https://isc.sans.edu/diary/Auditd+is+your+friend/15163
RHEL/CENTOS by default are not setup to monitor the passwd file, but you can make modifications in the conf file as explained above. I don't know if your distro logs access and modifications to /etc/passwd in audit but check in /var/log/audit/* On Tue, Jun 11, 2013 at 12:21 PM, Jack Coats <[email protected]> wrote: > IF someone used sudo like it is 'supposed' to be used (i.e. not how I > use it), then it should be in the sudo log. I am not sure if vipw has > logs, but I doubt it. I am afraid you will be sol (for another > technical tla) in finding this. If you use tripwire or similar it > MIGHT at least indicate when things were changed. > > You could check to see if they are still in the shadow file, but > depending on HOW they were removed then it might not help, but at > least you could have a chance of restoring the ID by reviewing a > passwd file from a backup and just typing it in, possibly leaving the > password field blank. > > Just some thoughts. > >><> ... Jack > > > > > On Tue, Jun 11, 2013 at 11:51 AM, Howard White <[email protected]> wrote: >> Have a client whose login has disappeared. I didn't do it nor do we know >> who would know _how_ much less do it. >> >> Is there a common log that tracks adds, changes or deletes to /etc/passwd? >> >> Howard >> >> -- >> -- >> You received this message because you are subscribed to the Google Groups >> "NLUG" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nlug-talk?hl=en >> >> --- You received this message because you are subscribed to the Google >> Groups "NLUG" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. >> >> > > -- > -- > You received this message because you are subscribed to the Google Groups > "NLUG" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nlug-talk?hl=en > > --- > You received this message because you are subscribed to the Google Groups > "NLUG" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- -- You received this message because you are subscribed to the Google Groups "NLUG" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en --- You received this message because you are subscribed to the Google Groups "NLUG" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
