Hmmm, okay, a backtrace could be a problem, but for the future you could write a script that uses an MD5 sum to detect changes in your /etc/passwd. If that script detects a difference, you could diff it with a copy and use that output to check if root is changed. Then with the output of last and an ls -l /etc/passwd you should have the person and change time :-)
> We have an environment where the root password on a Solaris box would
> be there with more than one person and there sure are situations where
> the root password is changed without prior notice. Now could someone
> tell me if there is a way to find out when (time) was the root passwd
> changed. I understand one way would be using Tripwire. Since we didn't
> have Tripwire earlier on the machine, is there a way to recover the
> time?

Greetings,
Richard.

----
An OS is like Swiss cheese, the bigger it is, the more holes you get!
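The check described in the reply above, as an added example that is not part of the original post: an MD5 comparison against a saved baseline, a diff when it differs, a test of whether root's line is what changed, and the `ls -l` and `last` output logged at detection time. The function names, state directory layout and return codes are assumptions made here; the file to watch is a parameter, since on Solaris the password hash itself is kept in /etc/shadow.

```shell
#!/bin/sh
# Added example. Names, state layout and return codes are assumptions.

# Print the MD5 of a file with whichever tool the host provides.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"                 # Solaris
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# check_account_file FILE STATE_DIR
# Returns 0 = unchanged (or first run, baseline created)
#         1 = file changed, root's entry identical
#         2 = root's entry changed
#         3 = file not readable
check_account_file() {
    file=$1; state=$2
    [ -r "$file" ] || return 3
    mkdir -p "$state" && chmod 700 "$state"
    new=$(file_md5 "$file")
    if [ ! -f "$state/copy" ]; then        # first run: record the baseline
        cp -p "$file" "$state/copy"; echo "$new" > "$state/md5"
        return 0
    fi
    [ "$new" = "$(cat "$state/md5")" ] && return 0

    rc=1; flag=no
    old_root=$(grep '^root:' "$state/copy" || true)
    new_root=$(grep '^root:' "$file" || true)
    [ "$old_root" = "$new_root" ] || { rc=2; flag=yes; }
    {
        echo "== detected $(date '+%Y-%m-%d %H:%M:%S') root_changed=$flag"
        ls -l "$file"                       # modification time of the file
        diff "$state/copy" "$file" || true  # what changed
        last 2>/dev/null | head -10         # who was logged in around then
    } >> "$state/changes.log"
    cp -p "$file" "$state/copy"; echo "$new" > "$state/md5"   # new baseline
    return $rc
}

# Stand-alone use, e.g. from cron: script FILE STATE_DIR
if [ $# -eq 2 ]; then check_account_file "$1" "$2"; fi
```

Run frequently from cron, the detection timestamp bounds the change to one interval. Since everyone involved holds root, the log is only as trustworthy as the state directory, so copying it to another host is worthwhile.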
