I want to find the recent username whose password has been changed. Is there any way to get the username?

Thanks Uma

CodePudding user response：

One can easily check the user account password expiry information on Linux. The /etc/shadow files stores actual password in encrypted format for user’s account. You need to use the chage command. It can display password expiry information as well as changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.

CodePudding user response：

You can use auditd to find the recent username or password has been changed. With the following command, you can tell auditd, to generate a log with a specific keyword if a user is created (file /etc/passwd is changed).

auditctl -w /etc/passwd -p war -k passwd_changes

This line tells to auditd when a write occurs on the /etc/passwd, save a log with passwd_changes keyword.

For check auditd log, you have to ways. first one is check the auditd log file that locate in /var/log/audit/audit.log. search passwd_changes in it.

second way is use ausearch command to get report from auditd.

ausearch -i -k passwd_changes