
How can I find out who changed the root password?


Richard Parsons

Dec 5, 2001, 10:36:30 AM
Hello,

AIX 4.3.1

The root password on our machine has been changed twice in the last 3
days: once by a user who got the "Change password" prompt and then
informed me; the other occurred today, and so far I have not found out
who changed it.

Luckily I was logged in as root, so was able to change the password to
something I knew...

How can I find out who changed the password? I will need to know the
tty or pts details to trace the user.

Thanks!

RP


Dan Goodman

Dec 5, 2001, 12:31:57 PM
Do you have root-equivalent accounts? I have noticed that depending on
the way /etc/security/passwd is ordered, and how the change was made,
sometimes a change to a root-equivalent account will actually change
root's password.

Dan Goodman
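
An added example, not part of the thread: one way to check for the root-equivalent (UID 0) accounts Dan Goodman asks about, showing where each one's stanza sits in /etc/security/passwd and its lastupdate value (seconds since the epoch), which narrows down when a password was changed. The function names are hypothetical and the file contents are constructed samples; on a real system the functions would be pointed at /etc/passwd and /etc/security/passwd as root.

```shell
#!/bin/sh
# Added example (not from the thread). Sample file contents are constructed.

# uid0_accounts PASSWD_FILE: print names of accounts whose UID is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# stanza_report SECURITY_PASSWD NAME...: for each named account print
# "<stanza position> <name> <lastupdate>" in the order the stanzas appear.
stanza_report() {
    file=$1; shift
    awk -v want="$*" '
        function emit() { if (name != "" && (name in keep)) print pos, name, upd }
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        # A stanza header starts in column 1 and ends with a colon.
        /^[^ \t#*].*:[ \t]*$/ {
            emit(); name = $1; sub(/:$/, "", name); pos++; upd = "unknown"; next
        }
        $1 == "lastupdate" && $2 == "=" { upd = $3 }
        END { emit() }
    ' "$file"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:!:0:0::/:/bin/ksh
daemon:!:1:1::/etc:
oper:!:0:0:Operator:/home/oper:/bin/ksh
rp:!:201:1::/home/rp:/bin/ksh
EOF
cat > "$tmp/security_passwd" <<'EOF'
oper:
        password = CONSTRUCTEDhash1
        lastupdate = 1007566590
        flags =

root:
        password = CONSTRUCTEDhash2
        lastupdate = 1007400000
        flags =

rp:
        password = CONSTRUCTEDhash3
        lastupdate = 1000000000
EOF
# Report only the UID-0 accounts found in the sample passwd file.
stanza_report "$tmp/security_passwd" $(uid0_accounts "$tmp/passwd")
```

A UID-0 stanza with a newer lastupdate than root's, or one that appears ahead of root's stanza, is the case to look at first.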


Miljenko Jandric

Dec 5, 2001, 12:41:53 PM
I do not believe that your effort will be worthwhile. Instead of
tracing down the user who changed the password you should work towards
locking down root access to a maximum of three people (SysAdmins, if you
have such a beast on site). There's no need for regular users to have
the root password.

However, it's probably easier said than done. In the meantime you
might look into the "sudo" package to give users controlled "equivalent to
root" access.

Or if that's too much you MUST make sure you have the ability to
restore root access if this happens in the future. I believe years ago
I did it by making sure my personal account had read-write access
to /etc/passwd. So if you don't know the root password just clear the
second field in /etc/passwd and the password is blanked out.

This is a security hole, but you have much bigger problems just by
sharing the root password with (l)users.

mj

On 5 Dec 2001 07:36:30 -0800, rwpa...@hotmail.com (Richard Parsons)
wrote:

Norman Levin

Dec 6, 2001, 7:12:16 AM
Check on the 'audit' facility in AIX. Should be able to monitor the passwd and
pwdadm commands (but pwdadm should NOT work for root since he is an
'admin = true' user in the /etc/security/users file).
--
Norman Levin
VM/Dynamics, Inc.
----------------------------
"Miljenko Jandric" <jan...@sympatico.ca> wrote in message
news:3c0e58c1...@news1.on.sympatico.ca...