RE: [EXT] Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?

This is an interesting topic. Please, can you tell me what audit rule you are using that generates such records about root's (*or any other account's) password change?*

Sincerely, thank you. -------------------------- Warron French On Thu, Jul 8, 2021 at 3:27 PM Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > On Thursday, July 8, 2021 2:19:54 PM EDT Wieprecht, Karen M. wrote: > > I've noticed that the messages I'm searching for in splunk to > > show root password changes no longer seem to be in the same > > format. Most of our systems run RHEL7 release 7.9, and I believe > > this is a recent change (I've only noticed this problem in the > > past 3 months or so?), but we do have an older 7.5 system, so I was able to use that to compare against > > the 7.5 to identify what's changed. I wanted to confirm which record > I > > should be using now since there are several that get generated now > > > > The key differences seem to be in the message generated and the > > keyname being used for the account being targeted, but I wanted > > to confirm that there isn't some other record I should be looking > > at to verify that the root password was changed in the required > > timeframe since I see several records being generated from a > > password change, none of which include anything as conclusive as the old message that showed the operation as a > > "password change". Here are some fo the fields I'm looking at: > > > > type=USER_CHAUTHOK > > exe=/usr/bin/passwd > > [acct targeted for the passwd change]: > > id=root (old format) > > acct=root (latest format) > > msg > > msg='op=change password (old format) > > msg='op=PAM:chauthok (latest format) > > > > If you can confirm whether this is the info I should be using now > > to confirm password changes, that would be much appreciated. > > I don't have a RHEL 7.9 machine to compare against. I can set one up > in about a week. On 7.6 the event looks like this: > > type=USER_CHAUTHTOK msg=audit(1625771196.574:162): pid=5113 uid=0 > auid=1000 > ses=1 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 > msg='op=change > password id=1000 exe="/usr/bin/passwd" hostname=rhel7.3 addr=? > terminal=pts/0 > res=success' > > The problem is that "op= change passwd" has a space in it and will > not parse right. I have been trying to correct instances of this so > that things parse correctly. Not everyone runs their changes by me > for comment. So, its possible that the change was made to fix the > space, but usually I suggest people add an underscore. > > I'll into it more next week. > > -Steve