On Thursday, July 8, 2021 2:19:54 PM EDT Wieprecht, Karen M. wrote:
I've noticed that the messages I'm searching for in splunk
to show root
password changes no longer seem to be in the same format. Most of our
systems run RHEL7 release 7.9, and I believe this is a recent change
(I've only noticed this problem in the past 3 months or so?), but we do
have an older 7.5 system, so I was able to use that to compare against
the 7.5 to identify what's changed. I wanted to confirm which record I
should be using now since there are several that get generated now
The key differences seem to be in the message generated and the keyname
being used for the account being targeted, but I wanted to confirm that
there isn't some other record I should be looking at to verify that the
root password was changed in the required timeframe since I see several
records being generated from a password change, none of which include
anything as conclusive as the old message that showed the operation as a
"password change". Here are some fo the fields I'm looking at:
type=USER_CHAUTHOK
exe=/usr/bin/passwd
[acct targeted for the passwd change]:
id=root (old format)
acct=root (latest format)
msg
msg='op=change password (old format)
msg='op=PAM:chauthok (latest format)
If you can confirm whether this is the info I should be using now to
confirm password changes, that would be much appreciated.
I don't have a RHEL 7.9 machine to compare against. I can set one up in about
a week. On 7.6 the event looks like this:
type=USER_CHAUTHTOK msg=audit(1625771196.574:162): pid=5113 uid=0 auid=1000
ses=1 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=change
password id=1000 exe="/usr/bin/passwd" hostname=rhel7.3 addr=? terminal=pts/0
res=success'
The problem is that "op= change passwd" has a space in it and will not parse
right. I have been trying to correct instances of this so that things parse
correctly. Not everyone runs their changes by me for comment. So, its
possible that the change was made to fix the space, but usually I suggest
people add an underscore.
I'll into it more next week.
-Steve