With passwd -S user_name
one can find out, if an account is locked, but is there a way to find out when it was locked and who it locked?
Further links:
accountsloginSecurity
With passwd -S user_name
one can find out, if an account is locked, but is there a way to find out when it was locked and who it locked?
Further links:
Best Answer
Currently, yes and no. The security system itself doesn't log historic details of password changes. Since it's a flat file it would be hard for such a record to be accurate and trustworthy, if access to the databases had to exclusive go through some kind of a broker then it would be possible (you could just add the logic to the broker), but with widely accessible flat files, not so much. This is why a lot of LDAP/Kerberos identity services allow this type of auditing but local unix users have a hard time with it.
The closest you can get is to enable operating system audit logging, log all command executions (with command line options) and watch the
/etc/passwd
and/etc/shadow
files. If you can trace the change to being in a certain time period search for in the OS audit records, you might be able to trace it back to a "passwd -l" invocation or someone manually editing/etc/shadow
or/etc/passwd
(in case of unshadowed password).EDIT:
To clarify, the default
passwd
utility on some versions of traditional UNIX (Like Solaris 9, I'm seeing) willsyslog
the "passwd -l
" but I assumed we were on Linux given the GNU version ofpasswd
and that that's still insufficiently complete to be trustworthy.