAgf0xoaEuEQIZIwCgxvr1NUt6I/LQ3jheIDSUsVKvF2AAnRF9
2a6qAjxmIANAlAII0eXOMyvM
=QatH
-----END PGP SIGNATURE-----
