Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?

This is an interesting topic. Please, can you tell me what audit rule you are using that generates such records about root's (*or any other account's) password change?*

Sincerely, thank you. -------------------------- Warron French On Thu, Jul 8, 2021 at 3:27 PM Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > On Thursday, July 8, 2021 2:19:54 PM EDT Wieprecht, Karen M. wrote: > > I've noticed that the messages I'm searching for in splunk to show root > > password changes no longer seem to be in the same format. Most of our > > systems run RHEL7 release 7.9, and I believe this is a recent change > > (I've only noticed this problem in the past 3 months or so?), but we do > > have an older 7.5 system, so I was able to use that to compare against > > the 7.5 to identify what's changed. I wanted to confirm which record > I > > should be using now since there are several that get generated now > > > > The key differences seem to be in the message generated and the keyname > > being used for the account being targeted, but I wanted to confirm that > > there isn't some other record I should be looking at to verify that the > > root password was changed in the required timeframe since I see several > > records being generated from a password change, none of which include > > anything as conclusive as the old message that showed the operation as a > > "password change". Here are some fo the fields I'm looking at: > > > > type=USER_CHAUTHOK > > exe=/usr/bin/passwd > > [acct targeted for the passwd change]: > > id=root (old format) > > acct=root (latest format) > > msg > > msg='op=change password (old format) > > msg='op=PAM:chauthok (latest format) > > > > If you can confirm whether this is the info I should be using now to > > confirm password changes, that would be much appreciated. > > I don't have a RHEL 7.9 machine to compare against. I can set one up in > about > a week. On 7.6 the event looks like this: > > type=USER_CHAUTHTOK msg=audit(1625771196.574:162): pid=5113 uid=0 > auid=1000 > ses=1 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 > msg='op=change > password id=1000 exe="/usr/bin/passwd" hostname=rhel7.3 addr=? > terminal=pts/0 > res=success' > > The problem is that "op= change passwd" has a space in it and will not > parse > right. I have been trying to correct instances of this so that things > parse > correctly. Not everyone runs their changes by me for comment. So, its > possible that the change was made to fix the space, but usually I suggest > people add an underscore. > > I'll into it more next week. > > -Steve